

Subject: Re: [id-cloud] Groups - IDCloud PaaS Profile -PDF uploaded


Hi Anil

I have a comment on
1.14 Use Case 26: Identity Impersonation / Delegation
1.14.1 Short description
Customers of the cloud provider may require a cloud provider to supply support that permits one identity to impersonates the identity of another customer without sacrificing security

If we are using the dictionary definition of impersonation, i.e. to pretend to be someone else, then I object to this use case as stated on two grounds: i) it is an oxymoron to say that if someone impersonates someone else you don't sacrifice security. The whole point of impersonation is that the relying party cannot tell the difference between the impersonator and the genuine person, so security must be compromised for this to be the case. ii) we should not support impersonation on any grounds, since the service provider/relying party cannot tell whether the user is the genuine one or an imposter. The SP/RP must be able to tell the difference.

Delegation on the other hand is very different to impersonation. With delegation, the user does not pretend to be someone else, but rather, he keeps his own identity. However, he can show that he is a delegate of another person by virtue of some delegation token.

I would therefore propose rewording this use case to

1.14 Use Case 26: Delegation
1.14.1 Short description
Customers of the cloud provider may require a cloud provider to supply support that permits one identity to be delegated [access rights | one or more of the identity attributes] of another customer without sacrificing security.

I prefer "access rights" but the second alternative is more similar to the original wording.

regards

David

On 15/10/2012 18:58, Anil Saldhana wrote:
*Document Name*: IDCloud PaaS Profile -PDF
<https://www.oasis-open.org/apps/org/workgroup/id-cloud/document.php?document_id=47189>
------------------------------------------------------------------------
*Description*
This document outlines a profile for Identity Management for a PaaS Service
Model.
Download Latest Revision
<https://www.oasis-open.org/apps/org/workgroup/id-cloud/download.php/47189/latest/IDCloud-paas-v1.pdf>
Public Download Link
<https://www.oasis-open.org/committees/document.php?document_id=47189&wg_abbrev=id-cloud>
------------------------------------------------------------------------
*Submitter*: Mr. Anil Saldhana
*Group*: OASIS Identity in the Cloud TC
*Folder*: Work Documents
*Date submitted*: 2012-10-15 10:57:58
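
The distinction drawn in the message above, between impersonation and delegation by way of a delegation token, can be shown from the relying party's side. The following is an added example, not part of the original message or of the IDCloud profile; the token layout, the HMAC key shared by issuer and relying party, and the names `issue_delegation` and `authorize` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: secret shared by token issuer and relying party

def _sign(body: bytes, key: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def issue_delegation(delegator, delegate, rights, expires, key=KEY):
    """Issuer side: the delegator grants named access rights to one delegate."""
    body = json.dumps({"delegator": delegator, "delegate": delegate,
                       "rights": sorted(rights), "exp": expires},
                      sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body, key).decode()

def authorize(authenticated_user, token, action, now, key=KEY):
    """Relying-party side. authenticated_user is the identity that actually
    logged in; the token never replaces it, it only adds rights to it."""
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except ValueError:
        return None                      # malformed token
    if not hmac.compare_digest(sig.encode(), _sign(body, key)):
        return None                      # not issued with the shared key, or altered
    claims = json.loads(body)
    if claims["delegate"] != authenticated_user:
        return None                      # token is bound to the delegate's own identity
    if now >= claims["exp"] or action not in claims["rights"]:
        return None                      # expired, or right was never delegated
    # Both identities survive into the decision (and any audit record):
    # the relying party can always tell the delegate from the delegator.
    return {"actor": authenticated_user,
            "on_behalf_of": claims["delegator"],
            "action": action}

if __name__ == "__main__":
    # Constructed sample: alice delegates one access right to bob until t=2000.
    token = issue_delegation("alice", "bob", ["read-invoices"], expires=2000)
    print(authorize("bob", token, "read-invoices", now=1000))
    print(authorize("bob", token, "delete-invoices", now=1000))
```
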


