RE: Requirement for Isolated Request for Authorization Atributes

[Philip Hallam-Baker <pbaker@verisign.com>]

I think this case will turn up frequently in the Web server delegated
Authorization case.

I don't think that we should enforce the idea that the issuer of
authorization assertions has to be in any way required to be involved in
authentication. 

If public key cryptography is used as the basis for authentication the
concept of 'login' is irrelevant. Each party performs strong authentication
with each other party it contacts on a per transaction basis. A key exchange
to establish a shared secret may be employed as an optimization, but this
does not consitute a 'login' per se.

Another case in which the requirement would occur is in offline batch
processing. For example, in an auction the participants all submit their
bids to the auctioneer during the auction. At the close of the auction the
auctioneer takes the highest bid and attempts to complete the transaction.
This might involve verifying the participant's current authority to execute
the transaction which may have changed since the time the bid was made.

The concept of 'session' and 'login' is not a helpful one with respect to
authorization. It is specifically a feature of authentication credentials.


Phillip Hallam-Baker
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> Sent: Monday, March 12, 2001 10:19 AM
> To: 'security-use@lists.oasis-open.org';
> 'security-core@lists.oasis-open.org'
> Subject: Requirement for Isolated Request for Authorization Atributes
> 
> 
> In last week's Core Assertions concall there was some 
> discussion about the
> idea of requesting Authorization Attributes for a user who is 
> not currently
> logged in. I have a recollection of someone on a Use Case 
> concall a few
> weeks ago saying this was an important requirement. 
> Unfortunately I do not
> remember who it was. It was pointed out that the current use 
> cases do not
> contain this element.
> 
> Obviously a request of this type could be used as a performance
> optimization, but does someone have another scenario in mind? 
> I hope no one
> is planning to use SAML for provisioning. Based on current 
> thinking, I don't
> think this will work.
> 
> As I was writing this, I realized that perhaps what was intended was a
> business transaction scenario, for example: UC-2-08:ebXML, 
> currently in the
> issues list. In this case, the PDP may retrieve the 
> Authorization Attributes
> after having received an ebXML message from the user.
> 
> Are there any other use cases which involve the request of 
> Authorization
> Attributes when an Authentication Assertion has not 
> previously been issued?
> 
> Hal
> 
> 
> 
> ------------------------------------------------------------------
> To unsubscribe from this elist send a message with the single word
> "unsubscribe" in the body to: 
> security-core-request@lists.oasis-open.org
>

Phillip Hallam-Baker (E-mail).vcf