Friday 15 July 2011

Tree-Of-Trust

Overview

Enterprise applications of today are no longer independent, but dependent on other applications, services and components for completing their functionality. Authenticating/Trusting another application typically requires having a new authentication/identity management module written for each new application that is integrated. With the advent of claims based/token based authentication, this pain has been eased very much for a developer. Supporting protocols, standards and frameworks such as SAML, WS-Security, WS-Federation, WIF, ADFS etc playing a huge role.

As of today, A developer for application A requiring access to use services of application B would configure the identity providers supported by B to trust A. As this task is most of the time manual and done as part of the deployment phase, the identity management today can be treated static as such. In a world where SOA is exploited, there comes a need to build trusts dynamically, in the same manner as a service is discovered dynamically.

Influences:
Similar to humans who build trust based on relationships, introductions, recommendations etc, what is proposed in the "dynamic tree of trust" topic area is to have a mechanism that includes new frameworks, protocols, markups, standards that collectively assist in building trust dynamically.

Possibility 1:
An application A wanting to access the functionality/services of an application B can claim that its trusted by another set of applications and provide this set of trust using a markup language to application B. Application B can go through its list of internal tree of trusts and figure out if the trust claims are authentic.

Possibility 2:
An application A wanting to access the functionality/services of an application B can send its identity to application B. Application B internally can apply its 'tree-of-trust' locator algorithm to check if there is any identity provider that appears to know this application A.

Ranking trust:
A ranking mechanism can be used by application B to get the effective-trust index using :
a.) Number of providers that support/trust application A
b.) Depth/level within the 'tree-of-trust'.

Research Possibilities:
1.) Research into dynamically building trust; devise a fool-proof mechanism.
2.) Research into developing a set of
(1.1) protocols
(1.2) standards
(1.3) markups and a
(1.4) sample framework for applications to more easily build trust dynamically without any human interventions, while considering any current trends in claims based authentication/WS-* standards. Especially WS-Federation, WS-Trust.
3.) Research into machine learning mechanisms can be included within the framework to have more robust trust learning mechanism such that the effective ranking is based on prior identity success/failures.
4.) Research into more effective traversal algorithms when the logical structure (not necessarily implementation) of the trust-tree is tree based.
4.1) Research into querying identity providers n level deep on the authenticity of the requestor.
5.) Research into applications in mobile devices.


Applicable thoughts:
1.) Hard Trust - A direct trust setup on an identity provider
2.) Soft Trust - A trust that was build up dynamically. ST (0.5), ST(0.8) etc, wherein the index indicates the effective trust index/rank
3.) On-Behalf-Of – A trust that is directly vouched by another.