Coping with Information Asymmetry SESSION G: Managing Risk & Reducing Online Fraud Using New Security Technologies. Nat Sakimura Nomura Research Institute. www.oasis-open.org. Alice. How can I trust that the user is Alice? Is the data provided accurate?. IdP. RP. Can I trust this RP? - PowerPoint PPT Presentation
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
“Reputation is a subjective evaluation of the assertion about an entity being true based on factual and/or subjective data about it, and is used as one of the factors for establishing trust on that subject for a specific purpose. Reputation can be aggregated by rolling up opinions from smaller sets like individuals. ”
Protocol Requirements PR1. The reputation consumer SHOULD be able to obtain
the reputation file by specifying the assertion including the subject identifier.
PR2. Since the reputation data itself is often an sensitive data including PII, it SHOULD have the following security considerations:
SubjectID SHOULD be represented so that it cannot be traced back to the Subject, e.g., sha256(SubjectID, salt). This implies that the protocol should be a request-response protocol since otherwise the receiver cannot map the file to the Subject.
Be able to make the source detectable in the case of the leakage, the file should contain the requester ID.
To make the request forgery-proof, the request should contain the digital signature of the requesting party.
To protect from eavesdropping and MITM attacks, the response should be encrypted using a content encryption key (session key) which in turn is encrypted by the requesting party’s public key.
Considering that the mere fact that an entity is requesting a reputation representation of the subject may be a privacy risk, the request probably should be encrypted in the same manner as the response, with reputation authority’s public key.Source: ORMS TC, “Use Cases”