Subject: Re: [sca-policy] Issue 32
Yes, that's a reasonable suggestion. Let me paraphrase and amplify. We would have 2 authentication intents:

clientAuthentication: client MUST authenticate the server to prevent man-in-the-middle attacks.
mutualAuthentication: client and server MUST authenticate each other.

All the best, Ashok

David Booz wrote:
> I think we should introduce a new intent called 'mutualAuthentication' to resolve the issue.
>
> I don't read the existing intent the same way you do. To me, it reads such that it's all about clients authenticating to services. I'm not sure how to clarify the existing intent but it seems we need to.
>
> Dave Booz
> STSM, BPM and SCA Architecture
> Co-Chair OASIS SCA-Policy TC and SCA-J TC
> "Distributed objects first, then world hunger"
> Poughkeepsie, NY (845)-435-6093 or 8-295-6093
> e-mail: booz@us.ibm.com
>
> From: ashok malhotra <ashok.malhotra@oracle.com>
> To: OASIS Policy <sca-policy@lists.oasis-open.org>
> Date: 11/17/2008 03:22 PM
> Subject: [sca-policy] Issue 32
>
> ------------------------------------------------------------------------
>
> http://www.osoa.org/jira/browse/POLICY-32
>
> The title of this issue is "Security intent which allows a client to authenticate a server"
> But let us look at the authentication intent which is currently in the spec. Lines 1856-1859 in WD09:
>
> *authentication* – the authentication intent is used to indicate that a client must authenticate itself in order to use an SCA service. Typically, the client security infrastructure is responsible for the server authentication in order to guard against a "man in the middle" attack.
>
> I read this as saying that:
>
> 1. The server must always authenticate itself to the client.
> 2. If this intent is used it requires mutual authentication of the client and server.
>
> Thus, it seems to me, that the definition of the intent covers the issue and we need not do anything unless we want to cover the situation that the server is not authenticated by the client. In that case, the default is no authentication and we need two intents:
>
> - One to cover the case where the client authenticates the server
> - The second to cover the case where the client and server authenticate each other (mutual authentication).
>
> --
> All the best, Ashok