Trusted Sources of Information
By yvonne on Aug 16, 2007
I think many of us have had a seminal moment that wakes us up to an awareness of trust (or the lack thereof) on the internet. For me it was back in the early '90s when I received an email that stated that gang members in San Jose CA would drive around at night without their lights on and if anyone flashed their lights at them, the gang members would chase them and shoot them. I'd never received a hoax email before, so just unthinkingly forwarded the email to a friend who lived near there. My friend called the police and found out, fortunately, that it was a hoax. Afterward, I felt a little silly for believing something so ridiculous, but learned, sadly, that the age of internet innocence was long gone and that I would have to evaluate whether an email came from a trusted source of information.
When designing or reviewing application security mechanisms, I ask a similar question. "Are the security decisions based on information from a trusted source?"
This is an important question to ask when deciding between what I'll call a user-authoritative identity scheme and an organization-authoritative identity scheme. For the purposes of this post, in a user-authoritative identity scheme the user is in complete control of their identity and is considered the trusted source of information attributes about themselves. For example, If I sign up for an account at www.livejournal.com, I get to specify what my name is, which email address I'd like to use, and what my birthdate is. There are no checks or validations performed when I sign up because for this type of application, it's not necessary from a risk or trust perspective. If I say my name is Cinderella or Scheherazade, or that my age is 20 or 40 or 60 it is unlikely to matter to anyone because the nature of the application does not require trusted information.
In an organization-authoritative identity scheme, on the other hand, an organization (a company, hospital, government, university, non-profit etc.) owns a portion of the user's identity in that it serves as the authoritative source of information for it, with respect to that organization and any partner organizations. The organization (not the user) is the authoritative source for user attributes such as the user's employee/membership status and id number, job/member level, and access rights or entitlements within the organization(s). For example, if I ask for a AAA discount at a hotel, AAA is the authoritative source for whether I'm a member of this organization. If I apply for a loan, Sun Microsystems is the authoritative source of information about whether I'm employed by Sun. The bank isn't going to just trust me on that, because I might lie in order to get a loan. Similarly, when I use a Sun application, Sun (not me) is the authoritative source of information about what applications I'm allowed to access. So there are many scenarios where an organization-authoritative identity scheme is needed because the user might not be a trusted and authoritative source.
When designing any system, it is important to consider whether a user-authoritative or organization-authoritative identity scheme is most appropriate. It is helpful to evaluate the identity information that is used as a basis for security decisions. Is such information coming from a trusted source? Would the source stand to benefit if it supplied false or incomplete identity information? What could a person do if false identity information were supplied? Does the source have practices to ensure the integrity and correctness of the information supplied? These are a few examples of questions that can be used as a litmus test to evaluate the appropriateness of a design from an identity-centricity perspective.
In my next few posts I'll continue this thread on trusted sources of information, discussing how this relates to concepts such as user-centric identity, security, and risk as well as how we at Sun have used some of today's popular technologies, such as SAML and OpenID, to create identity systems of varying trust levels.