Subject: RE: Requirement for Isolated Request for Authorization Attributes
> -----Original Message-----
> From: Edwards, Nigel [mailto:Nigel_Edwards@hp.com]
> I believe we were talking about 1.
>
> To build a usable system, 2 needs to be given some thought. Otherwise you
> have little choice but to enable all your power, all the time. To me
> this is an issue of being able to manage your assertions and
> authorizations.

I think that the approach has to be much more streamlined. No user is going to be able to cope with more than about three distinct 'power levels'.

The impact on SAML as I see it is providing for the correct request and response data.

So Alice asks for the 'Nuclear Missile Launch Page'.
The server responds 'Alice is authorized to launch missiles but only in her role ARMAGEDON', which is not enabled.
Alice is told to authenticate herself for ARMAGEDON.
Alice thinks better of the idea and buys a pay per view movie instead.

> I have worked on MLS unix systems in which the power of root was
> broken into 50 or so privileges. The concept of "least-privilege"
> says an entity should only be given the minimum privilege set it
> needs to do its work. So before you fork your application you
> drop all but the privileges it needs. Unfortunately, figuring
> out the minimum set is hard - there is no way to automate it
> (that I know of). This is one of the things that makes development
> on such systems challenging.

Figuring out the minimum set is hard; however, figuring out a set that prevents virus or worm propagation is not too difficult.

> If we believe (which I do) that you can't depend on hiding assertions
> for your security. The only way I can think of doing this is for an entity
> to have multiple principal identities. Powerful identities would be enabled
> (authenticated) only rarely: key material could be stored in separate key
> stores.
> As you point out, this kind of thing is somewhat clunky. Alice would
> presumably have her $12M key in a smart card, only rarely would that smart
> card be plugged into any system.
It is very close to being another principal. However, I think that the ability to say to Alice "Enable Armagedon Priv" requires some information to specify that the various principal identities all map to the same person.

Phill
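The request/response flow sketched in the reply above (the subject holds a role that grants the resource, but that role is not currently enabled, so the server asks for a step-up authentication rather than a plain deny), as an added Python example that is not code from this thread or from any SAML implementation; the resource names, the role names and the policy table are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"              # no role held by the subject grants the resource
    PERMIT = "permit"          # a currently enabled role grants it
    STEP_UP = "step-up"        # a held role grants it, but that role is not enabled


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset          # all roles the subject holds (what an assertion could carry)
    enabled: frozenset        # subset of roles the subject has authenticated for now


# Assumed policy: resource -> roles allowed to access it (constructed sample data)
POLICY = {
    "nuclear-missile-launch-page": frozenset({"ARMAGEDON"}),
    "pay-per-view-movie": frozenset({"CUSTOMER"}),
}


def authorize(subject: Subject, resource: str):
    """Return (decision, roles_to_enable).

    The third outcome is the point of the thread: the response tells the
    requester which held-but-disabled role would grant access, so the client
    can ask for a fresh authentication for exactly that role.
    """
    granting = subject.roles & POLICY.get(resource, frozenset())
    if not granting:
        return Decision.DENY, frozenset()
    if granting & subject.enabled:
        return Decision.PERMIT, frozenset()
    return Decision.STEP_UP, granting


def enable_role(subject: Subject, role: str, authenticated: bool) -> Subject:
    """Step-up: enable a role only if the subject holds it and has just authenticated for it."""
    if role not in subject.roles or not authenticated:
        return subject
    return Subject(subject.name, subject.roles, subject.enabled | {role})


if __name__ == "__main__":
    alice = Subject("Alice", frozenset({"CUSTOMER", "ARMAGEDON"}), frozenset({"CUSTOMER"}))
    print(authorize(alice, "nuclear-missile-launch-page"))   # step-up, {'ARMAGEDON'}
    print(authorize(alice, "pay-per-view-movie"))            # permit
    print(authorize(enable_role(alice, "ARMAGEDON", True), "nuclear-missile-launch-page"))
```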