
Re: Are we doing enough to align our work with Zero Trust Architecture?

From: Adrian Gropper <agropper@healthurl.com>
Date: Sun, 3 Jan 2021 18:19:00 -0500
Message-ID: <CANYRo8gA4+d-nV-6-kQVptKTJ+4JFGKPeNuappTsZoPFaojC0Q@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: W3C DID Working Group <public-did-wg@w3.org>

Thanks @Manu on multiple counts. You noticed that my question was to the
broader group and you're willing to see my question as a standards issue.
I, however, think our responsibility as the standards devs is much more
than 30%.

Looking at the ZTA imperative through the lens of Confidential Storage or
EDVs is a missed opportunity. I'm a huge fan of standardizing EDVs, but
EDVs actually obscure the ZTA protocol issues.

Encryption at rest is a given. The issue is authentication, authorization,
and audit.

The most important message from the SolarWinds hack and much of the
ransomware havoc is that our systems are not set up for individual
accountability or independent audit.

The VC and ZCAPs perspective is inadequate. As an SSI community we need to
address the separation of concerns between authentication, authorization,
and audit as equally important and needing a harmonized best-practice
perspective. Standardized EDVs are table stakes but not terribly relevant
to the protocols that link authentication, authorization, and audit.
Confidential Storage should be adopting the protocols that connect
authentication, authorization, and audit rather than introducing protocols
narrowly scoped to the narrow and obvious role of encryption at rest.

I've put together a few slides in an attempt to clarify the relationship
between non-repudiable accountability and audits (and EDVs).
https://docs.google.com/presentation/d/1ksKal62ZiApX09Nejm4RSqHzHJbgwpu_l2Ho64_ePKU/edit#slide=id.p
I'd love to find a time to explain.

Adrian
On Sun, Jan 3, 2021 at 5:45 PM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On 1/2/21 6:34 PM, Adrian Gropper wrote:
> > Please read
> > https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html
> >
> >
> > What would be a good way for our SSI communities to advance zero
> > trust architecture through more effective accountability and audit?
>
> Hmm, I think Dmitri and Daniel thought you were addressing the DIF
> Confidential Storage WG when you were, instead, addressing the DID WG?
>
> Let me start by pointing out that the SolarWinds attack was a supply
> chain attack and it is highly unlikely that what I'm going to say below
> would have prevented that. Sure, if everything was perfectly executed
> then maybe... but we shouldn't be so naive to think that reality comes
> close to good security practices (SolarWinds) or that breaches of
> security lead to lasting bad outcomes for the negligent (Equifax).
>
> The core of the question is probably, could Zero Trust Architecture have
> helped prevent the SolarWinds attack? The answer is probably no, because
> it happened due to negligence around security rather than a failure of
> good security practices.
>
> Could DIDs and VCs help with systems architected with Zero Trust in
> mind? Yeah, probably:
>
> 1) You could use VCs to prove that you should have certain levels of
>    access to certain systems. Checking this could happen automatically,
>    but while ensuring that you're "live" and not some bot.
>
> 2) Logs could be kept of which VCs were used when to receive the
>    authority to do something.
>
> 3) ZCAPs could be used to provide fine-grained access to very specific
>    resources, even behind the firewall, within an organization's systems.
>
> DIDs could power much of this... but shouldn't promise any of it. The
> closest we could probably get to what you're asking, Adrian, is to align
> the Zero Trust Architecture principles to how DIDs and VCs can help --
> primarily around: identity verification (VCs), login authentication
> (DIDs), least-privilege access (ZCAPs, Confidential Storage), and HTTP
> API access authorization (ZCAPs).
>
> You'll note that the above will only help you with about 30% of what
> ZTAs are about... the rest will cost you an arm and a leg (consultants
> or hiring qualified security people to implement real security
> processes, audits, and procedures). Don't know if we can help much
> there. That said, it wouldn't hurt to take a stab at how we might help
> with the items above.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> blog: Veres One Decentralized Identifier Blockchain Launches
> https://tinyurl.com/veres-one-launches
>
>
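The thread argues that authentication, authorization and audit should be kept as separate concerns that are nonetheless linked by protocol (a VC or capability proves the right to act, the invocation proves who is acting, and a log records which credential was used for what and when). The following Go program is an added illustration of that separation, not code from this thread, from the DID WG, or from any ZCAP or EDV implementation. It assumes a simplified DID-to-key lookup (a map standing in for DID resolution), a simplified ZCAP-style capability (a signed JSON grant, not the ZCAP-LD data model), Ed25519 from the Go standard library, and a constructed resource URL `https://edv.example/docs/42`. The resource server performs the three steps in order and appends a hash-chained audit entry for every decision, including denials, so that an independent auditor can detect an altered or deleted record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// DID-like identifier derived from an Ed25519 public key. Simplification for
// this example only: a real did:key uses multibase/multicodec encoding.
func didFor(pub ed25519.PublicKey) string { return "did:example:" + hex.EncodeToString(pub[:8]) }

// Capability is a simplified ZCAP-style grant: the resource controller delegates
// one action on one resource to one invoker DID and signs that statement.
type Capability struct {
	ID, Resource, Action, Invoker, Controller string
	Sig                                       []byte `json:",omitempty"`
}

// Invocation is the invoker's signed request to exercise a capability.
type Invocation struct {
	CapabilityID, Resource, Action, Invoker, Nonce string
	Sig                                            []byte `json:",omitempty"`
}

// AuditEntry records one decision. Entries are hash-chained, so altering or
// removing one is detectable by anyone holding a copy of the chain.
type AuditEntry struct {
	Seq                                               int
	Invoker, CapabilityID, Resource, Action, Decision string
	PrevHash, Hash                                    string
}

func canon(v interface{}) []byte { b, _ := json.Marshal(v); return b }

func hashEntry(e AuditEntry) string {
	e.Hash = ""
	sum := sha256.Sum256(canon(e))
	return hex.EncodeToString(sum[:])
}

// Server is the resource server: it knows each resource's controller DID and
// resolves DIDs to keys (a map here; a real deployment would resolve the DID).
type Server struct {
	Keys        map[string]ed25519.PublicKey
	Controllers map[string]string // resource -> controller DID
	Log         []AuditEntry
}

func (s *Server) record(inv Invocation, decision string) {
	prev := ""
	if n := len(s.Log); n > 0 {
		prev = s.Log[n-1].Hash
	}
	e := AuditEntry{Seq: len(s.Log), Invoker: inv.Invoker, CapabilityID: inv.CapabilityID,
		Resource: inv.Resource, Action: inv.Action, Decision: decision, PrevHash: prev}
	e.Hash = hashEntry(e)
	s.Log = append(s.Log, e)
}

// Authorize keeps the three concerns separate: authenticate the invoker, then
// check the capability, and audit the outcome whatever it is.
func (s *Server) Authorize(inv Invocation, grant Capability) bool {
	decision := "deny"
	defer func() { s.record(inv, decision) }()

	// 1. Authentication: the invocation must carry a valid signature from the
	//    key bound to the invoker's DID.
	invKey, ok := s.Keys[inv.Invoker]
	unsigned := inv
	unsigned.Sig = nil
	if !ok || !ed25519.Verify(invKey, canon(unsigned), inv.Sig) {
		return false
	}
	// 2. Authorization: the capability must be signed by the resource's
	//    controller and grant exactly this invoker, action and resource.
	ctrlKey, ok := s.Keys[s.Controllers[inv.Resource]]
	unsignedGrant := grant
	unsignedGrant.Sig = nil
	if !ok || grant.Controller != s.Controllers[inv.Resource] ||
		!ed25519.Verify(ctrlKey, canon(unsignedGrant), grant.Sig) ||
		grant.ID != inv.CapabilityID || grant.Invoker != inv.Invoker ||
		grant.Action != inv.Action || grant.Resource != inv.Resource {
		return false
	}
	decision = "allow"
	return true
}

// VerifyLog walks the hash chain; true means no entry was altered or removed.
func VerifyLog(entries []AuditEntry) bool {
	prev := ""
	for i, e := range entries {
		if e.Seq != i || e.PrevHash != prev || hashEntry(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

// Demo issues one capability and runs two invocations: one matching the grant
// and one for an action the grant does not cover. Keys are generated fresh.
func Demo() (*Server, []bool) {
	ctrlPub, ctrlPriv, _ := ed25519.GenerateKey(rand.Reader)
	invPub, invPriv, _ := ed25519.GenerateKey(rand.Reader)
	ctrlDID, invokerDID := didFor(ctrlPub), didFor(invPub)
	resource := "https://edv.example/docs/42" // constructed example resource
	s := &Server{
		Keys:        map[string]ed25519.PublicKey{ctrlDID: ctrlPub, invokerDID: invPub},
		Controllers: map[string]string{resource: ctrlDID},
	}
	grant := Capability{ID: "urn:zcap:example:1", Resource: resource, Action: "read",
		Invoker: invokerDID, Controller: ctrlDID}
	grant.Sig = ed25519.Sign(ctrlPriv, canon(grant))
	sign := func(i Invocation) Invocation { i.Sig = ed25519.Sign(invPriv, canon(i)); return i }
	ok1 := s.Authorize(sign(Invocation{CapabilityID: grant.ID, Resource: resource,
		Action: "read", Invoker: invokerDID, Nonce: "n1"}), grant)
	ok2 := s.Authorize(sign(Invocation{CapabilityID: grant.ID, Resource: resource,
		Action: "write", Invoker: invokerDID, Nonce: "n2"}), grant)
	return s, []bool{ok1, ok2}
}

func main() {
	s, results := Demo()
	fmt.Println("decisions:", results, "log intact:", VerifyLog(s.Log))
	s.Log[1].Action = "read" // rewriting a denied entry breaks the chain
	fmt.Println("after tamper, log intact:", VerifyLog(s.Log))
}
```

The point of the layout is that none of the three steps can be skipped silently: an unauthenticated invocation never reaches the capability check, an unauthorized one is still logged, and the log itself is tamper-evident without trusting the server that wrote it. Replay protection for the nonce and delegation chains are left out to keep the example focused on the separation of concerns.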
Received on Sunday, 3 January 2021 23:19:25 UTC
