Subject: [WSPL] Do attestations belong in policy?
I strongly object to the idea of including "attestations" within the scope of a policy language. "Attestations" are not "policies". A policy may be predicated on attestations, but does not provide attestations.

For example, a policy makes statements of the form "If you have an authenticated attestation from a trusted attestor that you have logged in using a smart card then you are allowed to access operation Z of service Y". A policy does not make statements of the form "The issuer of this policy attests that Subject X has logged in using a smart card".

"Attestations" are "assertions". They are handled by SAML in the XML standards world, and by X.509 Attribute Certificates in the X500 world, as examples of two well accepted standards.

A policy language should have a way of referencing or describing attestations (such as XACML's Request Context), but the policy language does not supply the attestations that a policy references and is not a way of making attestations.

Anne

------- start of forwarded message -------
From: Anthony Nadalin <drsecure@us.ibm.com>
To: <security-services@lists.oasis-open.org>
Subject: Re: [security-services] Groups - authentication-context.pdf uploaded
Date: Wed, 15 Oct 2003 21:09:32 -0500

John,

>I think there are subtle differences between authentication method, authentication context, and what I will call authentication context policy:

Basically you have the right direction, you may have missed the point that the domain specific policies in WS-Policy can be attestations, thus policy can attest to authentication method and form the authentication context.

Anthony Nadalin | work 512.436.9568 | cell 512.289.4122

To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.
------- end of forwarded message -------

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
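
The separation argued for in the message above, as an added example that is not part of the original thread: attestations are issued and signed by an attestor, while the policy only names the attestation it requires and the attestors it trusts, and a decision function evaluates the two together over a request context. The attestor names, keys and the `issue`/`decide` functions are assumptions made for illustration, and HMAC stands in for the SAML or X.509 Attribute Certificate signatures a real deployment would use.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo keys; HMAC stands in for SAML / X.509 AC signatures.
ATTESTOR_KEYS = {"idp.example": b"demo-key-idp", "rogue.example": b"demo-key-rogue"}

@dataclass(frozen=True)
class Attestation:
    """An assertion: 'attestor states that subject authenticated with auth_method'."""
    attestor: str
    subject: str
    auth_method: str
    signature: str

def _mac(key, attestor, subject, auth_method):
    msg = json.dumps([attestor, subject, auth_method]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue(attestor, subject, auth_method):
    """Attestor side: the only place where attestations are made."""
    sig = _mac(ATTESTOR_KEYS[attestor], attestor, subject, auth_method)
    return Attestation(attestor, subject, auth_method, sig)

def authenticated(att):
    """Check that the attestation really comes from the attestor it names."""
    key = ATTESTOR_KEYS.get(att.attestor)
    if key is None:
        return False
    expected = _mac(key, att.attestor, att.subject, att.auth_method)
    return hmac.compare_digest(expected, att.signature)

# The policy references attestations; it states no facts about any subject.
POLICY = {"service": "Y", "operation": "Z",
          "required_auth_method": "smartcard",
          "trusted_attestors": {"idp.example"}}

def decide(policy, subject, service, operation, attestations):
    """Evaluate the policy over a request context carrying attestations."""
    if (service, operation) != (policy["service"], policy["operation"]):
        return "NotApplicable"
    for att in attestations:
        if (att.subject == subject
                and att.attestor in policy["trusted_attestors"]
                and att.auth_method == policy["required_auth_method"]
                and authenticated(att)):
            return "Permit"
    return "Deny"
```
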