[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: FW: [xacml-demo-tech] XACML InterOp at Burton Catalyst - scenario comments
Please review. Cheers, Dee From: Mark O'Neill [mailto:mark.oneill@vordel.com]
Hi Dee – I tried to send this but I don’t think I’m on the appropriate lists
Feel free to forward anything
Thanks -Mark
From: Mark O'Neill [mailto:mark.oneill@vordel.com]
Hi –
Here is some feedback based on a XACML PEP/PDP deployment for a telecoms customer which was deployed in 2005, and is in production today. The customer is using Vordel and Entrust products. The Vordel XML Gateways delegate AuthZ to the Entrust access control platform using the SAML AuthorizationDecisionQuery message.
I’ve attached a public document describing the customer deployment, which was published in the ISTR journal but which I notice now costs money for reprints. Here is the Word doc original. SAML 1.1 was used at the time.
One big item which I’d pull out of this document and feed into the interop scenarios is that it would be good to add scope for multiple PDPs. For this customer, it was important that there was no single point of failure. So, we cycle between different PDPs and if one becomes unavailable, there are still other PDPs there (configuration screen here: http://radio.weblogs.com/0111797/images/saml_pdp_url_grp.gif , Full description at: http://radio.weblogs.com/0111797/2007/01/22.html#a73 ). When the PDP comes back online, we start using it again. Now, I don’t think we should have all of this in the interop, but it would be good to counter the question about whether using a single PEP/PDP introduces a single point of failure. Certainly, for the customer whose deployment is described in the document, a single point of failure was not an option, and they focused much of their acceptance testing on this aspect of the solution.
Hope this helps Mark.
Mark O’Neill CTO, Vordel Phone: 617-848-0984
From: Denis Pilipchuk [mailto:dpilipch@bea.com]
Dear Rich,
Thanks a lot for coming up with this initial set. Here're my thoughts on the document and the described scenarios:
General document thoughts:
1. I’d like to state somewhere in the introduction section of the document that we separate the issues of settling on the details of exchange protocol/policy (which should be specified very precisely), and UI representation. They are really orthogonal, and each participating vendor should be able to decide, how much work they’d like to invest into putting together a sample PEP App (i.e. stock brokerage). Complexity here may range from a single static page with couple of entry boxes and buttons in the most primitive case case, to a rich interactive Web application. 2. The vendors should be free to develop and use a joint test application, if so desired. I.e. I’m proposing making development of the PEP part optional, as long as a vendor teams up with somebody else to present a working PEP – this way, we’ll have at least one working test application J It goes w/o saying that each vendor would have to have a XACML PDP and/or XACML policy import/export facility as a pre-condition of participation in the interop event.
Authorization Decision scenarios:
1. Section 1.1, last paragraph: we need to better separate actions from attributes. Credit limit and types of trades are definitely attributes, threshold – I doubt it, it’s rather a policy item, blocking access or assigning new managers I view as purely actions, checked and executed from PEP 2. Section 1.1, last paragraph, trading thresholds: since embedding security logic into applications is a bad security practice in general, and to demonstrate the power and flexibility of the XACML language, I’d like to suggest handling trading thresholds via policies, and just returning obligations to the PEP specifying whether approval is required or not 3. Section 1.1.1.1: I don’t think the authentication part should be handled by the document – instead, I’d limit this part to just “view account” action and leave all username/password details out of the scope. Any exchange between PEP and PDP assumes already authenticated user, passing a subject token which we’ll agree on
Additionally, in order to limit the scope of the application, I’d like to suggest having just 3 customer-based scenarios (view, purchase, trade) for the Authorization Decision, and move all management operations (manager access, manager approval, account management) for both managers and VPs to the Policy Import/Export set of scenarios. This will provide a clean and understandable separation of the applications in case somebody will participate in one scenario but not in another.
Regards, Denis _______________________________________________ Denis Pilipchuk
From: Rich Levinson [mailto:rich.levinson@oracle.com]
Hello Everyone from today's conference call,
All, Attached is a first draft of the proposed sample scenarios. It is intended for discussion. It is a very flexible concept: a managed brokerage account, where the customer can do stock trades in coordination with an account manager. This is the kind of thing one might find in high value accounts where the customer as well as the brokerage coordinate their efforts to meet the objectives. At the same time it is based around a simple core structure of 3 levels of user: customer, acct manager, vice president. It is intended that there be 2 accts, so one can see that certain parties have access to one the other or both. Also, there are approvals involved, so one can easily see workflow being integrated if desired. By nature it is very extensible and one could extend it to have partners involved such as a bank for bank transfers, a trading service to execute trades, etc. Again, the intent is to get a sample appl out there which can provide a context for doing an interesting Interop. The actual appl can be quite minimal, only supporting the key attributes that are involved in the scenarios or dressed up for other purposes. Finally, only the Authorization portion has been done with a couple simple scenarios to give the flavor of the demo. The xacml-demo-tech group can discuss exactly where we want to head with this and it is intended only to be a starting point. Thanks, Rich Dee Schur wrote: -------- Original Message --------
> Hi, > We just got off of a call with Burton and they once again, emphasized the > tremendous need for interoperability and the use of XACML. They are > confident that if we do it right, we will have a tremendous amount of > interest based on their customer feedback, and this is a very exciting > opportunity! > Prateek and Richard are working on the type of scenario that Burton would > like to see, more aggressive and compelling than the one we have developed > so far. > Also, they would like to see more participants. I will be doing a lot of > outreach in the next few days as Gerry mentioned many vendors that have > XACML embedded in their products but are not active in the TC. I would > invite your help here. If you know of other players in this space, please > shoot me an email with contact information ASAP. > If you are 'sitting on the fence,' and you would like me to speak with your > marketing contact to assure then of the value of participation, please let > me know. Burton has been very good to OASIS and they believe in our mission. > Their customer clamor volume for interoperability continues to increase. > Best regards, > Dee Schur > >
Invitation: Call to discuss XACML InterOp at Burton Catalyst -- Mrs. Dee Schur Call to discuss XACML InterOp at Burton Catalyst has been added by Mrs. Dee Schur Date: Wednesday, 21 March 2007 Time: 05:30pm - 06:30pm ET Event Description: Conference Call Information: 5:30PM EDT, 3:30 PM MT, 2:30 PM Pacific PHONE: +1-319-643-7750 GUEST: 857415# Agenda: This call is designed to discuss the XACML InterOp opportunity for all potential participants at the Burton Catalyst Conference in late June. Minutes: View event details: http://www.oasis-open.org/apps/org/workgroup/staff/event.php?event_id=14763 PLEASE NOTE: If the above link does not work for you, your email application may be breaking the link into two pieces. You may be able to copy and paste the entire link address into the address field of your web browser.
BEGIN:VCALENDAR METHOD:PUBLISH VERSION:2.0 PRODID:-//Kavi Corporation//NONSGML Kavi Groups//EN X-WR-CALNAME:My Calendar BEGIN:VEVENT CATEGORIES:MEETING STATUS:TENTATIVE DTSTAMP:20070320T000000Z DTSTART:20070321T213000Z DTEND:20070321T223000Z SEQUENCE:0 SUMMARY:Call to discuss XACML InterOp at Burton Catalyst DESCRIPTION:Conference Call Information:\n\n5:30PM EDT\, 3:30 PM MT\, 2:30 PM Pacific\n\nPHONE: +1-319-643-7750\n\nGUEST: 857415#\n\nGroup: Staff\nCreator: Mrs. Dee Schur URL:http://www.oasis-open.org/apps/org/workgroup/staff/event.php?event_id=14763 UID:http://www.oasis-open.org/apps/org/workgroup/staff/event.php?event_id=14763 END:VEVENT END:VCALENDAR
--
--
|
XACML, SAML, and WS-Trust for Protecting Transactions in a Telecoms Environment.doc
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]