
soa-rm-ra message



Subject: Re: soa-raf-v1 0-wd08.doc


All,

I've made some changes to my additions based on Boris' comments and some of Michael's. Michael has a significant amount of comments throughout the entire security section, and it is hard to know where to begin. I will send a note to him directly related to some of these.

-Kevin

On Tue, Jul 10, 2012 at 11:37 AM, Lublinsky Boris (Nokia-LC/Chicago) <boris.lublinsky@nokia.com> wrote:

I think it's better,

I would still prefer to take

  1. Loss of Context. Could an assertion of identity that was created for one purpose be maliciously used or unintentionally used for another purpose? [N1] [N2] Could someone, for example, use a signed claim about a user's identity to empty the user's bank account, when the issuer of the claim only intended it to be used for another purpose?

On a separate level

 

From: ext Kevin Smith [mailto:kevintrentsmith@gmail.com]
Sent: Tuesday, July 10, 2012 5:15 AM
To: Lublinsky Boris (Nokia-LC/Chicago)
Cc: Peter F Brown; soa-rm-ra@lists.oasis-open.org; Ken Laskey (klaskey@mitre.org)
Subject: Re: soa-raf-v1 0-wd08.doc

 

Thanks Boris!

I responded to your comments and include some edits, attached.

Thanks,

Kevin

On Mon, Jul 9, 2012 at 10:03 PM, Lublinsky Boris (Nokia-LC/Chicago) <boris.lublinsky@nokia.com> wrote:

Comments to Kevin’s additions

 


The information contained in this communication may be CONFIDENTIAL and is intended only for the use of the recipient(s) named above. If you are not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication, or any of its contents, is strictly prohibited. If you have received this communication in error, please notify the sender and delete/destroy the original message and any copy of it from your computer or paper files.

 


[N1] The only generic way is to support multiple identity schemas, one for each specific context. It has nothing to do with who vouches.

[N2] If the assertion has explicit conditions of use (similar to saml:Conditions or a policy that travels with the request) this is a good way to do this. Another way would be the use of Authorization Assertions with chained authorizations (Company gives Boris authority to sign Kevin’s timecard; Boris goes out of town and delegates authority to Ken to sign Kevin’s timecard; Ken passes on the chain of authorizations when he signs the timecard).



However, at this point, I




Attachment: soa-raf-v1 0-wd08-borisKTS.doc
Description: MS-Word document
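The two mitigations Boris sketches in [N2], an identity assertion that carries explicit conditions of use so it cannot be replayed in another context, and a chain of delegated authorizations that a relying party walks back to the root authority, as an added Python example that is not part of this thread or of the SOA-RAF draft. The signed-assertion format, the shared HMAC key, the field names (audience, allowed_actions, not_before, not_on_or_after, right, delegate) and the fixed timestamp are all constructed for illustration; a real deployment would use SAML Conditions or a JWT audience claim with an asymmetric signature.

```python
import hmac
import hashlib
import json

# Constructed demo key and fixed clock so the example is deterministic.
SECRET_KEY = b"constructed-demo-key-not-for-production"
NOW = 1_341_921_600


def _canonical(payload: dict) -> bytes:
    # Canonical JSON so signer and verifier hash the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes = SECRET_KEY) -> dict:
    return {"payload": payload, "sig": hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()}


def verify_signature(assertion: dict, key: bytes = SECRET_KEY) -> bool:
    expected = hmac.new(key, _canonical(assertion["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion.get("sig", ""))


def _in_validity_window(cond: dict, now: int) -> bool:
    # A missing not_on_or_after fails closed: an open-ended assertion is never accepted.
    return cond.get("not_before", 0) <= now < cond.get("not_on_or_after", 0)


def check_conditions(payload: dict, relying_party: str, action: str, now: int):
    """Return a reason string when the assertion may not be used here, else None."""
    cond = payload.get("conditions", {})
    if relying_party not in cond.get("audience", []):
        return "audience mismatch"
    if action not in cond.get("allowed_actions", []):
        return "action not permitted by assertion"
    if not _in_validity_window(cond, now):
        return "outside validity window"
    return None


def accept_identity_assertion(assertion: dict, relying_party: str, action: str, now: int, key: bytes = SECRET_KEY):
    """Signature first, then conditions of use: a claim minted for the timecard
    service is rejected at the bank even though its signature is perfectly valid."""
    if not verify_signature(assertion, key):
        return (False, "bad signature")
    reason = check_conditions(assertion["payload"], relying_party, action, now)
    return (False, reason) if reason else (True, "ok")


def validate_delegation_chain(chain: list, root_authority: str, right: str, actor: str, now: int, key: bytes = SECRET_KEY):
    """Walk signed delegation assertions from the root authority to the actor.
    Every link must be signed, in force, grant exactly the requested right, and
    be issued by the previous link's delegate; the last delegate must be the actor."""
    if not chain:
        return (False, "empty chain")
    expected_issuer = root_authority
    for i, link in enumerate(chain):
        if not verify_signature(link, key):
            return (False, f"link {i}: bad signature")
        p = link["payload"]
        if p.get("issuer") != expected_issuer:
            return (False, f"link {i}: issuer {p.get('issuer')} is not {expected_issuer}")
        if p.get("right") != right:
            return (False, f"link {i}: grants {p.get('right')}, not {right}")
        if not _in_validity_window(p.get("conditions", {}), now):
            return (False, f"link {i}: outside validity window")
        expected_issuer = p.get("delegate")
    if expected_issuer != actor:
        return (False, f"chain ends at {expected_issuer}, not {actor}")
    return (True, "ok")


def build_samples():
    """Constructed sample data mirroring the thread's timecard scenario."""
    identity = sign({
        "subject": "kevin", "issuer": "company-idp",
        "conditions": {"audience": ["timecard-service"], "allowed_actions": ["submit_timecard"],
                       "not_before": NOW - 60, "not_on_or_after": NOW + 300},
    })
    chain = [
        sign({"issuer": "company", "delegate": "boris", "right": "sign_timecard:kevin",
              "conditions": {"not_before": NOW - 60, "not_on_or_after": NOW + 86400}}),
        sign({"issuer": "boris", "delegate": "ken", "right": "sign_timecard:kevin",
              "conditions": {"not_before": NOW - 60, "not_on_or_after": NOW + 3600}}),
    ]
    return identity, chain


if __name__ == "__main__":
    ident, chain = build_samples()
    print(accept_identity_assertion(ident, "timecard-service", "submit_timecard", NOW))
    print(accept_identity_assertion(ident, "bank-service", "withdraw", NOW))
    print(validate_delegation_chain(chain, "company", "sign_timecard:kevin", "ken", NOW))
    print(validate_delegation_chain(chain[1:], "company", "sign_timecard:kevin", "ken", NOW))
```

The relying party never trusts a link or an identity claim on its signature alone; each check names the reason for rejection so a log line can distinguish a forged assertion from a valid one presented out of context, out of time, or for a right it was never granted.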


