OASIS Mailing List Archives

 




Subject: RE: [wsrp][security] High-level scenario


A couple of quick observations:

The text seems to imply an independent re-authentication of the user within
the WSRP service infrastructure after the portal has authenticated the user.
This is something that we will want to avoid if possible. For example, the
WSRP service may have a trust relationship defined with respect to the
client asserting forward its identity.

It's not clear to me that the portal should necessarily send the user's
identity and the portal identity. Does this case simply imply that we need
to support this but not mandate it? It's easy to imagine use cases
where a business relationship between the portal provider and the WSRP
service provider is based on the two business entities independent of the
client identity; in such cases, it's possible that the client, for privacy
reasons, does not want to be identified or tracked, or that the business
hosting the portal does not want individual users tracked.

Is this one of many scenarios that we'll be looking at?

Greg

-----Original Message-----
From: Cassidy, Mark [mailto:mcassidy@Netegrity.com]
Sent: Tuesday, April 02, 2002 3:42 PM
To: 'wsrp@lists.oasis-open.org'
Subject: [wsrp][security] High-level scenario


Please see the attached high-level scenario outlining security
considerations.  This is intended to be a seed for discussion in tomorrow's
telecon; additional scenarios need to be identified and then fleshed out with
more details.  As was mentioned in today's joint wsia/wsrp interfaces call,
we should be looking at other standards efforts in the security space (SAML,
etc) and how they can address the needs we define in the WSRP context.
Ideally we could leverage those efforts and not need to invent anything that
is specific to WSRP.

Comments?

 <<WSRP Security Scenario.doc>> 

