[OGSA-AUTHZ] Comments on ogsi authz requirement document
Olle Mulmo
mulmo at pdc.kth.se
Fri Jan 13 13:42:39 CST 2006
More than 3 weeks have gone by now without any reactions to Von's
reply: I suggest to update the AuthZ requirements document with the
additional bullet item as suggested by Von below and then move it on
to editor for publication.
/Olle
On Dec 21, 2005, at 23:10, Von Welch wrote:
>>
>> Should the user authenticate to the Authorization service before
>> submitting an "AUTHORIZATION DECISION REQUEST" to the authorization
>> service, or should the authentication be a part of the request? We
>> don't want someone requesting on others' behalf. I guess this is
>> related to the push mode.
>
> I agree that authorization services should have some notion of
> policy with regard to who can request policy decisions. How about
> adding a new bullet to this section (section 5):
>
> * Access Control to Authorization Decisions: For reasons of
> security and privacy, authorization services should be capable of
> enforcing access control on who can request authorization
> decisions. In the simplest incarnation, authorization services
> should be configurable so that they only answer queries from a set
> of trusted target resources. More complex implementations could
> allow for finer-grained policy based on the initiator and request.
> Some implementations may even want to require proof that an
> initiator requested an action in order to authorize it.
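
The three levels in the proposed bullet, sketched as an added example that is not part of the thread or of any OGSA document: a decision service that checks who is asking before it consults policy. The identities, keys, policy entries, the `REFUSED` outcome and the use of an HMAC as the initiator's proof are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data: every name, key and policy entry here is hypothetical.
TRUSTED_RESOURCES = {"CN=storage.example.org", "CN=compute.example.org"}
# Finer-grained rule: the initiators each trusted resource may ask about.
QUERY_SCOPE = {"CN=storage.example.org": {"CN=alice", "CN=bob"},
               "CN=compute.example.org": {"CN=alice"}}
# Per-initiator keys; an HMAC stands in for a real signature (assumption).
INITIATOR_KEYS = {"CN=alice": b"alice-demo-key", "CN=bob": b"bob-demo-key"}
# The access policy that decisions are made from.
ACCESS_POLICY = {("CN=alice", "read", "/data/a"), ("CN=bob", "read", "/data/b")}

@dataclass(frozen=True)
class DecisionRequest:
    requester: str      # authenticated caller identity, e.g. from mutual TLS
    initiator: str      # subject the decision is about
    action: str
    resource: str
    proof: bytes = b""  # initiator's MAC over the requested action, if any

def _mac(key, req):
    msg = "\n".join((req.initiator, req.action, req.resource)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def sign_request(req):
    """Initiator side: return a copy of req carrying proof of the request."""
    return DecisionRequest(req.requester, req.initiator, req.action,
                           req.resource, _mac(INITIATOR_KEYS[req.initiator], req))

def decide(req, require_proof=False):
    """Return PERMIT/DENY, or REFUSED when the caller may not ask at all."""
    # Simplest form: answer only a configured set of trusted target resources.
    if req.requester not in TRUSTED_RESOURCES:
        return "REFUSED"
    # Finer-grained: limit which initiators this requester may query.
    if req.initiator not in QUERY_SCOPE.get(req.requester, set()):
        return "REFUSED"
    # Strictest: require proof that the initiator asked for this action.
    if require_proof:
        key = INITIATOR_KEYS.get(req.initiator)
        if key is None or not hmac.compare_digest(_mac(key, req), req.proof):
            return "REFUSED"
    # Policy is consulted only after the caller is cleared, so REFUSED
    # reveals nothing about what the initiator is allowed to do.
    allowed = (req.initiator, req.action, req.resource) in ACCESS_POLICY
    return "PERMIT" if allowed else "DENY"
```
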