
security-services message


Subject: RE: [security-services] Groups - SAML shared credential (draft-saml-shared-credential-discussion-01.doc) uploaded

This does not seem to be completely thought through. At least not all of
the use cases have been considered. I am not convinced the concept of a
shared credential is even well defined. You seem to take the view that
the "natural" form of an identity is to refer to a single
biological human being. You consider only the case where security policy
permits credentials to be explicitly issued to represent more than one
human being.

What about a certificate that represents the BEA Systems Corporation?
What about a credential that represents the purchasing department of
BEA, which might have one person or several? What about the office of
the CTO? Or the CTO, whose decisions might be made by a person or a
committee and whose key might actually be used by his secretary or, when
she is on vacation, a temp?

What about the identity of a web server? Or replicated web servers on
different continents? Or processor blades in a box?

I believe that the underlying concept that is important is the notion of
an "Accountable Identity". Sometimes this will be an organization or a
group, sometimes it will be an individual. One common case is that a
composite identity (shared identity if you will) is sufficient for
Authorization decisions, but an accountable identity is required for
the Audit trail. In other cases, such as the use case cited, it may be
necessary to obtain the accountable identity before acting on a request.

I feel strongly that this property of being or not being an
accountable identity is an abstract property of the identity and is not
related to an authentication act. Naturally the Issuing Party will use a
policy for distributing passwords or keys that corresponds to its notion
of the type of identity in question. In short, I see this property as
just another attribute of the subject.

This brings me to my proposed approach. Why not use an attribute
statement to indicate the Issuing Party's belief about the type of
identity it is? (Of course nobody can prevent you from sharing your
password with your friend.) Then we should be able to use existing
machinery, such as an attribute query, to say: I need the accountable
identity that is associated with this request, here is the composite


> -----Original Message-----
> From: ashish.patel@rd.francetelecom.com
> [mailto:ashish.patel@rd.francetelecom.com]
> Sent: Wednesday, January 18, 2006 1:36 PM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] Groups - SAML shared credential
> shared-credential-discussion-01.doc) uploaded
> The submitted shared credential document is an outcome of joint
> between NTT and France Telecom regarding common set of requirements
> potential solutions.
> The purpose of the submission is to discuss the possible solutions
> SAML TC members and conclude an approach by leveraging any relevant
> done in past such as Extensions draft submitted by Scott Cantor [1].
> The document explores the solutions for a use case where a user gets
> authenticated based on a credential which does not uniquely identify
> user (phone at home, PPPoE connection etc.) and IDP is unable to
> anything beyond the fact that the user was one of the set of
> that shared that credential. An SP may deem such an assertion as
> insufficient for enabling access to resources associated with a
> individual identity and so may request from the IDP an assertion
> characterized by a credential unique to that individual.
> [1]
> http://www.oasis-
> open.org/apps/org/workgroup/security/download.php/15207/draft-saml-
> protocol-ext-01.pdf
> -
> Ashish Patel
> France Telecom
>  -- Mr Ashish Patel
> The document named SAML shared credential
> (draft-saml-shared-credential-discussion-01.doc) has been submitted by
> Ashish Patel to the OASIS Security Services (SAML) TC document
> Document Description:
> This document explores the shared credential use case and proposes a
> extension that would allow a SP to manage authentications
> distinguished by
> whether or not the authentication credential is shared or not.
> View Document Details:
> http://www.oasis-
> open.org/apps/org/workgroup/security/document.php?document_id=16297
> Download Document:
> http://www.oasis-
> credential-discussion-01.doc
> PLEASE NOTE:  If the above links do not work for you, your email
> application
> may be breaking the link into two pieces.  You may be able to copy and
> paste
> the entire link address into the address field of your web browser.
> -OASIS Open Administration
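The following is an added illustration of the approach proposed in the reply above (an SP reading the Issuing Party's statement about the identity type from a SAML 2.0 AttributeStatement and deciding whether to act, or to resolve the accountable identity first); it is not code from either message or from the SAML TC. The attribute name `urn:example:identity-type`, its values `composite`/`accountable`, and the sample assertion are hypothetical and constructed for this example.

```python
# Added illustration of the proposal: an SP reads the Issuing Party's
# "identity type" attribute from a SAML 2.0 AttributeStatement and decides
# whether the assertion is enough to authorize, or whether the accountable
# identity must be resolved (e.g. via an AttributeQuery) before acting.
# The attribute name urn:example:identity-type is a hypothetical placeholder.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDENTITY_TYPE_ATTR = "urn:example:identity-type"  # hypothetical attribute name

# Constructed sample: a credential shared by a household, so the IdP can only
# state that the subject is one of the people sharing it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2006-01-18T13:36:00Z">
  <saml:Issuer>https://idp.example.net</saml:Issuer>
  <saml:Subject><saml:NameID>household-42</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:identity-type">
      <saml:AttributeValue>composite</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def identity_type(assertion_xml: str) -> str:
    """Return the issuer's stated identity type, or 'unknown' if absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == IDENTITY_TYPE_ATTR:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    return "unknown"


def decide(assertion_xml: str, needs_accountable: bool) -> str:
    """Policy sketched in the reply: a composite identity may be enough to
    authorize, but an accountable identity is required when the request (or
    the audit trail) demands it. Returns 'grant', 'query-accountable' or 'deny'."""
    kind = identity_type(assertion_xml)
    if kind == "accountable":
        return "grant"
    if kind == "composite":
        # Sufficient for authorization; resolve the person first if required.
        return "query-accountable" if needs_accountable else "grant"
    return "deny"  # issuer made no usable statement about the identity type; fail closed
```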
