Subject: Re: [security-services] Groups - authentication-context.pdf uploaded
On 15 October, Anthony Nadalin writes: Re: [security-services] Groups - authentication-context.pdf uploaded
> John,
>
> >I think there are subtle differences between authentication method,
> authentication context, and what I will call authentication context
> policy:
>
> Basically you have the right direction, you may have missed the point that
> the domain specific policies in WS-Policy can be attestations, thus policy
> can attest to authentication method and form the authentication context.

I have posted the following to the XACML TC:

From: Anne Anderson <Anne.Anderson@sun.com>
Date: Thu, 16 Oct 2003 11:53:15 -0400
To: XACML TC <xacml@lists.oasis-open.org>
Subject: [xacml] [WSPL] Do attestations belong in policy?

I strongly object to the idea of including "attestations" within
the scope of a policy language.

"Attestations" are not "policies". A policy may be predicated on
attestations, but does not provide attestations.

For example, a policy makes statements of the form "If you have
an authenticated attestation from a trusted attestor that you
have logged in using a smart card then you are allowed to access
operation Z of service Y". A policy does not make statements of
the form "The issuer of this policy attests that Subject X has
logged in using a smart card".

"Attestations" are "assertions". They are handled by SAML in the
XML standards world, and by X.509 Attribute Certificates in the
X500 world, as examples of two well accepted standards.

A policy language should have a way of referencing or describing
attestations (such as XACML's Request Context), but the policy
language does not supply the attestations that a policy
references and is not a way of making attestations.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692