From d4f4463a8ee5371d87875504df11607060e2a519 Mon Sep 17 00:00:00 2001 From: Darrell O'Donnell Date: Wed, 31 Jan 2024 10:47:16 -0800 Subject: [PATCH] update trust story; defs Signed-off-by: Darrell O'Donnell --- spec/foreword.md | 12 +++++++++--- spec/terms_and_definitions.md | 13 ++++++++++++- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/spec/foreword.md b/spec/foreword.md index e2b3f67..2909f4a 100644 --- a/spec/foreword.md +++ b/spec/foreword.md 
@@ -22,14 +22,20 @@ List significant changes (non-normative): ### On Trust, Trustworthy, and Trustworthiness -The terms [[ref:trust]], [[ref: trustworthy]], and [[ref: trustworthiness]] are loaded with varied meanings that often conflict. In the context of [[ref:trust registries]] we need to establish the scope of what we are talking about when we apply these terms to trust registires. There are baseline definitions that follow this limiting scope. +The terms [[ref:trust]] is loaded with varied meanings that often conflict. In the context of [[ref:trust registries]] we need to establish the scope of what we are talking about when we apply the term "trust" to trust registires. There are baseline definitions that follow this limiting scope. -A trust registry does not create trust. The decision for one entity to "trust" another is their decision. A trust registry may provide information that helps the consuming party (TODO: ref "consuming party" - find better term) in deciding that an entity is "trustworthy" (ie.. they are worthy of trust). +A trust registry does not create trust. The decision for one entity to "trust" another is their decision. A trust registry may provide information that helps the *consuming party* in deciding that an entity is [[ref: trustworthy]]. + +::: todo + define term "*consuming party*" - OR find better term and capture definition. +::: The results on a [[ref: trust decision]] based on input from a trust registry may range from: -* immedidate decision that the entity meets or cannot meet the full requirement of the [[ref:trust relationship]]; or +* immediate decision that the entity meets or cannot meet the full requirement of the [[ref:trust relationship]]; or * further input is required before trust decision can be made. +These decisions relate to a determination that a relationship is (or is not) sufficiently [[ref: trustworthy]] to establish a [[ref: trust relationship]]. 
To reach that determination, each party may have its own way of determining the [[ref: trustworthiness]] of their counterparty for the [[ref: trust relationship]] that they require. + The following terms are presented to help create a general understanding and may be only indirectly related to trust registry efforts: [[def: trust]] diff --git a/spec/terms_and_definitions.md b/spec/terms_and_definitions.md index b4103f3..767ad36 100644 --- a/spec/terms_and_definitions.md +++ b/spec/terms_and_definitions.md @@ -17,6 +17,14 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S [[def: assurance levels]] ~ TODO: +[[def: authentication]] (copied from ToIP Glossary) +~ Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. source: [NIST Special Publication 800-39](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf) + +[[def: authenticity]] (copied from ToIP Glossary) +~ The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. source: [NIST Special Publication 800-39](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf) + + + [[def: authorization]] ~ Access privileges granted to an entity; conveys an “official” sanction to perform a cryptographic function or other sensitive activity. * source: [NIST](https://csrc.nist.gov/glossary/term/permission) NIST SP 800-57 Part 2 Rev.1 under Authorization 
@@ -51,10 +59,13 @@ https://github.com/trustoverip/tswg-trust-registry-protocol/issues/6 [[def:secondary trust registry, secondary trust registries]] ~ TODO: +[[def: trust decision]] +~ A decision that a party needs to make about whether to engage in a specific interaction or transaction with another entity that involves real or perceived risks. source: [ToIP Glossary](https://docs.google.com/document/d/1fZByfuSOwszDRkE7ARQLeElSYmVznoOyJK4sxRvJpyM/edit#heading=h.m8c86ccqis9r) + [[def: trust list]] ~ A one-dimensional trust graph in which an authoritative source publishes a list of entities that are trusted in a specific trust context. A trust list can be considered a simplified form of a trust registry. -[[def: trust registry]] +[[def: trust registry, trust registries]] ~ A registry that serves as an **authoritative source** for **trust graphs** or other **governed information** describing one or more **trust communities**. A trust registry is typically **authorized** by a **governance framework**. See also: trust list [[def: trusted party]]
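Review bot: the rewritten opening sentence in the first foreword.md hunk has a subject-verb mismatch and keeps the old typo: `+The terms [[ref:trust]] is loaded with varied meanings that often conflict.` should read `The term [[ref:trust]] is loaded with varied meanings that often conflict.`, and `trust registires` later in the same line should be `trust registries`. Two lines down, `The results on a [[ref: trust decision]]` reads better as `The results of a [[ref: trust decision]]`. Note also that this sentence now scopes only the single term "trust", while the added lines in the same hunk still lean on `[[ref: trustworthy]]` and `[[ref: trustworthiness]]`; either keep those two terms in the scoping sentence as before, or confirm that `[[def: ...]]` entries for them exist so the references resolve in the rendered spec.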
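Review bot: the two new entries in the first terms_and_definitions.md hunk cite their source inline as `source: [NIST Special Publication 800-39](...)` appended to the definition text, whereas the adjacent `authorization` entry uses a separate `* source: [NIST](https://csrc.nist.gov/glossary/term/permission) ...` bullet that names the specific publication the glossary entry comes from; suggest matching that existing style (a `* source:` bullet pointing at the CSRC glossary term page) so readers can check which NIST document each wording actually originates from rather than a whole PDF. The hunk also adds three consecutive blank lines after the `authenticity` entry; one is enough to match the spacing of the other entries.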
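Review bot: the new `[[def: trust decision]]` entry in the second terms_and_definitions.md hunk cites the ToIP Glossary via a Google Docs `edit#heading=...` link, which points at an editable working draft and will break or change as the document is edited; for a specification, suggest citing a published, stable URL for the glossary (or pinning the version/date) so the definition's provenance stays verifiable. The alias added in `[[def: trust registry, trust registries]]` is a good change, since the foreword hunk already uses `[[ref:trust registries]]` and would otherwise have an unresolved reference; the same check should be applied to `[[ref:trust relationship]]` used in the foreword, which has no visible definition in this patch.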