
security-core message


Subject: RE: Requirement for Isolated Request for Authorization Attributes

> -----Original Message-----
> From: Edwards, Nigel [mailto:Nigel_Edwards@hp.com]
> I believe we were talking about 1.
> To build a usable system, 2 needs to be given some thought. Otherwise you
> have little choice but to enable all your power, all the time. To me
> this is an issue of being able to manage your assertions and
> authorizations.

I think that the approach has to be much more streamlined. No user
is going to be able to cope with more than about three distinct
'power levels'.

The impact on SAML as I see it is providing for the correct request
and response data.

So Alice asks for the 'Nuclear Missile Launch Page'.
The server responds 'Alice is authorized to launch missiles but only in
her role ARMAGEDON', which is not enabled.
Alice is told to authenticate herself for ARMAGEDON.
Alice thinks better of the idea and buys a pay per view movie instead.

> I have worked on MLS unix systems in which the power of root was
> broken into 50 or so privileges. The concept of "least-privilege"
> says an entity should only be given the minimum privilege set it
> needs to do its work. So before you fork your application you
> drop all but the privileges it needs. Unfortunately, figuring
> out the minimum set is hard - there is no way to automate it
> (that I know of). This is one of the things that makes development 
> on such systems challenging.

Figuring out the minimum set is hard; however, figuring out a
set that prevents virus or worm propagation is not too difficult.

> If we believe (which I do) that you can't depend on hiding assertions
> for your security, the only way I can think of doing this is for an entity
> to have multiple principal identities. Powerful identities would be enabled
> (authenticated) only rarely: key material could be stored in separate key
> stores.
> As you point out, this kind of thing is somewhat clunky. Alice would
> presumably have her $12M key in a smart card; only rarely would that smart
> card be plugged into any system.

It is very close to being another principal. However, I think that
the ability to say to Alice "Enable Armagedon Priv" requires some
information to specify that the various principal identities all
map to the same person.


Phillip Hallam-Baker (E-mail).vcf
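The request/response flow sketched above (authorized, but only in a role that is not currently enabled, so the answer is "authenticate for that role" rather than a flat deny), modelled as an added example that is not part of the thread. Identity names, roles and resources are constructed; the mapping of several principal identities to one person is the `person` field.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"                          # no identity of this person holds the role
    STEP_UP_REQUIRED = "step-up-required"  # entitled, but the role is not enabled


@dataclass
class Identity:
    """One principal identity; a person may hold several (constructed model)."""
    name: str
    person: str                    # links the identities of one person together
    roles: frozenset               # roles this identity is entitled to
    enabled: set = field(default_factory=set)  # roles currently authenticated


# Constructed sample data: Alice's everyday identity plus a rarely-enabled
# high-power identity whose key lives on a smart card that is not plugged in.
IDENTITIES = [
    Identity("alice@everyday", "alice", frozenset({"viewer", "purchaser"}),
             {"viewer", "purchaser"}),
    Identity("alice@launch", "alice", frozenset({"ARMAGEDON"})),
    Identity("bob@everyday", "bob", frozenset({"viewer"})),
]

# Which role each resource requires (constructed policy).
REQUIRED_ROLE = {"launch-page": "ARMAGEDON", "pay-per-view": "purchaser"}


def decide(person, resource, identities=IDENTITIES):
    """Return (decision, name of the identity to authenticate for, or None)."""
    role = REQUIRED_ROLE[resource]
    holders = [i for i in identities if i.person == person and role in i.roles]
    if not holders:
        return Decision.DENY, None
    for ident in holders:
        if role in ident.enabled:
            return Decision.PERMIT, ident.name
    # Entitled but not enabled: the response names which identity to step up.
    return Decision.STEP_UP_REQUIRED, holders[0].name


def enable(identity_name, role, identities=IDENTITIES):
    """Simulate authenticating an identity for a role it holds; True on success."""
    for ident in identities:
        if ident.name == identity_name and role in ident.roles:
            ident.enabled.add(role)
            return True
    return False
```

Before `enable("alice@launch", "ARMAGEDON")`, the launch page yields a step-up request naming `alice@launch`; afterwards it is permitted, while Bob, who holds no such role on any identity, is simply denied.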
