xacml message


Subject: FW: Authorization Server Protection Profile Public Review

This will be of interest to many members of the SAML and XACML TC's.


-----Original Message-----
From: Norwood, Charles J [mailto:CHARLES.J.NORWOOD@saic.com]
Sent: Wednesday, August 20, 2003 11:27 AM
To: Paul Townsend (E-mail); Rob Philpott (E-mail); Randy Bowman
(E-mail); 'teoakley@us.ibm.com'; 'mark.burns@entegrity.com';
'pmorrison@netegrity.com'; 'pmishra@netegrity.com';
'Jeff.Hodges@sun.com'; 'eve.maler@sun.com'; 'sanderson@opennetwork.com';
'john.hughes@entegrity.com'; 'hlockhar@bea.com';
'Irving.Reid@baltimore.com'; 'cknouse@oblix.com';
Cc: Troy L Young (E-mail); Wiser, Mickie K.
Subject: Authorization Server Protection Profile Public Review

To All,

	NSA's Information Assurance Directorate (IAD) and the Information
Technology Infrastructure Services (ITIS) organizations have jointly
sponsored the development of an Authorization Server Protection Profile for
the Basic Robustness Environments.   The draft of this document has
undergone internal NSA review and is now ready to be posted on the IATF
website for public review and comment.  Although the document should be
available soon at https://www.iatf.net/protection_profiles/profiles.cfm, I
wanted to send an advance copy to companies which have authorization server
or identity management products to make sure it was thoroughly vetted
through the industry.   I obtained your names and e-mail address from
various sources (previous contacts, company websites, and the OASIS Security
Services TC mailing list).  I recognize you may not be the correct person in
your company to review this document, therefore I would appreciate your
forwarding to others in your company for review.

	One of the challenges in drafting this document was describing a
generic authorization server in the Target of Evaluation (TOE) description
since there are many different approaches to implementing this service. The
approach I have described is one with a central (or distributed)
authorization decision engine and agents on web servers.   I recognize that
some implementations use alternative technology, like attribute
certificates, or have the authorization decision engines collocated with the
web server.  Regardless of the implementation, I believe most of the
functional security requirements should be the same.  I would appreciate
your insight on this issue.

	The public comment period for this document is going to be 30 days
from when it is posted.   Assuming it will be posted soon, I would like to
have your comments by 22 September 2003.  Please send comments via e-mail to
myself (Charles.J.Norwood@saic.com) and the IAD Sponsor, Troy Young
(TLYoun2@missi.ncsc.mil).   If you desire to discuss the document with me, I
can be reached at the numbers below.

	 Hopefully this document will help companies who desire to obtain
NIAP evaluations to meet the NSTISSP #11 requirements for selling products
to the U.S. Government for use in national security systems.

		 Thanks in advance for your help,

			   Chuck Norwood


Charles J Norwood
Senior Systems Security Engineer
SAIC Secure Business Solutions Group
410-953-6835   -  Mobile 301-641-2132

