Ernesto certainly got my point.

There is some confusion within SAML itself regarding AuthZ and AuthN. AuthZ is one area of clear overlap. However, the information contained in AuthN, i.e. authentication events and protocols, could be quite relevant to establishing policy, e.g. allow access if the protocol was X9.9. One would hope that the representation of such data would be similar, even if the information is communicated in separate containers.

Perhaps someone from security-services could clarify.

Simon Y. Blackwell
CTO
Psoom, Inc.
Voice & Fax: 415-762-9787
-----Original Message-----
From: ernesto damiani [mailto:edamiani@crema.unimi.it]
Sent: Thursday, March 01, 2001 10:15 AM
To: Simon Y. Blackwell; 'Xacml-Discuss (E-mail)'
Subject: XACML scope w.r.t. SAML
I believe some interesting observations can be made starting from this excerpt of Simon's last message:

"Allow <subject> to <verb> <object> only if they logged in using an X9.9 Challenge-Response."

[sblackwell] LARGE PORTION OF MESSAGE DELETED FOR BREVITY

[R-AuthN] SAML should define a data format for authentication assertions, including descriptions of authentication events. This includes time of authentication event and authentication protocol.

[R-AuthZ] SAML should define a data format for authorization attributes. Authorization attributes ("authz attributes") are attributes of a principal that are used to make authorization decisions, e.g. an identifier, group or role membership, or other user profile information.
I believe that the second requisite is aimed at prescribing how to represent <subject>, so there is a strong overlap here. Am I right?

As for the first requirement, honestly I am not sure I fully understand it. Are "description of authentication events" prescriptions about authentication algorithms, as in the "only if" part of our initial example?

If this is the case, this is outside our scope and could be dealt with in a separate namespace.

I am inclined to think that separate namespaces should be defined for the XML-AC language itself (Allow <subject> to <verb> <object>) and for the prescription of authentication techniques and the like. But perhaps I got the second requirement wrong.

Best regards
Ernesto
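The "only if they logged in using an X9.9 Challenge-Response" example from the thread, modelled as an added illustration (not code from either correspondent, nor from SAML or XACML): one rule whose condition draws on both the [R-AuthN] container (event time, protocol) and the [R-AuthZ] container (roles), kept as separate structures and joined only on the subject. All class, field and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed stand-ins for the two containers the thread distinguishes: an
# authentication assertion ([R-AuthN]) and authorization attributes ([R-AuthZ]).
@dataclass(frozen=True)
class AuthnAssertion:
    subject: str
    protocol: str          # authentication protocol used for the login event
    issued_at: datetime    # time of the authentication event

@dataclass(frozen=True)
class AuthzAttributes:
    subject: str
    roles: frozenset       # group / role membership of the principal

@dataclass(frozen=True)
class Rule:
    """Allow <subject> to <verb> <object> only if ... (hypothetical rule form)."""
    verb: str
    obj: str
    required_roles: frozenset = frozenset()      # authz side of the condition
    allowed_protocols: frozenset = frozenset()   # authn side; empty = any protocol
    max_age: timedelta = timedelta(hours=8)      # authn event must be this recent

def decide(rule, authn, attrs, verb, obj, now):
    """Evaluate one rule against both containers; returns (effect, reason)."""
    if (verb, obj) != (rule.verb, rule.obj):
        return "NotApplicable", "rule does not cover this action"
    # Both containers must describe the same principal before being combined.
    if authn.subject != attrs.subject:
        return "Deny", "authn assertion and authz attributes name different subjects"
    if now - authn.issued_at > rule.max_age:
        return "Deny", "authentication event is too old"
    if rule.allowed_protocols and authn.protocol not in rule.allowed_protocols:
        return "Deny", "authenticated with %s, rule requires one of %s" % (
            authn.protocol, sorted(rule.allowed_protocols))
    if not rule.required_roles <= attrs.roles:
        return "Deny", "subject lacks required role(s)"
    return "Permit", "all authn and authz conditions met"

# The thread's example as constructed data: reading payroll needs the "hr"
# role (authz) and an X9.9 challenge-response login in the last 8 hours (authn).
PAYROLL_RULE = Rule("read", "payroll", frozenset({"hr"}),
                    frozenset({"X9.9 Challenge-Response"}))
NOW = datetime(2001, 3, 1, 10, 15, tzinfo=timezone.utc)
ALICE = AuthzAttributes("alice", frozenset({"hr", "staff"}))
ALICE_X99 = AuthnAssertion("alice", "X9.9 Challenge-Response", NOW - timedelta(minutes=5))
ALICE_PWD = AuthnAssertion("alice", "password", NOW - timedelta(minutes=5))
ALICE_STALE = AuthnAssertion("alice", "X9.9 Challenge-Response", NOW - timedelta(hours=9))
```

The same role set yields Permit or Deny depending only on the authentication event, which is the overlap Simon describes: the policy language consumes both containers even if SAML represents them separately.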