Subject: RE: [security-services] proposed definition: "security context"
As I read this text, it seems to say (loosely paraphrasing) that a message's security context is the combination of two things: (a) certain contents of that message, and (b) a set of underlying mechanisms that protect that message. These are important, but I believe there's also an important (c): state information derived and held by the peers that communicate the message, such as keys used for message validation, which won't appear in the message itself.

Absent this (c), one could conclude that two entities that receive a message and process it using the same protocols would necessarily be interpreting it in conjunction with the same security context (and, hence, drawing the same conclusions about it), which isn't the result I'd expect.

--jl

-----Original Message-----
From: Jeff Hodges [mailto:Jeff.Hodges@Sun.COM]
Sent: Wednesday, July 28, 2004 7:39 PM
To: oasis sstc
Subject: [security-services] proposed definition: "security context"

security context

With respect to an individual SAML protocol message, the security context is the semantic union of the message's security header blocks (if any) along with other security mechanisms that may be employed in the message's delivery to a recipient. With respect to the latter, an example is security mechanisms employed at lower network stack layers such as HTTP, TLS/SSL, IPSEC, etc.

With respect to a system entity, "Alice", interacting with another system entity, "Bob", a security context is nominally the semantic union of all employed security mechanisms across all network connections between Alice and Bob. Alice and Bob may each individually be, for example, a provider or a user agent.

This notion of security context is essentially the same as the notion of "security contexts" as employed in the Distributed Computing Environment [DCE], for example.
--- end