
Subject: Re: [security-services] Groups - authentication-context.pdf uploaded

If there is one gap that I wish would be addressed, it is the need for cached
Authorization assertions. I think WS-Policy gets to the point of starting
to try and address the "Expressive" aspects of an Authorization Policy, but
I believe that the results of these evaluations can be stored as Assertions
in the SAML token. This architecture could be used to capture the results
of a policy determination and can act as a "Cache" in the SAML token for
storing the results of an authorization evaluation for a specified scope
(could be just this one transaction, a period of time, etc.). Building out
the SAML token to hold Assertions about a user's ability to Access or Use a
certain resource would be a very powerful capability. This could have a
significant impact on performance (in a good way) and increase the
interoperability and productivity of an entire system.

Systems could use the token to not only store assertions of identity but
could also act as a cache of authorization assertions under a specific
policy set.

I would really like to see the next version address this set of
requirements: the ability for the token to contain authorization
information, maybe in a separate branch of the token. This is much
broader than Liberty, and maybe this isn't the right place, but Tony's
comments sparked my memory of a system I designed for a VERY LARGE
corporate enterprise security system to address authentication and
authorization. The Token cache idea was a big success and the performance
impact was amazing, to my surprise.

Bill Haase
   Security and Privacy SME
   National Sales Engineering Team
   Tivoli Security & Privacy Software
   Internet: whaase@us.ibm.com
   AOL IM: BillHaase

   Tivoli Software Products, an IBM Company
   5475 Rings Road, Suite 300, Dublin, Ohio, 43017
   Office: (614) 659-7427  **Cell: (614) 348-4297

"The box said NT 4.0 or better, so I loaded it on my Linux Server"
IBM is #1 in Security Software =>

Nadalin/Austin/IBM@IBMUS
10/17/2003 09:37
To: <security-services@lists.oasis-open.org>
Subject: Re: [security-services] Groups - authentication-context.pdf uploaded

> A separate question might be whether there is some overlap between the
> Authentication Context specification and WS-Policy. At this point, I don't
> know if that question is being addressed within SSTC.

I believe that there is a valid requirement; not sure if it's an
authentication context or a more generalized concept such as WS-Policy
where one can express scope, preconditions, business value and decision

Anthony Nadalin | work 512.436.9568 | cell 512.289.4122
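As an added illustration (not code from the thread or from either participant) of what "the token as an authorization cache" could look like: a SAML 1.x-style assertion that carries an AuthorizationDecisionStatement next to the identity statement, and a relying-party lookup that honours a cached decision only when its scope (subject, resource, action) matches and its validity window has not lapsed. The assertion contents, subject name and resource URL are constructed; the element and attribute names follow the SAML 1.0 assertion schema, and signature verification is assumed to have been done by the caller before the token is consulted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample token: one identity statement plus one cached
# authorization decision, both bounded by the Conditions validity window.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML_NS}" AssertionID="_example-1" Issuer="pdp.example.test">
  <Conditions NotBefore="2003-10-17T09:00:00Z" NotOnOrAfter="2003-10-17T09:15:00Z"/>
  <AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <Subject><NameIdentifier>alice</NameIdentifier></Subject>
  </AuthenticationStatement>
  <AuthorizationDecisionStatement Resource="https://app.example.test/reports" Decision="Permit">
    <Subject><NameIdentifier>alice</NameIdentifier></Subject>
    <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</Action>
  </AuthorizationDecisionStatement>
</Assertion>"""


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cached_decision(assertion_xml, subject, resource, action, now):
    """Return the cached 'Permit'/'Deny' for (subject, resource, action), or None.

    None is a cache miss: the caller must fall back to a live policy evaluation.
    An expired or out-of-scope decision is treated as a miss, never as a Permit.
    The token's signature is assumed to have been verified before this is called.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_time(nb):
            return None
        if na and now >= parse_time(na):  # NotOnOrAfter is exclusive
            return None
    for st in root.findall("saml:AuthorizationDecisionStatement", NS):
        if st.get("Resource") != resource:
            continue
        if st.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS) != subject:
            continue
        if action in [a.text for a in st.findall("saml:Action", NS)]:
            return st.get("Decision")
    return None
```

The scope check is deliberately exact: a decision cached for Read on one resource says nothing about Write, another resource, or another subject, and once the window closes the relying party goes back to the policy decision point.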
