[Nsi-wg] Question about message attrbutes..
Jerry Sobieski
jerry at nordu.net
Mon Aug 8 15:01:11 CDT 2011
John - this may be for you...
In reviewing this issue on the RA/PA... I went looking at the UML doc
Guy circulated as it is a bit easier to read than the raw WSDL...
The messages all have the requesterNSAID and the providerNSAID fields,
directly folowed by the "sessionSecurityID". This is the only field I
see for security attributes.
I thought our conclusion was that there would be two security layers: a
NSA _/session/_ level authentication/authorization credentials, and a
/_request_/ level authorization credential that would authorize the
particular action requested relative to the resource or information
context of the request. Does this sessionSecirity field do double duty
authenticating the remote NSA *and* authorizing the particular service
request?
I trust the MTL to authenticate the messaging, as the NSI layer should
never see messages from an unauthenticated NSA. But the NSI layer does
need the authorization credentials in order to properly evaluate the
primitive... The authorization of an NSI request is not an MTL
function. So I am just a bit unsure how this field is planned to be
used within the WSDL.
Thoughts/Comments?
Jerry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.ogf.org/pipermail/nsi-wg/attachments/20110808/86986773/attachment.html
More information about the nsi-wg
mailing list