OASIS Mailing List Archives



security-services message


Subject: Re: [security-services] OpenID SimplePermissions and SAML constrained delegation

On Mon, Jun 30, 2008 at 11:39 AM, Eve Maler <Eve.Maler@sun.com> wrote:
> And the grid community does this with web services use cases (a simpler form
> of what ID-WSF is doing with its WS-Sec profiles?):
> http://www.cs.virginia.edu/papers/SAML_delegation.pdf

Despite what is claimed in this paper, X.509 proxy delegation is
nearly universal within the grid community.  Certainly this is the
case in the US, and I claim it is generally true in production grids.

In proxy delegation, Eve would issue a proxy certificate containing
her name but with Brian's key, which of course Brian would use to
impersonate Eve in the grid.  However, this is a totally different use
case than OpenID "SimplePermissions" or Scott's early notion of
constrained delegation.

> Is there any interest in tackling the user/browser side of all this for SAML
> in an OpenID SimplePermissions-like fashion?  Is there value in
> standardizing a modular "assertion profile" (for use with various
> scenario-based profiles) for holding the delegation info?

Yes, I'm interested in this since it provides a bridge from the SAML
world into the grid.  In particular, if it can be done without query
or ID-WSF, I'm even more interested.

