[OGSA-AUTHZ] Comments on ogsi authz requirement document

Olle Mulmo mulmo at pdc.kth.se
Fri Jan 13 13:42:39 CST 2006


More than 3 weeks have gone by now without any reactions to Von's
reply: I suggest updating the AuthZ requirements document with the
additional bullet item as suggested by Von below and then moving it on
to the editor for publication.

/Olle

On Dec 21, 2005, at 23:10, Von Welch wrote:

>>
>> []Should the user authenticate to the Authorization service before
>> submitting "AUTHORIZATION DECISION REQUEST" to the authorization
>> service, or should the authentication be a part of the request? We
>> don't want someone requesting on others' behalf. I guess this is
>> related to the push mode.
>
> I agree that authorization services should have some notion of
> policy in regard to who can request policy decisions. How about
> adding a new bullet to this section (section 5):
>
>  * Access Control to Authorization Decisions: For reasons of
> security and privacy, authorization services should be capable of
> enforcing access control on who can request authorization
> decisions. In the simplest incarnation, authorization services
> should be configurable so that they only answer queries from a set
> of trusted target resources. More complex implementations could
> allow for finer-grained policy based on the initiator and request.
> Some implementations may even want to require proof that an
> initiator requested an action in order to authorize it.
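
Added example, not part of the original thread or of the requirements document: a Python sketch of a decision point that applies the three levels named in the proposed bullet (trusted target resources, per-initiator query policy, proof of request) before it evaluates the access policy. All identities, policies and keys are constructed, the function and field names are hypothetical, and the HMAC check is an assumed stand-in for a signature made by the initiator.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample configuration; every name and key here is hypothetical.
TRUSTED_RESOURCES = {"CN=storage.example.org", "CN=compute.example.org"}
# Finer-grained policy: the initiators each target resource may ask about.
QUERY_POLICY = {"CN=storage.example.org": {"CN=alice", "CN=bob"},
                "CN=compute.example.org": {"CN=alice"}}
# Keys for checking proof of request (assumed stand-in for a signature).
INITIATOR_KEYS = {"CN=alice": b"alice-demo-key", "CN=bob": b"bob-demo-key"}
# The access policy that decisions are drawn from.
ACCESS_POLICY = {("CN=alice", "read", "/data/set1"),
                 ("CN=bob", "read", "/data/set1")}

@dataclass(frozen=True)
class DecisionRequest:
    requester: str      # authenticated caller, e.g. from a mutual-TLS session
    initiator: str      # the user the decision is about
    action: str
    target: str
    proof: bytes = b""  # initiator's MAC over (initiator, action, target)

def _mac(key, initiator, action, target):
    msg = "\n".join((initiator, action, target)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def sign_request(initiator, action, target):
    """What the initiator would attach when asking the resource for an action."""
    return _mac(INITIATOR_KEYS[initiator], initiator, action, target)

def decide(req, require_proof=False):
    # "Refused" is distinct from "Deny": a refused caller learns nothing
    # about the access policy itself.
    if req.requester not in TRUSTED_RESOURCES:            # simplest incarnation
        return "Refused"
    if req.initiator not in QUERY_POLICY.get(req.requester, set()):
        return "Refused"                                  # finer-grained policy
    if require_proof:                                     # proof of request
        key = INITIATOR_KEYS.get(req.initiator)
        if key is None:
            return "Refused"
        expected = _mac(key, req.initiator, req.action, req.target)
        if not hmac.compare_digest(expected, req.proof):
            return "Refused"
    triple = (req.initiator, req.action, req.target)
    return "Permit" if triple in ACCESS_POLICY else "Deny"
```

The requester field is assumed to be filled in by the transport layer after authentication, never taken from the request body.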