

Subject: RE: [wsrp][security] High-level scenario


Reauthenticating the end user was not the intent in this scenario.  The
important thing here is that the remote service does need to be able to
verify the identity of the *portal* that is proxying the request on behalf
of the end user.  

Whether the end user's identity is included in the request is going to be
driven by the requirements of the remote service (i.e. a role might be passed
or some other attribute, not the identity of the end user).  I thought I
heard in the meeting that some vendors want to get this information.  I
would think it should be possible but not mandated.

Probably need to tweak some of the text in the scenario, but intent is
actually pretty aligned with the perspective conveyed by your comments.
Also, I expect that there are going to be a number of scenarios that our
constituents will be interested in.  This was just one example to get the
discussion going.

-----Original Message-----
From: PAVLIK,GREGORY (HP-NewJersey,ex2) [mailto:gregory_pavlik@hp.com]
Sent: Tuesday, April 02, 2002 2:38 PM
To: 'wsrp@lists.oasis-open.org'
Subject: RE: [wsrp][security] High-level scenario


A couple of quick observations:

The text seems to imply an independent re-authentication of the user within
the WSRP service infrastructure after the portal has authenticated the user.
This is something that we will want to avoid if possible. For example, the
WSRP service may have a trust relationship defined with respect to the
client asserting forward its identity.

It's not clear to me that the portal should necessarily send the user's
identity and the portal identity. Does this case simply imply that we need
to support this but not mandate it? It's easy to imagine use cases
where a business relationship between the portal provider and the WSRP
service provider is based on the two business entities independent of the
client identity; in such cases, it's possible that the client, for privacy
reasons, does not want to be identified or tracked, or that the business
hosting the portal does not want individual users tracked.

Is this one of many scenarios that we'll be looking at?

Greg

-----Original Message-----
From: Cassidy, Mark [mailto:mcassidy@Netegrity.com]
Sent: Tuesday, April 02, 2002 3:42 PM
To: 'wsrp@lists.oasis-open.org'
Subject: [wsrp][security] High-level scenario


Please see the attached high-level scenario outlining security
considerations.  This is intended to be a seed for discussion in tomorrow's
telecon; additional scenarios need to be identified and then fleshed out with
more details.  As was mentioned in today's joint wsia/wsrp interfaces call,
we should be looking at other standards efforts in the security space (SAML,
etc) and how they can address the needs we define in the WSRP context.
Ideally we could leverage those efforts and not need to invent anything that
is specific to WSRP.

Comments?

 <<WSRP Security Scenario.doc>> 
