idnits 2.17.1 

draft-richer-vectors-of-trust-12.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document date (June 29, 2018) is 2128 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'A-Z' is mentioned on line 643, but not defined

  == Unused Reference: 'RFC8259' is defined on line 827, but no explicit
     reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. 'OpenID'

  -- Obsolete informational reference (is this intentional?): RFC 7525 (ref.
     'BCP195') (Obsoleted by RFC 9325)


     Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	Network Working Group                                     J. Richer, Ed.
3	Internet-Draft                                       Bespoke Engineering
4	Intended status: Standards Track                            L. Johansson
5	Expires: December 31, 2018                    Swedish University Network
6	                                                           June 29, 2018

8	                            Vectors of Trust
9	                    draft-richer-vectors-of-trust-12

11	Abstract

13	   This document defines a mechanism for describing and signaling
14	   several aspects of a digital identity transaction and its
15	   participants.  These aspects are used to determine the amount of
16	   trust to be placed in that transaction.

18	Requirements Language

20	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
21	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
22	   "OPTIONAL" in this document are to be interpreted as described in BCP
23	   14 RFC 2119 [RFC2119] RFC 8174 [RFC8174] when, and only when, they
24	   appear in all capitals, as shown here.

26	Status of This Memo

28	   This Internet-Draft is submitted in full conformance with the
29	   provisions of BCP 78 and BCP 79.

31	   Internet-Drafts are working documents of the Internet Engineering
32	   Task Force (IETF).  Note that other groups may also distribute
33	   working documents as Internet-Drafts.  The list of current Internet-
34	   Drafts is at https://datatracker.ietf.org/drafts/current/.

36	   Internet-Drafts are draft documents valid for a maximum of six months
37	   and may be updated, replaced, or obsoleted by other documents at any
38	   time.  It is inappropriate to use Internet-Drafts as reference
39	   material or to cite them other than as "work in progress."

41	   This Internet-Draft will expire on December 31, 2018.

43	Copyright Notice

45	   Copyright (c) 2018 IETF Trust and the persons identified as the
46	   document authors.  All rights reserved.

48	   This document is subject to BCP 78 and the IETF Trust's Legal
49	   Provisions Relating to IETF Documents
50	   (https://trustee.ietf.org/license-info) in effect on the date of
51	   publication of this document.  Please review these documents
52	   carefully, as they describe your rights and restrictions with respect
53	   to this document.  Code Components extracted from this document must
54	   include Simplified BSD License text as described in Section 4.e of
55	   the Trust Legal Provisions and are provided without warranty as
56	   described in the Simplified BSD License.

58	Table of Contents

60	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
61	     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
62	     1.2.  Identity Model  . . . . . . . . . . . . . . . . . . . . .   5
63	     1.3.  Component Architecture  . . . . . . . . . . . . . . . . .   5
64	   2.  Component Dimension Definitions . . . . . . . . . . . . . . .   6
65	     2.1.  Identity Proofing (P) . . . . . . . . . . . . . . . . . .   7
66	     2.2.  Primary Credential Usage (C)  . . . . . . . . . . . . . .   7
67	     2.3.  Primary Credential Management (M) . . . . . . . . . . . .   8
68	     2.4.  Assertion Presentation (A)  . . . . . . . . . . . . . . .   8
69	   3.  Communicating Vector Values to RPs  . . . . . . . . . . . . .   9
70	     3.1.  On-the-Wire Representation  . . . . . . . . . . . . . . .   9
71	     3.2.  In OpenID Connect . . . . . . . . . . . . . . . . . . . .  10
72	   4.  Requesting Vector Values  . . . . . . . . . . . . . . . . . .  11
73	     4.1.  In OpenID Connect . . . . . . . . . . . . . . . . . . . .  11
74	   5.  Trustmarks  . . . . . . . . . . . . . . . . . . . . . . . . .  12
75	   6.  Defining New Vector Values  . . . . . . . . . . . . . . . . .  12
76	   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  13
77	   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
78	     8.1.  Vector of Trust Components Registry . . . . . . . . . . .  13
79	       8.1.1.  Registration Template . . . . . . . . . . . . . . . .  14
80	       8.1.2.  Initial Registry Contents . . . . . . . . . . . . . .  14
81	     8.2.  Additions to the OAuth Parameters Registry  . . . . . . .  15
82	     8.3.  Additions to JWT Claims Registry  . . . . . . . . . . . .  16
83	     8.4.  Additions to OAuth Token Introspection Response . . . . .  16
84	   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  16
85	   10. Privacy Considerations  . . . . . . . . . . . . . . . . . . .  17
86	   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  17
87	     11.1.  Normative References . . . . . . . . . . . . . . . . . .  17
88	     11.2.  Informative References . . . . . . . . . . . . . . . . .  18
89	   Appendix A.  Vectors of Trust Default Component Value Definitions  19
90	     A.1.  Identity Proofing . . . . . . . . . . . . . . . . . . . .  19
91	     A.2.  Primary Credential Usage  . . . . . . . . . . . . . . . .  19
92	     A.3.  Primary Credential Management . . . . . . . . . . . . . .  20
93	     A.4.  Assertion Presentation  . . . . . . . . . . . . . . . . .  20
94	   Appendix B.  Document History . . . . . . . . . . . . . . . . . .  21
95	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  23

97	1.  Introduction

99	   Methods for measuring trust in digital identity transactions have
100	   historically fallen into two main categories: either all measurements
101	   are combined into a single scalar value, or trust decisions are
102	   calculated locally based on a detailed set of attribute metadata.
103	   This document defines a method of conveying trust information that is
104	   more expressive than a single value but less complex than
105	   comprehensive attribute metadata.

107	   Prior to the third edition [SP-800-63-3] published in 2017, NIST
108	   Special Publication 800-63 [SP-800-63-2] used a single scalar
109	   measurement of trust called a Level of Assurance (LoA).  An LoA can
110	   be used to compare different transactions within a system at a coarse
111	   level.  For instance, an LoA4 transaction is generally considered
112	   more trusted (across all measured categories) than an LoA2
113	   transaction.  The LoA for a given transaction is computed by the
114	   identity provider (IdP) and is consumed by a relying party (RP).
115	   Since the trust measurement is a simple numeric value, it's trivial
116	   for RPs to process and compare.  However, since each LoA encompasses
117	   many different aspects of a transaction, it can't express many real-
118	   world situations.  For instance, an anonymous user account might have
119	   a very strong credential, such as would be common of a whistle-blower
120	   or political dissident.  Despite the strong credential, the lack of
121	   identity proofing would make any transactions conducted by the
122	   account to fall into a low LoA.  Furthermore, different use cases and
123	   domains require subtly different definitions for their LoA
124	   categories, and one group's LoA2 is not equivalent or even comparable
125	   to another group's LoA2.

127	   Attribute based access control (ABAC) systems used by RPs may need to
128	   know details about a user's attributes, such as how recently the
129	   attribute data was verified and by whom.  Attribute metadata systems
130	   are capable of expressing extremely fine-grained detail about the
131	   transaction.  However, this approach requires the IdP to collect,
132	   store, and transmit all of this attribute data for the RP's
133	   consumption.  The RP must process this data, which may be prohibitive
134	   for trivial security decisions.

136	   Vectors of Trust (VoT) seeks a balance between these two alternatives
137	   by allowing expression of multiple aspects of an identity transaction
138	   (including but not limited to identity proofing, credential strength,
139	   credential management, and assertion strength), without requiring
140	   full attribute metadata descriptions.  This method of measurement
141	   gives more actionable data and expressiveness than an LoA, but is
142	   still relatively easy for the RP to process.  It is anticipated that
143	   VoT can be used alongside more detailed attribute metadata systems as
144	   has that proposed by NISITIR 8112 [NISTIR-8112].  The RP can use the
145	   vector value for most basic decisions but be able to query the IdP
146	   for additional attribute metadata where needed.  Furthermore, it is
147	   anticipated that some trust frameworks will provide a simple mapping
148	   between certain sets of vector values to LoAs, for RPs that do not
149	   have a need for the vector's more fine-grained detail.  In such
150	   systems, an RP is given a choice of how much detail to request from
151	   the IdP in order to process a given transaction.

153	   This document defines a data model for these vectors and an on-the-
154	   wire format for conveying them between parties, anchored in a trust
155	   definition.  This document also provides guidance for defining values
156	   for use in conveying this information, including four component
157	   categories and guidance on defining values within those categories.
158	   Additionally, this document defines a general-purpose set of
159	   component values in an appendix (Appendix A) for use cases that do
160	   not need something more specific.

162	1.1.  Terminology

164	   Identity Federation  A protocol in which an Identity Provider (IdP)
165	      asserts a user's identity information to a relying party (RP)
166	      through the use of a cryptographic assertion or other verifiable
167	      mechanism, or a system implementing such a protocol.  Also
168	      referred to simply as "federation".

170	   Identity Provider (IdP)  A system that manages identity information
171	      and is able to assert this information across the network through
172	      an identity API.

174	   Identity Subject  The individual (user) engaging in the identity
175	      transaction, being identified by the identity provider to the
176	      relying party.

178	   Identity Proofing  The process of verifying and validating that a set
179	      of identity attributes belongs to a real-world identity subject.

181	   Primary Credential  The means used by the identity subject to
182	      authenticate to the identity provider.

184	   Federated Credential  The assertion presented by the IdP to the RP
185	      across the network to authenticate the user.

187	   Relying Party (RP)  A system that consumes identity information from
188	      an IdP for the purposes of authenticating the user.

190	   Trust Framework  A document containing business rules and legal
191	      clauses that defines how different parties in an identity
192	      transaction may act.

194	   Trustmark  A URL referencing a specific Trust Framework and its
195	      definition of vector components and vector component values.

197	   Trustmark Provider  Defines the trust framework referenced by its
198	      trustmark, and can verify that a given system (such as an identity
199	      provider) is both capable of asserting and allowed to assert the
200	      vector component values it is claiming.

202	   Vector  A multi-part data structure, used here for conveying
203	      information about an authentication transaction.

205	   Vector Component  One of several constituent parts that make up a
206	      vector, indicating a category of information.

208	   Vector Component Value  One of the values applied to a vector
209	      component within a vector.

211	1.2.  Identity Model

213	   This document assumes the following model for identity based on
214	   identity federation technologies:

216	   The identity subject (also known as the user) is associated with an
217	   identity provider which acts as a trusted third party on behalf of
218	   the user with regard to a relying party by making identity assertions
219	   about the user to the relying party.

221	   The real-world individual represented by the identity subject is in
222	   possession of a primary credential bound to the identity subject by
223	   the identity provider (or an agent thereof) in such a way that the
224	   binding between the credential and the real-world user is a
225	   representation of the identity proofing process performed by the
226	   identity provider (or an agent thereof) to verify the identity of the
227	   real-world individual.  This information is carried across the
228	   network as part of an identity assertion presented to the relying
229	   party during the authentication transaction.

231	1.3.  Component Architecture

233	   The term Vectors of Trust is inspired by the mathematical construct
234	   of a vector, which is defined as an item composed of multiple
235	   independent values.

237	   An important goal for this work is to balance the need for simplicity
238	   (particularly on the part of the relying party) with the need for
239	   expressiveness.  As such, this vector construct is designed to be
240	   composable and extensible.

242	   All components of the vector construct MUST be orthogonal such that
243	   no aspect of a component overlaps an aspect of another component, as
244	   much as is possible.

246	2.  Component Dimension Definitions

248	   This specification defines four orthogonal components: identity
249	   proofing, primary credential usage, primary credential management,
250	   and assertion presentation.

252	   This specification also defines values for each of these component to
253	   be used in the absence of a more specific trust framework in
254	   Appendix A.  It is expected that trust frameworks will provide
255	   context, semantics, and mapping to legal statutes and business rules
256	   for each value in each component.

258	   Consequently, a particular vector value can only be compared with
259	   vectors defined in the context of a specific trust framework.  The RP
260	   MUST understand and take into account the trust framework context in
261	   which a vector is being expressed in order to process a vector
262	   correctly.

264	   Each component is identified by a demarcator consisting of a single
265	   uppercase ASCII letter in the range "[A-Z]".  The demarcator SHOULD
266	   reflect the category with which it is associated in a natural manner.
267	   Demarcators for components MUST be registered as described in
268	   Section 8.  It is anticipated that trust framework definitions will
269	   use this registry to define specialized components, though it is
270	   RECOMMENDED that trust frameworks re-use existing components
271	   categories wherever possible.  Different trust frameworks SHOULD use
272	   the same component for similar information, but since the processing
273	   for all vector values is contextual to a trust framework, the exact
274	   semantics of interpreting a component will vary based on the trust
275	   framework in use.

277	   The value for a given component within a vector of trust is defined
278	   by its demarcator character followed by a single digit or lowercase
279	   ASCII letter in the range "[0-9a-z]".  Categories which have a
280	   natural ordering SHOULD prefer digits, with larger digits indicating
281	   stronger assertions than smaller digits.  Categories which do not
282	   have a natural ordering, or which can have an ambiguous ordering,
283	   SHOULD prefer letters.  Note that while letters could also imply
284	   order, they can also more naturally be used mnemonically.  Trust
285	   frameworks MAY use any possible values within a category without the
286	   need for them to be contiguous.

288	   Categories MAY use both letters and digits simultaneously.  For
289	   example, a category could define "0" as meaning "no statement is
290	   made" while using letters such as "a", "b", "c" for normal values to
291	   indicate specific options.  Another system could have an ordered base
292	   set of digits with additional details provided by letters.

294	   Each component MAY be repeated with multiple different values within
295	   a single vector, representing the logical AND of the values (see
296	   Section 3.1 for details).  The same component and value combination
297	   MUST NOT be repeated within a single vector.  For example, a vector
298	   could contain both "P1" and "Pa" but not two instances of "P1".  A
299	   trust framework MAY define additional restrictions on combinations of
300	   values.

302	   Regardless of the type of value, the RP MUST NOT assume that the
303	   values assigned to each component of a vector have inherent ordinal
304	   or subsumptive properties when compared to the same or other
305	   components in the vector space without specific knowledge of the
306	   trust framework in use.  In other words, "1" is always different from
307	   "2", but it is dangerous to assume that "2" is always better than "1"
308	   or that "2" satisfies all the requirements of "1".

310	2.1.  Identity Proofing (P)

312	   The Identity Proofing dimension defines, overall, how strongly the
313	   set of identity attributes have been verified and vetted.  In other
314	   words, this dimension describes how likely it is that a given digital
315	   identity transaction corresponds to a particular (real-world)
316	   identity subject.  For example, did the user have to provide
317	   documentation to a trusted party to prove their legal name and
318	   address, or were they able to self-assert such values?

320	   This dimension uses the "P" demarcator, such as "P0", "P1", etc.
321	   Most definitions of identity proofing will have a natural ordering,
322	   as more or less stringent proofing can be applied to an individual
323	   being granted an account.  In such cases it is RECOMMENDED that a
324	   digit be used for this component and that only a single value be
325	   allowed to be communicated in a transaction.

327	2.2.  Primary Credential Usage (C)

329	   The primary credential usage dimension defines how strongly the
330	   primary credential can be verified by the IdP.  In other words, how
331	   easily that credential could be spoofed or stolen.  For example, did
332	   the user log in using a password, with a biometric, with a
333	   cryptographic hardware device, or some combination of the above?

335	   This dimension uses the "C" demarcator, such as "Ca", "Cb", etc.
336	   Most definitions of credential usage will not have an overall natural
337	   ordering, as there may be several equivalent classes described within
338	   a trust framework.  In such cases it is RECOMMENDED that a letter be
339	   used for this component and that multiple distinct credential usage
340	   factors be allowed to be communicated simultaneously, such as when
341	   Multi-Factor Authentication is used.

343	2.3.  Primary Credential Management (M)

345	   The primary credential management dimension conveys information about
346	   the expected lifecycle of the primary credential in use, including
347	   its binding, rotation, and revocation.  In other words, the use and
348	   strength of policies, practices, and security controls used in
349	   managing the credential at the IdP and its binding to the intended
350	   individual.  For example, can the user bring their own cryptographic
351	   device or is one provided by the IdP?

353	   This dimension uses the "M" demarcator, such as "Ma", "Mb", etc.
354	   Most definitions of credential management will not have an overall
355	   natural ordering, though there can be preference and comparison
356	   between values in some circumstances.  In such cases it is
357	   RECOMMENDED that a letter be used for this component and that
358	   multiple distinct values be allowed to be communicated
359	   simultaneously.

361	2.4.  Assertion Presentation (A)

363	   The Assertion Presentation dimension defines how well the given
364	   digital identity can be communicated across the network without
365	   information leaking to unintended parties, and without spoofing.  In
366	   other words, this dimension describes how likely it is that a given
367	   digital identity was asserted by a given identity provider for the
368	   identity subject of a given transaction.  While this information is
369	   largely already known by the RP as a side effect of processing an
370	   identity assertion in a federation protocol, this dimension is still
371	   very useful when the RP requests a login (Section 4) and when
372	   describing the capabilities of an IdP.  This value also allows the RP
373	   to detect when an assertion is presented in a manner it was not
374	   intended for, as may be the case with an attack.

376	   This dimension uses the "A" demarcator, such as "Aa", "Ab", etc.
377	   Most definitions of assertion presentation will not have an overall
378	   natural ordering.  In such cases, it is RECOMMENDED that a letter be
379	   used for this component and that multiple values be allowed to be
380	   communicated simultaneously.

382	3.  Communicating Vector Values to RPs

384	   A vector of trust is designed to be used in the context of an
385	   identity and authentication transaction, providing information about
386	   the context of a federated credential.  The vector therefore needs to
387	   be able to be communicated in the context of the federated credential
388	   in a way that is strongly bound to the assertion representing the
389	   federated credential.

391	   This vector has several requirements for use.

393	   o  All applicable vector components and values need to be combined
394	      into a single vector.

396	   o  The vector can be communicated across the wire unbroken and
397	      untransformed.

399	   o  All vector components need to remain individually available, not
400	      "collapsed" into a single value.

402	   o  The vector needs to be protected in transit.

404	   o  The vector needs to be cryptographically bound to the assertion
405	      which it is describing.

407	   o  The vector needs to be interpreted in the context of a specific
408	      trust framework definition identified by a trustmark URL.

410	   These requirements lead us to defining a simple string-based
411	   representation of the vector that can be incorporated within a number
412	   of different locations and protocols without further encoding.

414	3.1.  On-the-Wire Representation

416	   The vector MUST be represented as a period-separated ('.') list of
417	   vector components.  A vector component type can occur multiple times
418	   within a single vector, but a specific value of a vector component
419	   can not occur more than once in a single vector.  That is, while
420	   "Cc.Cd" is a valid vector, "Cc.Cc" is not.  Multiple values for a
421	   component are considered a logical AND of the values.

423	   Vector component values MAY appear in any order within a vector, and
424	   the RP MUST consider different orderings of the same vector
425	   equivalent during processing.  For example, "P1.Cc.Cd.Aa",
426	   "Aa.Cc.Cd.P1", "Cd.P1.Cc.Aa", and "Aa.P1.Cd.Cc" are all considered
427	   equivalent to each other.

429	   Possible vector components MAY be omitted from a vector.  No holding
430	   space is left for an omitted vector component.  If a vector component
431	   is omitted, the vector is making no claim for that component.  No
432	   default values are assumed for a missing component category.

434	   Vector values MUST be communicated along with of a trustmark URL
435	   (Section 5) to give the components and component values context.  The
436	   trustmark MUST be cryptographically bound to the vector value, such
437	   as the two values being carried together in a signed assertion.  A
438	   vector value without context is unprocessable, and vectors defined in
439	   different contexts are not directly comparable as whole values.
440	   Different trust frameworks MAY re-use component definitions
441	   (including their values), but processing of such cross-context values
442	   is outside the scope of this specification.

444	   For example, the vector "P1.Cc.Ab" translates to "pseudonymous, proof
445	   of shared key, signed browser-passed verified assertion, and no claim
446	   made toward credential management" in the context of this
447	   specification's definitions (Appendix A).  A different vector
448	   "Cb.Mc.Cd.Ac" translates to "known device, full proofing required for
449	   credential issuance and rotation, cryptographic proof of possession
450	   of a shared key, signed back-channel verified assertion, and no claim
451	   made toward identity proofing" in the same context.  Since no claim
452	   is made here for identity proofing, no specific value can be assumed
453	   by the RP.  Note that this doesn't mean the user wasn't proofed at
454	   all: it's possible that the user was fully proofed to the highest
455	   capabilities within the trust framework, but here the IdP not making
456	   any specific claim about proofing to the RP, perhaps to protect the
457	   user's privacy.

459	3.2.  In OpenID Connect

461	   In OpenID Connect [OpenID], the IdP MUST send the vector as a string
462	   within the "vot" (vector of trust) claim in the ID token.  The
463	   trustmark (Section 5) that applies to this vector MUST be sent as an
464	   URL in the "vtm" (vector trust mark) claim to provide context to the
465	   vector.

467	   The "vot" and "vtm" claims are interpreted by the RP to apply to the
468	   entire identity transaction, and not necessarily to any one attribute
469	   specifically.

471	   For example, assume that for the given trustmark, the body of an ID
472	   token claiming "pseudonymous, proof of shared key, signed back-
473	   channel verified token, and no claim made toward credential
474	   management" could look like this JSON object payload of the ID token.

476	   {
477	       "iss": "https://idp.example.com/",
478	       "sub": "jondoe1234",
479	       "vot": "P1.Cc.Ac",
480	       "vtm": "https://example.org/vot-trust-framework"
481	   }

483	   The body of the ID token is signed and optionally encrypted using
484	   JOSE, as per the OpenID Connect specification.  By putting the "vot"
485	   and "vtm" values inside the ID token, the vector and its context are
486	   strongly bound to the federated credential represented by the ID
487	   token.

489	   Vector values MAY be returned in a token introspection [RFC7662]
490	   response describing the ID token or access token issued during an
491	   OpenID Connect transaction using the same claims.

493	4.  Requesting Vector Values

495	   In some identity protocols, the RP can request that particular vector
496	   values be used for a given identity transaction.  An RP can describe
497	   the particular vector component values it desires the IdP assert for
498	   a given identity transaction by using the same syntax as defined in
499	   Section 3.1.  Processing and fulfillment of these requests are in the
500	   purview of the IdP and details are outside the scope of this
501	   specification.

503	   Future specifications MAY define alternative ways for an RP to
504	   request vector values from an IdP.

506	4.1.  In OpenID Connect

508	   In OpenID Connect [OpenID], the client MAY request a partial set of
509	   acceptable VoT values with the "vtr" (vector of trust request) claim
510	   request as part of the Request Object.  The value of this field is an
511	   array of JSON strings, each string identifying an acceptable set of
512	   vector components.  The component values within each vector are ANDed
513	   together while the separate vectors are ORed together.  For example,
514	   a list of vectors in the form {{ NOTE TO RFC EDITOR: change outer
515	   double quotes to single quotes in text version }} "["P1.Cb.Cc.Ab",
516	   "Ce.Ab"]" is stating that either the full set of "P1 AND Cb AND Cc
517	   AND Ab" simultaneously OR the full set of "Ce AND Ab" simultaneously
518	   are acceptable to this RP for this transaction.

520	   Vector request values MAY omit components, indicating that any value
521	   is acceptable for that component category, including omission of that
522	   component in the response vector.

524	   The mechanism by which the IdP processes the "vtr" and maps that to
525	   the authentication transaction are out of scope of this
526	   specification.

528	5.  Trustmarks

530	   A trustmark is a URL that references a specific set of vector values
531	   as defined by a trust framework.  This URL MUST point to a human-
532	   readable document that describes what components and values are
533	   valid, how they are used together, and what practices the component
534	   values represent within the trust framework.  The contents of the
535	   trustmark URL MUST be reachable by the operators or implementors of
536	   the RP.  The URL SHOULD be stable over time for a given trust
537	   framework to allow RPs to process incoming vectors in a consistent
538	   fashion.  New versions of a trust framework that require different
539	   processing rules SHOULD use a different trustmark URL.

541	   For example, [[this document URL]] is used as the trustmark to
542	   reference the values defined in Appendix A.

544	   The process of a trustmark provider determining the ability of a
545	   particular IdP to correctly assert values from a given trust
546	   framework is outside the scope of this specification.  Determining
547	   how an RP should apply the values of a given vector to the RP's
548	   processing is outside the scope of this specification.

550	6.  Defining New Vector Values

552	   Vectors of Trust is meant to be a flexible and reusable framework for
553	   communicating authentication data between networked parties in an
554	   identity federation protocol.  However, the exact nature of the
555	   information needed depends on the parties requiring the information
556	   and the relationship between them.  While this document does define a
557	   usable default set of values in Appendix A, it is anticipated that
558	   many situations will require an extension of this specification for
559	   their own use.

561	   Component categories such as those defined in Section 2 are intended
562	   to be general purpose and reusable in a variety of trust frameworks.
563	   Extension specifications SHOULD re-use existing category definitions
564	   where possible.  Extensions MAY create additional categories where
565	   needed by using the registry defined in Section 8.  The registry
566	   encourages re-use and discovery of existing categories across
567	   different implementations.  In other words, the "P" category in
568	   another framework SHOULD be used for identity proofing and related
569	   information.

571	   The values of components such as those defined in Appendix A are
572	   intended to be contextual to the defining trust document.  While this
573	   specification's component values are intended to be general-purpose
574	   and extensions MAY re-use the values and their definitions,
575	   implementations MUST define all allowable values.  As these values
576	   are always interpreted in the context of a trustmark, these values
577	   are not recorded in a central registry.  Consequently, a "P1" value
578	   from one framework and a "P1" value from another framework could have
579	   very different interpretations depending on their contextual trust
580	   framework documents, even though in both cases the "P" component is
581	   used for identity proofing in some fashion.

583	   Trust frameworks that implement specification SHOULD choose either a
584	   numerical ordering or a group category approach to component values
585	   as described in Section 2, though combinations of both types MAY be
586	   used.  Implementations of this specification MUST specify whether
587	   multiple values are allowed for each category, and while any
588	   component category is generally allowed to have multiple distinct
589	   values, a specific definition of a set of values in an extension MAY
590	   limit a given component category to a single value per transaction.
591	   It is RECOMMENDED that trust frameworks use a "0" value to indicate
592	   an empty or null condition for a given category (for example, no
593	   proofing being done or no authentication token being used).

595	   Extensions and implementations of this specification MUST be
596	   referenced by a unique trustmark URL (Section 5) to allow RPs to
597	   differentiate between different trust frameworks.

599	7.  Acknowledgements

601	   The authors would like to thank the members of the Vectors of Trust
602	   mailing list in the IETF for discussion and feedback on the concept
603	   and document, and the members of the ISOC Trust and Identity team for
604	   their support.  In particular, the authors would like to thank Paul
605	   Grassi, Jim Fenton, Sarah Squire, Benjamin Kaduk, John Bradley, and
606	   Karen O'Donoghue.

608	8.  IANA Considerations

610	   This specification creates one registry and registers several values
611	   into existing registries.

613	8.1.  Vector of Trust Components Registry

615	   This specification establishes the Vectors of Trust Components
616	   Registry.

618	   Component demarcators are registered by the Specification Required
619	   policy documented in [RFC8126].

621	   Criteria that should be applied by the Designated Experts includes
622	   determining whether the proposed registration duplicates existing
623	   functionality, whether it is likely to be of general applicability or
624	   whether it is useful only for limited applications (note that either
625	   is permissible though the former is to be preferred), and whether the
626	   registration description is clear.

628	   Registration requests sent to the vot@ietf.org mailing list for
629	   review should use an appropriate subject (e.g., "Request to register
630	   Vector of Trust Component name: example").  The Designated Expert(s)
631	   will provide review within a two-week period and either approve or
632	   deny the registration request, communicating this decision to the
633	   review list and IANA.  Denials should include an explanation and, if
634	   applicable, suggestions as to how to make the request successful.
635	   IANA must only accept registry updates from the Designated Expert(s)
636	   and should direct all requests for registration to the vot@ietf.org
637	   mailing list.  If the Designated Experts do not respond within the
638	   designated period, IANA should contact the IESG for guidance.

640	8.1.1.  Registration Template

642	   Demarcator Symbol
643	      An uppercase ASCII letter in the range [A-Z] representing this
644	      component (e.g., "X").

646	   Description:
647	      Brief description of the component (e.g., "Example description").

649	   Change controller:
650	      For IETF-stream RFCs, state "IESG".  For other documents, give the
651	      name of the responsible party.

653	   Specification document(s):
654	      Reference to the document(s) that specify the vector component,
655	      preferably including a URL that can be used to retrieve a copy of
656	      the document(s).  An indication of the relevant sections may also
657	      be included but is not required.

659	8.1.2.  Initial Registry Contents

661	   The Vector of Trust Components Registry contains the definitions of
662	   vector components and their associated demarcators.

664	   o  Demarcator Symbol: P
665	   o  Description: Identity proofing

667	   o  Change Controller: IESG

669	   o  Specification document(s):: [[ this document ]]

671	   o  Demarcator Symbol: C

673	   o  Description: Primary credential usage

675	   o  Change Controller: IESG

677	   o  Specification document(s):: [[ this document ]]

679	   o  Demarcator Symbol: M

681	   o  Description: Primary credential management

683	   o  Change Controller: IESG

685	   o  Specification document(s):: [[ this document ]]

687	   o  Demarcator Symbol: A

689	   o  Description: Assertion presentation

691	   o  Change Controller: IESG

693	   o  Specification document(s):: [[ this document ]]

695	8.2.  Additions to the OAuth Parameters Registry

697	   This specification adds the following values to the OAuth Parameters
698	   Registry established by [RFC6749].

700	   o  Name: vtr

702	   o  Description: Vector of Trust request

704	   o  Parameter usage location: authorization request, token request

706	   o  Change Controller: IESG

708	   o  Document: [[ this document ]]

710	8.3.  Additions to JWT Claims Registry

712	   This specification adds the following values to the JSON Web Token
713	   Claims Registry established by [RFC7519].

715	   o  Claim name: vot

717	   o  Description: Vector of Trust value

719	   o  Change Controller: IESG

721	   o  Document: [[ this document ]]

723	   o  Claim name: vtm

725	   o  Description: Vector of Trust trustmark URL

727	   o  Change Controller: IESG

729	   o  Document: [[ this document ]]

731	8.4.  Additions to OAuth Token Introspection Response

733	   This specification adds the following values to the OAuth Token
734	   Introspection Response established by [RFC7662].

736	   o  Name: vot

738	   o  Description: Vector of Trust value

740	   o  Change Controller: IESG

742	   o  Document: [[ this document ]]

744	   o  Name: vtm

746	   o  Description: Vector of Trust trustmark URL

748	   o  Change Controller: IESG

750	   o  Document: [[ this document ]]

752	9.  Security Considerations

754	   The vector of trust value needs to be cryptographically protected in
755	   transit between parties, such as by using TLS as described in
756	   [BCP195].  The vector of trust value must be associated with a
757	   trustmark by the RP processing the vector.  A signed OpenID Connect
758	   ID Token or a similarly signed assertion from another protocol would
759	   fulfil this requirement by carrying both the vector value and the
760	   trustmark URL as claims.

762	   The vector value is always associated with a trustmark and needs to
763	   be interpreted by the RP in the context of the trust framework
764	   defined by that trustmark.  Different trust frameworks can apply
765	   different interpretations to the same component value, much as was
766	   the case with LoA.  Therefore, an RP interpreting a component value
767	   in the wrong context could mistakenly accept or reject a request.  In
768	   order to avoid this mistake, RPs need to reject vectors that are
769	   defined in trust frameworks that they do not understand how to
770	   interpret properly.

772	   The VoT framework provides a mechanism for describing and conveying
773	   trust information.  It does not define any policies for an IdP
774	   determining which vector component values apply to a given
775	   transaction, nor does it define any policies for applying the values
776	   of a vector to an RP's security decision process.  These policies and
777	   associated practices are to be agreed upon by the IdP and RP, and
778	   they should be expressed in detail in an associated human-readable
779	   trust framework document available at the trustmark URL.

781	10.  Privacy Considerations

783	   By design, vector of trust values contain information about the
784	   user's authentication and associations that can be made thereto.
785	   Therefore, all aspects of a vector of trust contain potentially
786	   privacy-sensitive information and must be guarded as such.  Even in
787	   the absence of specific attributes about a user, knowledge that the
788	   user has been highly proofed or issued a strong token could provide
789	   more information about the user than was intended.  It is recommended
790	   that IdPs send and RPs request only the information necessary for
791	   their use case in order to prevent inadvertent information
792	   disclosure.

794	11.  References

796	11.1.  Normative References

798	   [OpenID]   Sakimura, N., Bradley, J., and M. Jones, "OpenID Connect
799	              Core 1.0", November 2014.

801	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
802	              Requirement Levels", BCP 14, RFC 2119,
803	              DOI 10.17487/RFC2119, March 1997,
804	              <https://www.rfc-editor.org/info/rfc2119>.

806	   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
807	              RFC 6749, DOI 10.17487/RFC6749, October 2012,
808	              <https://www.rfc-editor.org/info/rfc6749>.

810	   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
811	              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
812	              <https://www.rfc-editor.org/info/rfc7519>.

814	   [RFC7662]  Richer, J., Ed., "OAuth 2.0 Token Introspection",
815	              RFC 7662, DOI 10.17487/RFC7662, October 2015,
816	              <https://www.rfc-editor.org/info/rfc7662>.

818	   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
819	              Writing an IANA Considerations Section in RFCs", BCP 26,
820	              RFC 8126, DOI 10.17487/RFC8126, June 2017,
821	              <https://www.rfc-editor.org/info/rfc8126>.

823	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
824	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
825	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

827	   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
828	              Interchange Format", STD 90, RFC 8259,
829	              DOI 10.17487/RFC8259, December 2017,
830	              <https://www.rfc-editor.org/info/rfc8259>.

832	11.2.  Informative References

834	   [BCP195]   Sheffer, Y., Holz, R., and P. Saint-Andre,
835	              "Recommendations for Secure Use of Transport Layer
836	              Security (TLS) and Datagram Transport Layer Security
837	              (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May
838	              2015, <http://www.rfc-editor.org/info/bcp195>.

840	   [NISTIR-8112]
841	              National Institute of Standards and Technology, U.S.
842	              Department of Commerce, "A Proposed Schema for Evaluating
843	              Federated Attributes", NIST NISTIR 8112, January 2018,
844	              <https://pages.nist.gov/NISTIR-8112/NISTIR-8112.html>.

846	   [SP-800-63-2]
847	              National Institute of Standards and Technology, U.S.
848	              Department of Commerce, "Electronic Authentication
849	              Guideline", NIST SP 800-63-2,
850	              DOI 10.6028/NIST.SP.800-63-2, August 2013,
851	              <https://dx.doi.org/10.6028/NIST.SP.800-63-2>.

853	   [SP-800-63-3]
854	              National Institute of Standards and Technology, U.S.
855	              Department of Commerce, "Digital Identity Guideline",
856	              NIST SP 800-63-3, DOI 10.6028/NIST.SP.800-63-3, June 2017,
857	              <https://doi.org/10.6028/NIST.SP.800-63-3>.

859	Appendix A.  Vectors of Trust Default Component Value Definitions

861	   The following general-purpose component definitions MAY be used when
862	   a more specific set is unavailable.  This document defines a trust
863	   framework for these component values.  The trustmark URL of this
864	   trust framework is [[ this document URL ]].

866	   Extensions and implementations of this specification SHOULD define
867	   their own component values as described in Section 6.  Where
868	   possible, extensions MAY re-use specific values and definitions as
869	   listed here, but those specific values MUST be re-listed.

871	A.1.  Identity Proofing

873	   The identity proofing component of this vector definition represents
874	   the level of scrutiny applied to the identity subject during the
875	   proofing process.  Higher levels are largely subsumptive of lower
876	   levels, such that "P2" fulfills requirements for "P1", etc.  Multiple
877	   distinct values from this category MUST NOT be used in a single
878	   transaction.

880	   P0 No proofing is done, data is not guaranteed to be persistent
881	      across sessions

883	   P1 Attributes are self-asserted but consistent over time, potentially
884	      pseudonymous

886	   P2 Identity has been proofed either in person or remotely using
887	      trusted mechanisms (such as social proofing)

889	   P3 There is a binding relationship between the identity provider and
890	      the identified party (such as signed/notarized documents,
891	      employment records)

893	A.2.  Primary Credential Usage

895	   The primary credential usage component of this vector definition
896	   represents distinct categories of primary credential that MAY be used
897	   together in a single transaction.  Multiple distinct values from this
898	   category MAY be used in a single transaction.

900	   C0 No credential is used / anonymous public service
901	   Ca Simple session HTTP cookies (with nothing else)

903	   Cb Known device

905	   Cc Shared secret such as a username and password combination

907	   Cd Cryptographic proof of key possession using shared key

909	   Ce Cryptographic proof of key possession using asymmetric key

911	   Cf Sealed hardware token / keys stored in a trusted platform module

913	   Cg Locally verified biometric

915	A.3.  Primary Credential Management

917	   The primary credential management component of this vector definition
918	   represents distinct categories of management that MAY be considered
919	   separately or together in a single transaction.  Many trust framework
920	   deployments MAY use a single value for this component as a baseline
921	   for all transactions and thereby omit it.  Multiple distinct values
922	   from this category MAY be used in a single transaction.

924	   Ma Self-asserted primary credentials (user chooses their own
925	      credentials and must rotate or revoke them manually) / no
926	      additional verification for primary credential issuance or
927	      rotation

929	   Mb Remote issuance and rotation / use of backup recover credentials
930	      (such as email verification) / deletion on user request

932	   Mc Full proofing required for each issuance and rotation / revocation
933	      on suspicious activity

935	A.4.  Assertion Presentation

937	   The assertion presentation component of this vector definition
938	   represents distinct categories of assertion which are RECOMMENDED to
939	   be used in a subsumptive manner but MAY be used together.  Multiple
940	   distinct values from this category MAY be used in a single
941	   transaction.

943	   Aa No protection / unsigned bearer identifier (such as an HTTP
944	      session cookie in a web browser)

946	   Ab Signed and verifiable assertion, passed through the user agent
947	      (web browser)

949	   Ac Signed and verifiable assertion, passed through a back channel

951	   Ad Assertion encrypted to the relying party's key

953	Appendix B.  Document History

955	   -12

957	   o  Replaced "person" with "individual" to constrain intent.

959	   o  Clarified component registration guidelines.

961	   o  Extended Trustmark Provider definition.

963	   o  Various grammatical cleanups.

965	   o  Call out "0" as a recommended "empty" value.

967	   o  Changed trustmark to URL instead of URI.

969	   -11

971	   o  Updated IANA.

973	   o  Minor language tweaks from AD review.

975	   o  Removed SAML implementation.

977	   -10

979	   o  Various fixes to respond to AD review.

981	   o  Added introspection response IANA registration.

983	   o  Cleaned up IANA entries.

985	   o  Removed confusing per-IdP trustmark and discovery sections.
986	      Adopted single trustmark definition instead.

988	   o  Added definition of identity federation.

990	   o  Added definition of identity proofing.

992	   o  Added examples to component sections.

994	   -08

996	   o  Incorporated shepherd comments.

998	   o  Updated references.

1000	   o  Added reference to NISTIR 8112.

1002	   o  Moved default component definitions to appendix.

1004	   -07

1006	   o  Rewrote introduction to clarify focus of document.

1008	   -06

1010	   o  Added section on extensions to VoT.

1012	   o  Made it so that every component category could be multi-valued.

1014	   o  Added reference to updated 800-63-3.

1016	   o  Fixed example text width.

1018	   o  Switched document back to standards-track from experimental now
1019	      that there are extensions in the wild.

1021	   -05

1023	   o  Updated IANA considerations section to include instructions.

1025	   o  Made security and privacy considerations non-normative.

1027	   -04

1029	   o  Updated SAML example to be consistent.

1031	   -03

1033	   o  Clarified language of LoA's in introduction.

1035	   o  Added note on operational security in trustmarks.

1037	   o  Removed empty sections and references.

1039	   -02

1041	   o  Converted C, M, and A values to use letters instead of numbers in
1042	      examples.

1044	   o  Updated SAML to a structured example pending future updates.

1046	   o  Defined guidance for when to use letters vs. numbers in category
1047	      values.

1049	   o  Restricted category demarcators to uppercase and values to
1050	      lowercase and digits.

1052	   o  Applied clarifying editorial changes from list comments.

1054	   - 01

1056	   o  Added IANA registry for components.

1058	   o  Added preliminary security considerations and privacy
1059	      considerations.

1061	   o  Split "credential binding" into "primary credential usage" and
1062	      "primary credential management".

1064	   - 00

1066	   o  Created initial IETF drafted based on strawman proposal discussed
1067	      on VoT list.

1069	   o  Split vector component definitions into their own section to allow
1070	      extension and override.

1072	   o  Solidified trustmark document definition.

1074	Authors' Addresses

1076	   Justin Richer (editor)
1077	   Bespoke Engineering

1079	   Email: ietf@justin.richer.org

1081	   Leif Johansson
1082	   Swedish University Network
1083	   Thulegatan 11
1084	   Stockholm
1085	   Sweden

1087	   Email: leifj@sunet.se
1088	   URI:   http://www.sunet.se