Subject: FW: Authorization Server Protection Profile Public Review
This will be of interest to many members of the SAML and XACML TCs.

Hal

-----Original Message-----
From: Norwood, Charles J [mailto:CHARLES.J.NORWOOD@saic.com]
Sent: Wednesday, August 20, 2003 11:27 AM
To: Paul Townsend (E-mail); Rob Philpott (E-mail); Randy Bowman (E-mail); 'teoakley@us.ibm.com'; 'mark.burns@entegrity.com'; 'pmorrison@netegrity.com'; 'pmishra@netegrity.com'; 'Jeff.Hodges@sun.com'; 'eve.maler@sun.com'; 'sanderson@opennetwork.com'; 'john.hughes@entegrity.com'; 'hlockhar@bea.com'; 'Irving.Reid@baltimore.com'; 'cknouse@oblix.com'; 'tim.moses@entrust.com'
Cc: Troy L Young (E-mail); Wiser, Mickie K.
Subject: Authorization Server Protection Profile Public Review

To All,

NSA's Information Assurance Directorate (IAD) and the Information Technology Infrastructure Services (ITIS) organizations have jointly sponsored the development of an Authorization Server Protection Profile for the Basic Robustness Environments. The draft of this document has undergone internal NSA review and is now ready to be posted on the IATF website for public review and comment. Although the document should be available soon at https://www.iatf.net/protection_profiles/profiles.cfm, I wanted to send an advance copy to companies which have authorization server or identity management products to make sure it was thoroughly vetted through the industry. I obtained your names and e-mail addresses from various sources (previous contacts, company websites, and the OASIS Security Services TC mailing list). I recognize you may not be the correct person in your company to review this document; therefore I would appreciate your forwarding it to others in your company for review.

One of the challenges in drafting this document was describing a generic authorization server in the Target of Evaluation (TOE) description, since there are many different approaches to implementing this service. The approach I have described is one with a central (or distributed) authorization decision engine and agents on web servers. I recognize that some implementations use alternative technology, like attribute certificates, or have the authorization decision engines collocated with the web server. Regardless of the implementation, I believe most of the functional security requirements should be the same. I would appreciate your insight on this issue.

The public comment period for this document is going to be 30 days from when it is posted. Assuming it will be posted soon, I would like to have your comments by 22 September 2003. Please send comments via e-mail to myself (Charles.J.Norwood@saic.com) and the IAD Sponsor, Troy Young (TLYoun2@missi.ncsc.mil). If you desire to discuss the document with me, I can be reached at the numbers below.

Hopefully this document will help companies who desire to obtain NIAP evaluations to meet the NSTISSP #11 requirements for selling products to the U.S. Government for use in national security systems.

Thanks in advance for your help,

Chuck Norwood

<<Auth_Server_PP_Draft_Ver03_070103.doc>>

----------------------------------------------
Charles J Norwood
Senior Systems Security Engineer
SAIC Secure Business Solutions Group
410-953-6835 - Mobile 301-641-2132