OASIS Mailing List Archives

security-use message

Subject: RE: Requirement for Isolated Request for Authorization Attributes


Evan, I can roughly see where you're going.  But from a guy trying
desperately to clearly define terms and relationships, I'm still really
confused.  The detailed questions:

I don't see the term "policy assertions" in the glossary.  Is this security
policies?  

I don't see the term "authorization assertion" used in your explanation, as
in the glossary definition 'the user "noodles" is granted "execute"
privileges on the resource "/usr/bin/guitar."'  Is this what you meant by
"authorization decision"?

How do these relate to the term "authorization policy decision"?  Is this an
authorization decision?

Does the authentication assertion have 2 states: without authorization
attributes and with authorization attributes?  Or are these different
constructs?

Dave

> -----Original Message-----
> From: Evan Prodromou [mailto:evan@outlook.net]
> Sent: Monday, March 12, 2001 7:00 PM
> To: Orchard, David
> Cc: Hal Lockhart; 'security-use@lists.oasis-open.org';
> 'security-core@lists.oasis-open.org'
> Subject: Re: Requirement for Isolated Request for Authorization
> Attributes
> 
> 
> >>>>> "OD" == Orchard, David <dorchard@jamcracker.com> writes:
> 
>     OD> Pardon my gross ignorance, but is requesting authorization
>     OD> attributes roughly equivalent to requesting policies?  So
>     OD> would it be that SAML defines a carrier for whatever XACL
>     OD> defines for ACLs?
> 
> David,
> 
> The way we've defined "authorization attributes" is that they are
> attributes of the subject which are used to make authorization
> decisions -- such as group membership, role, organization, identity,
> etc. This could easily be stretched to include practically any profile
> information, e.g., to get to the Left Handers' Club Web site, I need
> to have an attribute saying that I'm left-handed.
> 
> (I think the reason these are called authz attributes rather than
> authz assertions is that they may not be a separate assertion at
> all. Rather, they may be bound into an authn assertion -- part of an
> authenticating party's output would be putting together these authz
> attributes, and binding them to the authenticated party.)
> 
> What you're talking about, we've called "policy assertions" -- e.g.,
> asserting the rule that, if the subject has the left-handedness
> authorization attribute, they may enter the Left Handers' Club Web
> site.
> 
> One last type of authz assertion is "authorization decisions" -- the
> statement that, "I, Policy Decision Point, checked the rules and
> hereby grant 'Evan Prodromou' entry to the 'Left Handers' Club Web
> site'." It doesn't state the criteria for making the decision, it just
> says that the decision was made. So when the PEP for the LHC Web site
> questions me, I can wave the authz decision in its face and go on my
> way.
> 
> Does that all make sense?
> 
> ~ESP
> 
> 
> 
> 
> ------------------------------------------------------------------
> To unsubscribe from this elist send a message with the single word
> "unsubscribe" in the body to: 
> security-use-request@lists.oasis-open.org
> 
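A small model of the three constructs Evan distinguishes in the quoted message (authorization attributes bound into an authentication assertion, a policy assertion, and an authorization decision that a PEP checks without re-reading the criteria), added here as an illustration. It is not part of the original thread or of any SAML implementation; the class names, the "PDP" issuer string, the deny-by-default rule and the expiry check are assumptions of the example.

```python
"""Toy model of the assertion kinds discussed above (constructed example, not SAML wire format)."""
from dataclasses import dataclass, field
from typing import Any, Dict


@dataclass
class AuthnAssertion:
    """Authentication assertion with authz attributes bound to the authenticated subject."""
    subject: str
    authz_attributes: Dict[str, Any] = field(default_factory=dict)


@dataclass
class PolicyAssertion:
    """Rule: a subject holding required_attribute == required_value may do action on resource."""
    resource: str
    action: str
    required_attribute: str
    required_value: Any


@dataclass
class AuthzDecision:
    """Statement that a decision was made; it deliberately carries no criteria."""
    issuer: str
    subject: str
    resource: str
    action: str
    permitted: bool
    not_after: float  # expiry, so a decision waved at a PEP cannot be replayed forever


def pdp_decide(authn, policies, resource, action, now, ttl=300.0):
    """Policy Decision Point: evaluate policy assertions against the subject's bound attributes.
    Denies by default when no policy covers the resource/action (assumption of this example)."""
    permitted = any(
        p.resource == resource and p.action == action
        and authn.authz_attributes.get(p.required_attribute) == p.required_value
        for p in policies
    )
    return AuthzDecision("PDP", authn.subject, resource, action, permitted, now + ttl)


def pep_enforce(decision, subject, resource, action, now, trusted_issuers=("PDP",)):
    """Policy Enforcement Point: never re-reads policy; only checks that the decision comes
    from a trusted issuer, is bound to this subject/resource/action, is fresh, and permits."""
    return (decision.issuer in trusted_issuers
            and decision.subject == subject and decision.resource == resource
            and decision.action == action and now <= decision.not_after
            and decision.permitted)
```

The PEP check is where the "it just says that the decision was made" property bites: a decision minted for one subject or resource, or one that has expired or was not issued by the PDP, is refused even though it carries no criteria to re-evaluate.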

