Subject: RE: [xacml] REST Profile wd04 - Security
Indeed Ray, you already had SAML covered, and somehow I missed that paragraph. Thank you for the addition on the constrained delegation.

Regards,
Jean-Paul

-----Original Message-----
From: remon.sinnema@emc.com [mailto:remon.sinnema@emc.com]
Sent: Wednesday, May 23, 2012 22:40
To: Jean-Paul Buu-Sao
Cc: xacml@lists.oasis-open.org
Subject: RE: [xacml] REST Profile wd04 - Security

Jean-Paul,

> -----Original Message-----
> From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org]
> On Behalf Of Mr. Jean-Paul Buu-Sao
> Sent: Wednesday, May 23, 2012 5:07 PM
> To: xacml@lists.oasis-open.org
> Subject: [xacml] REST Profile wd04 - Security
>
> I have added some suggested additions around <<...>> markers below:
>
> [...] This section describes some additional considerations that have
> to do with the networked nature of a RESTful architecture<<, together
> with the administrative capabilities set out by this profile>>
>
> 3.2 Authentication
> HTTP status code 401 (Unauthorized) [HTTP] MAY be used to indicate
> that an operation on a resource is denied because the <<requestor>> is
> not authenticated
> Note: replaced user by requestor because the profile is likely to be
> used by non-human users as well

Yes, good one.

> Authentication means: You can mention Digest authentication, but then
> other mechanisms should be mentioned as well, in a non-normative way.
> Example: federated authentication via SAML token

The current text contains the following: "Additional standards like [OpenID], [SAMLv2] or [SASL] MAY be used instead of or in addition to HTTP Digest authentication." Is that not what you're looking for?

> 3.3 Authorization
> I suggest adding something along the lines of: <<Implementations can
> perform authorization based upon the identity of the requestor, as
> well as on any appropriate additional, trusted attribute>> (hence the
> importance of mentioning federation above)
>
> "This specification RECOMMENDS that authorization be implemented using
> XACML" is a correct statement but still is too vague. I suggest that
> you have a specific section on constrained delegation that the
> implementations must support, in order to authorize appropriate
> administrative actions (such as: delete all versions of a policy set,
> to your example).
> The REST profile does not need to mandate constrained delegation, but
> this model IMO should be recommended on all PAP actions

I'll add something to that extent.

Thanks,
Ray