[Accred-Model] Version 1.5 of the Accreditation and Access Model

Hollenbeck, Scott shollenbeck at verisign.com
Mon May 14 11:25:52 UTC 2018


A few comments on Annex I, "REGISTRATION DIRECTORY SERVICE ACCREDITATION AUTHORITY HIGH-LEVEL REQUIREMENTS"

"First, the access to RDAP does not have to rely on the availability of the identity provider which is a third-party required for federated authentication to work"

Any system that uses digital certificates *also* has a dependency on a third party - the CA. CAs are required to issue certificates, determine their validity periods, and to maintain Certificate Revocation Lists (CRLs) that MUST be checked to determine if a certificate is valid.

"Last but not least, when using digital certificates, the decision of whether or not to grant access is made entirely by the entity running the RDAP services instead of the identity provider which is a third party"

In the OpenID model the identity providers do not make access control decisions. They provide information to the Relying Parties (RPs), who use that information to make an access control decision.

There is one significant difference between this model and the OpenID model that this annex fails to note: this use of a client certificate identifies and authenticates the client at the *transport* layer when a TLS connection is established between the client and the RDAP server. The RDAP server software has no idea who the client is or what the purpose of their query is. In the OpenID model, the client is identified and authenticated at the *application* layer, and the RDAP software that has to make the access control decision has full access to all of the information needed to make an access control decision.

While these models may appear similar, they serve two fundamentally different purposes. Mutual TLS authentication is used to determine if a server should allow a connection from a client. OpenID and OAuth are used to determine if a client is appropriately authenticated and authorized for access to data. Both types of service may be needed here, but they shouldn't be incorrectly conflated.

Scott
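The distinction Scott draws above (a connection-level decision at the TLS handshake versus a per-query decision made by the RDAP software from identity-provider claims) can be made concrete with a small sketch. The following is an added example and is not part of this message, of Annex I, or of any RDAP implementation. The issuer, audience, secret, record and the "rdap_allowed_purposes" claim are constructed for the example; HS256 with a shared secret stands in for the RS256/ES256-with-JWKS signing a real OpenID Connect provider would use, so that the code runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values; the issuer, audience and secret are hypothetical and
# stand in for a real identity provider's published signing keys.
IDP_ISSUER = "https://idp.example.test/"
RDAP_AUDIENCE = "https://rdap.example.test/"
IDP_SECRET = b"constructed-demo-secret-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = IDP_SECRET) -> str:
    """Identity provider side: assert claims about the authenticated user and
    sign them. The IdP makes no access decision; it only vouches for claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_id_token(token: str, secret: bytes = IDP_SECRET,
                    now: Optional[float] = None) -> Optional[dict]:
    """Relying party side: accept the claims only if signature, issuer,
    audience and expiry all check out. Returns None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse alg=none / algorithm confusion
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != RDAP_AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def accept_tls_connection(peer_cert_subject: str, trusted_subjects: set) -> bool:
    """Transport-layer decision, taken when the TLS handshake completes: the
    only input is the certificate identity. Nothing about the query, or why
    it is being made, exists at this point."""
    return peer_cert_subject in trusted_subjects


# Constructed RDAP-style record used as the protected data.
RECORD = {
    "ldhName": "example.test",
    "handle": "EXAMPLE-1",
    "registrant": {"name": "Jane Registrant", "email": "jane@example.test"},
}


def rdap_domain_response(record: dict, claims: Optional[dict]) -> dict:
    """Application-layer decision, taken per query with the full claim set in
    hand. 'rdap_allowed_purposes' is a hypothetical claim name, and the policy
    that only a 'legal' purpose may see contact data is likewise made up."""
    purposes = set(claims.get("rdap_allowed_purposes", [])) if claims else set()
    response = {"ldhName": record["ldhName"], "handle": record["handle"]}
    if "legal" in purposes:
        response["registrant"] = dict(record["registrant"])
    else:
        response["registrant"] = {"name": "REDACTED", "email": "REDACTED"}
    return response


if __name__ == "__main__":
    token = mint_id_token({"iss": IDP_ISSUER, "aud": RDAP_AUDIENCE, "sub": "alice",
                           "exp": time.time() + 300,
                           "rdap_allowed_purposes": ["legal"]})
    print(json.dumps(rdap_domain_response(RECORD, verify_id_token(token)), indent=2))
```

The point of the two decision functions is that accept_tls_connection can only answer "may this certificate holder connect at all", while rdap_domain_response answers "may this authenticated party, for this stated purpose, see this field", and that second answer is computed by the RDAP server from claims the identity provider merely asserted.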

From: Accred-Model [mailto:accred-model-bounces at icann.org] On Behalf Of Vayra, Fabricio (Perkins Coie)
Sent: Friday, May 11, 2018 10:25 AM
To: accred-model at icann.org
Subject: [EXTERNAL] [Accred-Model] Version 1.5 of the Accreditation and Access Model

Attached for discussion and additional comment is version 1.5 of the Accreditation and Access Model. This, following comment and input from many parts of the community, is a much richer and more robust model. Many thanks to those who made constructive contributions.

Thank you again for your input and support.

Fabricio Vayra | Perkins Coie LLP

PARTNER

D. +1.202.654.6255

