[acs-wg] Security

Michael Behrens behrens at r2ad.com
Sat Aug 6 10:23:34 CDT 2005


I was able to talk with Rebekah last week.  She is not currently 
involved with GGF; however, she worked on a security issue using grids for 
her Masters and was involved with the OGSA-Auth-WG at that time.  She is 
an OASIS member and has participated in the security groups.

The entire WS security architecture seems overly complex to me and is 
focused on static definitions or rules.  There are some efforts to 
simplify the process with a new spec called WSPL - we'll need to 
research that.

If a "service" wants to enforce access, then SAML+XACML can be used.  
Some services would most likely provide their own policy enforcement 
point (PEP), requiring that the service provide an auxiliary service 
which would be SAML compliant.  Therefore, it seems that an ACS 
implementation might need to implement one.
It seems that "attributes" are more important than identity and roles in 
the WS Security mindset.  I believe the thought is that roles are just 
other attributes and identity is a unique set of attributes. Someone 
please correct me here if this is wrong or overly simplified.  This 
contrasts with the J2EE world where roles can be declared by the web.xml 
and then used externally to block requests or within the authenticated 
request processing internally for authorization decisions 
(isUserInRole() method).

Whether or not an ACS implementation provides a PEP service might be 
irrelevant as long as the provided XACML can be passed along and 
processed - so perhaps it can be just an implementation detail and our 
spec only needs to ensure that a security policy document (using a 
generic term) can be supplied and updated.
 
References:
http://research.sun.com/projects/xacml/wspl_intro.pdf
http://sunxacml.sourceforge.net

-- 
Michael Behrens
R2AD, LLC
(571) 594-3008 (cell) *new*
(703) 714-0442 (land)

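An added worked example, not code from the original message nor from any GGF or ACS project, of the three points raised above: a service that enforces access through a policy decision point (PDP) and policy enforcement point (PEP), roles treated as just another subject attribute alongside a J2EE-style isUserInRole() check, and a policy document that can be supplied and later replaced. The policy format is a constructed, simplified XACML-like subset invented for this example (the element names Policy, Rule, Target, Subject, Resource, Action and Attribute and the deny-overrides combining algorithm echo XACML 2.0, but the document is not conforming XACML); the class names, attribute identifiers and sample policies are assumptions.

```python
# Added example (not from the original message): a minimal XACML-style
# attribute-based PDP and PEP, with roles handled as just another attribute.
import xml.etree.ElementTree as ET

# Constructed sample policy: a simplified, XACML-2.0-like subset invented for
# this example, not a conforming XACML document. A Rule's Target matches when
# every listed Attribute value is present in the request.
POLICY_XML = """\
<Policy PolicyId="acs-archive" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="publisher-writes" Effect="Permit">
    <Target>
      <Subject><Attribute Id="role" Value="publisher"/></Subject>
      <Resource><Attribute Id="resource-type" Value="archive"/></Resource>
      <Action><Attribute Id="action-id" Value="write"/></Action>
    </Target>
  </Rule>
  <Rule RuleId="anyone-reads" Effect="Permit">
    <Target>
      <Resource><Attribute Id="resource-type" Value="archive"/></Resource>
      <Action><Attribute Id="action-id" Value="read"/></Action>
    </Target>
  </Rule>
  <Rule RuleId="no-external-writes" Effect="Deny">
    <Target>
      <Subject><Attribute Id="org" Value="external"/></Subject>
      <Action><Attribute Id="action-id" Value="write"/></Action>
    </Target>
  </Rule>
</Policy>
"""

# Second constructed policy, used to show the active policy being replaced.
LOCKDOWN_XML = """<Policy PolicyId="lockdown" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="deny-all" Effect="Deny"><Target/></Rule></Policy>"""


class PolicyDecisionPoint:
    """Request shape: {"Subject": {attr: {values}}, "Resource": {...}, "Action": {...}}.
    Every attribute is multi-valued; a role is simply one more subject attribute."""
    def __init__(self, policy_xml):
        self.load_policy(policy_xml)

    def load_policy(self, policy_xml):
        """Replace the active policy: the 'supply and update' hook an ACS would expose."""
        root = ET.fromstring(policy_xml)
        self.combining = root.get("RuleCombiningAlgId", "deny-overrides")
        self.rules = []
        for rule in root.findall("Rule"):
            target_el = rule.find("Target")
            target = {}  # category tag -> [(attribute id, required value)]
            for category in (list(target_el) if target_el is not None else []):
                target[category.tag] = [(a.get("Id"), a.get("Value"))
                                        for a in category.findall("Attribute")]
            self.rules.append((rule.get("RuleId"), rule.get("Effect"), target))

    @staticmethod
    def _matches(target, request):
        # An empty Target (no categories) matches every request.
        for category, required in target.items():
            present = request.get(category, {})
            if any(v not in present.get(i, set()) for i, v in required):
                return False
        return True

    def decide(self, request):
        """Combine the effects of all applicable rules into one decision."""
        effects = {eff for _, eff, tgt in self.rules if self._matches(tgt, request)}
        order = ("Deny", "Permit") if self.combining == "deny-overrides" else ("Permit", "Deny")
        for effect in order:
            if effect in effects:
                return effect
        return "NotApplicable"


class PolicyEnforcementPoint:
    """Guards a service call. Anything but an explicit Permit is refused, so
    NotApplicable (no rule matched) fails closed rather than open."""
    def __init__(self, pdp):
        self.pdp = pdp

    def enforce(self, subject, resource, action, service):
        decision = self.pdp.decide({"Subject": subject, "Resource": resource, "Action": action})
        if decision != "Permit":
            raise PermissionError(f"{decision}: request refused")
        return service()


def is_user_in_role(subject, role):
    """J2EE-style isUserInRole(), expressed as a test on the 'role' attribute."""
    return role in subject.get("role", set())


if __name__ == "__main__":
    pdp = PolicyDecisionPoint(POLICY_XML)
    archive, write = {"resource-type": {"archive"}}, {"action-id": {"write"}}
    print(PolicyEnforcementPoint(pdp).enforce({"role": {"publisher"}}, archive, write, lambda: "ok"))
    print(pdp.decide({"Subject": {"role": {"publisher"}, "org": {"external"}},
                      "Resource": archive, "Action": write}))  # Deny wins over Permit
    pdp.load_policy(LOCKDOWN_XML)  # policy replaced at runtime: everything is now denied
    print(pdp.decide({"Subject": {}, "Resource": archive, "Action": {"action-id": {"read"}}}))
```

The PEP deliberately refuses anything other than an explicit Permit, so a request no rule covers is blocked instead of slipping through; whether the PEP lives inside the service or in an auxiliary service, the decision logic and the policy document are what the ACS would have to supply and update.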