Subject: Re: Interim requirements II!
Stephen,

>[R-ReAuth] Ability for server to signal that re-authentication is
>required where you'd normally expect an authorization decision.
>
>I didn't phrase that too well, but I guess folks'll recognize the
>issue.

Let me test your theory that folks will recognize the issue.

We discuss a requirement with our customers which may or may not be the same as this. We call it either "step-up authentication" or "authorization based on strength of authentication". The idea is that the authorization rules state that in order to be granted access to a resource, the requester must authenticate using a particular mechanism, which is normally viewed as "extra strong" or "strong enough for purposes of this specific access".

We also discuss another requirement which is at least related to this. I don't think we have a name for it, so I'll make one up: "verification of presence". This requirement says that in order to perform some action the requester must re-authenticate (perhaps using the same mechanism as initial authentication) in order to verify that he or she hasn't walked away and abandoned a session which has subsequently been "adopted" by somebody else. People familiar with ATM machine security will recognize this one.

Is either of these what you mean? Are both?

--bob

Bob Blakley
Chief Scientist, Security
Tivoli Systems, Inc.
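To make the two requirements in the message concrete, here is an added example (not code from the thread, Tivoli or any product it mentions) of an authorization decision that can answer "allow", "step-up" or "re-auth" instead of a plain allow/deny. The mechanism strength ordering, the dataclass names and the per-resource policy fields are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed strength ordering for authentication mechanisms (constructed for
# this example): a higher number means a stronger mechanism.
STRENGTH = {"password": 1, "otp": 2, "hardware-token": 3}


@dataclass
class AuthEvent:
    method: str   # mechanism that was verified, e.g. "password" or "otp"
    at: float     # epoch seconds at which the credential was verified


@dataclass
class Session:
    user: str
    auth_events: list = field(default_factory=list)  # every auth so far


@dataclass
class ResourcePolicy:
    # Step-up rule: weakest mechanism strength acceptable for this resource.
    min_strength: int
    # Presence rule: if set, the most recent acceptable authentication must be
    # no older than this many seconds, otherwise the user must re-authenticate.
    max_auth_age: Optional[float] = None


def decide(session: Session, policy: ResourcePolicy, now: float) -> str:
    """Return the signal the server sends where an authz decision is expected:
    'allow', 'step-up' (authenticate with a stronger mechanism) or
    're-auth' (prove presence by authenticating again)."""
    qualifying = [e for e in session.auth_events
                  if STRENGTH.get(e.method, 0) >= policy.min_strength]
    if not qualifying:
        # No authentication strong enough for this resource has happened.
        return "step-up"
    newest = max(e.at for e in qualifying)
    if policy.max_auth_age is not None and now - newest > policy.max_auth_age:
        # Strong enough, but too long ago to prove the user is still present.
        return "re-auth"
    return "allow"


if __name__ == "__main__":
    s = Session("alice", [AuthEvent("password", at=1000.0)])
    print(decide(s, ResourcePolicy(min_strength=2), now=1500.0))          # step-up
    s.auth_events.append(AuthEvent("otp", at=1200.0))
    print(decide(s, ResourcePolicy(2, max_auth_age=60), now=1500.0))      # re-auth
```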