[Nsi-wg] Question about message attrbutes..
Inder Monga
imonga at es.net
Mon Aug 8 22:33:59 CDT 2011
Jerry and John,
>> NSA-to-NSA authorization is a local implementation issue based on the
>> establishment of trust, however, I believe Mary's accepted proposal
>> was to do user based authorization on each message using the user
>> context provided in the security parameters.
> Hmm...This sounds rather murky. What do you mean based on
> establishment of trust? If you mean an NSA is free to accept or
> reject another NSA's session on purely local whim (i.e. arbitrary
> local policy) then we should be specific and clear about it. (BTW-
> I actually agree with this:-)
Trust could be based on a simple thing as "administrative configuration"
or more extensive process?
Inder
>
> I presume then that there is a userid in the sessionSecurityID field
> somewhere? Can we spec this out in detail for the coders what the
> "user" authorization profile info will look like in the security
> attribute?
>
>> We really do not have the concept of a long duration session in the
>> NSI protocol. Each message exchange is a discrete event in which an
>> NSA can connect, authenticate, send, and tear down the transport.
> Ok, this makes me fidgety, but its not an issue at the moment.
>
> Thanks for elaborating...all is clearer now.
> Jerry
>>
>> John.
>>
>> On 2011-08-08, at 4:01 PM, Jerry Sobieski wrote:
>>
>>> John - this may be for you...
>>>
>>> In reviewing this issue on the RA/PA... I went looking at the UML
>>> doc Guy circulated as it is a bit easier to read than the raw WSDL...
>>>
>>> The messages all have the requesterNSAID and the providerNSAID
>>> fields, directly folowed by the "sessionSecurityID". This is the
>>> only field I see for security attributes.
>>>
>>> I thought our conclusion was that there would be two security
>>> layers: a NSA _/session/_ level authentication/authorization
>>> credentials, and a /_request_/ level authorization credential that
>>> would authorize the particular action requested relative to the
>>> resource or information context of the request. Does this
>>> sessionSecirity field do double duty authenticating the remote NSA
>>> *and* authorizing the particular service request?
>>>
>>> I trust the MTL to authenticate the messaging, as the NSI layer
>>> should never see messages from an unauthenticated NSA. But the NSI
>>> layer does need the authorization credentials in order to properly
>>> evaluate the primitive... The authorization of an NSI request is not
>>> an MTL function. So I am just a bit unsure how this field is
>>> planned to be used within the WSDL.
>>>
>>> Thoughts/Comments?
>>> Jerry
>>> _______________________________________________
>>> nsi-wg mailing list
>>> nsi-wg at ogf.org <mailto:nsi-wg at ogf.org>
>>> http://www.ogf.org/mailman/listinfo/nsi-wg
>>
> _______________________________________________
> nsi-wg mailing list
> nsi-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/nsi-wg
> ------------------------------------------------------------------------
>
> John MacAuley <mailto:john.macauley at surfnet.nl>
> August 8, 2011 4:38 PM
>
>
> Jerry,
>
> We delegated the issue of NSA-to-NSA authentication to the transport
> layer. We will also validate message integrity and that the message
> is coming form the expected NSA. NSA-to-NSA authorization is a local
> implementation issue based on the establishment of trust, however, I
> believe Mary's accepted proposal was to do user based authorization on
> each message using the user context provided in the security
> parameters. We really do not have the concept of a long duration
> session in the NSI protocol. Each message exchange is a discrete
> event in which an NSA can connect, authenticate, send, and tear down
> the transport.
>
> John.
>
>
>
> _______________________________________________
> nsi-wg mailing list
> nsi-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/nsi-wg
> ------------------------------------------------------------------------
>
> Jerry Sobieski <mailto:jerry at nordu.net>
> August 8, 2011 1:01 PM
>
>
> John - this may be for you...
>
> In reviewing this issue on the RA/PA... I went looking at the UML doc
> Guy circulated as it is a bit easier to read than the raw WSDL...
>
> The messages all have the requesterNSAID and the providerNSAID fields,
> directly folowed by the "sessionSecurityID". This is the only field
> I see for security attributes.
>
> I thought our conclusion was that there would be two security layers:
> a NSA _/session/_ level authentication/authorization credentials, and
> a /_request_/ level authorization credential that would authorize the
> particular action requested relative to the resource or information
> context of the request. Does this sessionSecirity field do double
> duty authenticating the remote NSA *and* authorizing the particular
> service request?
>
> I trust the MTL to authenticate the messaging, as the NSI layer should
> never see messages from an unauthenticated NSA. But the NSI layer
> does need the authorization credentials in order to properly evaluate
> the primitive... The authorization of an NSI request is not an MTL
> function. So I am just a bit unsure how this field is planned to be
> used within the WSDL.
>
> Thoughts/Comments?
> Jerry
> _______________________________________________
> nsi-wg mailing list
> nsi-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/nsi-wg
--
Inder Monga
510-486-6531
http://www.es.net
Follow us on Twitter: ESnetUpdates/Twitter <http://bit.ly/bisCAd>
Visit our blog: ESnetUpdates Blog <http://bit.ly/9lSTO3>
Facebook: ESnetUpdates/Facebook <http://bit.ly/d2Olql>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.ogf.org/pipermail/nsi-wg/attachments/20110808/66d000b0/attachment.html
More information about the nsi-wg
mailing list