[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml] REST Profile wd04 - Security
Jean-Paul, > -----Original Message----- > From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On > Behalf Of Mr. Jean-Paul Buu-Sao > Sent: Wednesday, May 23, 2012 5:07 PM > To: xacml@lists.oasis-open.org > Subject: [xacml] REST Profile wd04 - Security > > I have added some suggested additions around <<...>> markers below: > > [...] This section describes some additional considerations that have > to do with the networked nature of a RESTful architecture<<, together > with the administrative capabilities setout by this profile>> > > 3.2 Authentication > HTTP status code 401 (Unauthorized) [HTTP] MAY be used to indicate that > an operation on a resource is denied because the <<requestor>> is not > authenticated > Note: replaced user by requestor because the profile is likely to be > used by non-human users as well Yes, good one. > Authentication means: You can mention Digest authentication, but then > other mechanisms should be mentioned as well, in a non normative way. > Example: federated authentication via SAML token The current text contains the following: "Additional standards like [OpenID], [SAMLv2] or [SASL] MAY be used instead of or in addition to HTTP Digest authentication." Is that not what you're looking for? > 3.3 Authorization > I suggest to add something along the lines: <<Implementations can > perform authorization based upon the identity of the requestor, as well > as on any appropriate additional, trusted, attribute>> (hence the > importance of mentioning federation above) > > "This specification RECOMMENDS that authorization be implemented using > XACML" is a correct statement but still is too vague. I suggest that > you have a specific section on constrained delegation that the > implementations must support, in order to authorize appropriate > administrative actions (such as: delete all versions of a policy set, > to your example). > The REST profile does not need to mandate constrained delegation, but > this model IMO should be recommended on all PAP actions I'll add something to that extent. Thanks, Ray
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]