[OGSA-AUTHZ] Comments on ogsi authz requirement document
Von Welch
vwelch at ncsa.uiuc.edu
Sat Jan 14 20:39:49 CST 2006
I've made the change and uploaded the new document (-03) to
gridforge (both under the workgroup page and the editor's tracker).
Von
On Jan 13, 2006, at 1:42 PM, Olle Mulmo wrote:
>
> More than 3 weeks have gone by now without any reactions to Von's
> reply: I suggest updating the AuthZ requirements document with the
> additional bullet item as suggested by Von below and then moving it
> on to the editor for publication.
>
> /Olle
>
> On Dec 21, 2005, at 23:10, Von Welch wrote:
>
>>>
>>> []Should the user authenticate to the Authorization service
>>> before submitting
>>> "AUTHORIZATION DECISION REQUEST" to the authorization service or
>>> should the authentication be a part of the request? We don't want
>>> someone requesting
>>> on others' behalf. I guess this is related to the push mode.
>>
>> I agree that authorization services should have some notion of
>> policy with regard to who can request policy decisions. How about
>> adding a new bullet to this section (section 5):
>>
>> * Access Control to Authorization Decisions: For reasons of
>> security and privacy, authorization services should be capable of
>> enforcing access control on who can request authorization
>> decisions. In the simplest incarnation, authorization services
>> should be configurable so that they only answer queries from a set
>> of trusted target resources. More complex implementations could
>> allow for finer-grained policy based on the initiator and request.
>> Some implementations may even want to require proof that an
>> initiator requested an action in order to authorize it.
>
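The three levels of control named in the proposed bullet, sketched as an added example that is not part of the original thread or of the requirements document. All host names, keys and policies are constructed, and the HMAC stands in for whatever signed proof a real deployment would use.

```python
import hashlib
import hmac

# Constructed sample data: every name, key and policy here is hypothetical.
TRUSTED_RESOURCES = {"gridftp.example.org", "compute.example.org"}
# Finer-grained policy: which actions each trusted resource may ask about.
QUERY_POLICY = {
    "gridftp.example.org": {"read", "write"},
    "compute.example.org": {"submit"},
}
INITIATOR_KEYS = {"alice": b"constructed-demo-key-alice"}
# The access policy the service actually evaluates: (initiator, resource, action).
ACCESS_POLICY = {("alice", "gridftp.example.org", "read")}


def initiator_proof(key, initiator, resource, action):
    """MAC binding the initiator to one specific resource and action."""
    msg = "\x00".join((initiator, resource, action)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def decide(requester, initiator, action, proof=None, require_proof=False):
    """Answer an authorization decision request.

    `requester` is the already-authenticated identity of the caller (for
    example, from a mutually authenticated channel), never a value the
    caller asserts about itself. The requester is also the target resource.
    """
    # 1. Simplest incarnation: only trusted target resources may query.
    if requester not in TRUSTED_RESOURCES:
        return "REFUSED: requester not trusted"
    # 2. Finer-grained: limit which requests this requester may ask about.
    if action not in QUERY_POLICY[requester]:
        return "REFUSED: query not allowed for requester"
    # 3. Optional: proof that the initiator really requested this action.
    if require_proof:
        key = INITIATOR_KEYS.get(initiator)
        expected = key and initiator_proof(key, initiator, requester, action)
        if not (expected and proof and hmac.compare_digest(expected, proof)):
            return "REFUSED: missing or invalid initiator proof"
    # Only now is the access policy itself consulted, so a refused caller
    # learns nothing about whether the initiator would have been permitted.
    ok = (initiator, requester, action) in ACCESS_POLICY
    return "PERMIT" if ok else "DENY"
```

A refusal is kept distinct from DENY so that callers who are not allowed to query cannot use the service to probe other users' permissions.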