[OGSA-AUTHZ] Next Telecon
Blair Dillaway
blaird at microsoft.com
Wed Nov 1 17:26:59 CST 2006
David,
I'm not sure I fully understand this proposal, but a couple of things came to mind. Hope you find these comments useful.
> Each of these 3 interfaces could be APIs or open protocols.
I think it would be a good idea to clarify if the WG plans to produce APIs, protocols, or both. One typically doesn't find the same data encodings used in protocol wire-formats and APIs.
> 1. PEP-Context Handler. PEP→CH, the authenticated name of
> the user, the credentials of the user (optional) and the
> user’s access request.
> CH→PEP, the authorization decision.
>
> 2. Context Handler-CVS. CH→CVS, the authenticated name of the
> user, the credentials of the user (optional). CVS→CH, the
> validated attributes of the user.
>
> 3. Context Handler-PDP. CH→PDP, the authenticated name of the
> user, the validated attributes of the user and the user’s
> access request. PDP→CH, the authorization decision.
>
> If credentials can be packaged as attributes, then only two
> protocols need to be standardised, namely 1/3 and 2.
I believe you're saying you want to treat 'validated attributes' and credentials the same way for all 3 APIs/protocols? This may be all right in this context, but one should ask if this beneficial for implementors. I haven't fully thought this through, but it might increase decoding and error handling complexity.
The proposal suggests 'tunneling' of SAML credentials inside a SAML attribute. You'd need to clearly specify the processing rules. For example, if the endpoint is expecting user attributes and receive a SAML credential are they supposed to decode the credential and pull out any included attributes?
Finally, your mail seems to indicate a need to define, and get agreement on, new SAML attribute types. Adopting the WS* defined approach for security token encoding may be an easier path.
Regards,
Blair Dillaway
> -----Original Message-----
> From: ogsa-authz-wg-bounces at ogf.org
> [mailto:ogsa-authz-wg-bounces at ogf.org] On Behalf Of David Chadwick
> Sent: Tuesday, October 31, 2006 3:57 AM
> To: OGSA AUTHZ WG
> Subject: [OGSA-AUTHZ] Next Telecon
>
> Dear WG
>
> the next telecon is scheduled for Wed 8 November. I believe
> that the "Functional Components of Grid Service Provider
> Authorisation Service Middleware" document is now complete. I
> would us like to confirm that we are broadly happy with this
> model at the telecon, and then move onto the more important
> work, which is to define the protocols/profiles necessary to
> implement this model. The latest document describes three
> interfaces that are candidates for standardisation, namely:
>
> 1. one for the context handler talking to the PEP,
>
> 2. a second for the context handler talking to the CVS and
>
> 3. a third for the context handler talking to the PDP.
>
> Each of these 3 interfaces could be APIs or open protocols.
> As specified in the Functional Components document, the
> functionality required of the three interfaces is as follows:
>
> 1. PEP-Context Handler. PEP→CH, the authenticated name of
> the user, the credentials of the user (optional) and the
> user’s access request.
> CH→PEP, the authorization decision.
>
> 2. Context Handler-CVS. CH→CVS, the authenticated name of the
> user, the credentials of the user (optional). CVS→CH, the
> validated attributes of the user.
>
> 3. Context Handler-PDP. CH→PDP, the authenticated name of the
> user, the validated attributes of the user and the user’s
> access request. PDP→CH, the authorization decision.
>
> I would like to make the following proposal for discussion at
> the next telecon.
>
> If credentials can be packaged as attributes, then only two
> protocols need to be standardised, namely 1/3 and 2.
>
> This is not so radical. It is already a feature of our
> existing SAML profile, and it has been successfully
> implemented by at least 4 implementations that I know of (GT,
> Permis, Primea, OMII(UK)). So I dont see any problem in this.
>
> Here is how it works.
>
> In XACML, an attribute is currently defined as an attribute
> ID, a data type and a value. The contents of all 3 are
> transparent to the protocol and are carried as XML strings.
> So essentially they can contain anything. When we package a
> credential as an attribute, we simply define a new attribute
> ID and data type to represent the credential and the value is
> then the string encoding of the credential.
>
> So to pass the following within the same protocol as
> attributes we do the following.
>
> 1. An Attribute, e.g.
> AT ID=role DT=string AV=student, sent as usual with no
> modifications <Attribute
> AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
> DataType="http://www.w3.org/2001/XMLSchema#string">
> <AttributeValue>student</AttributeValue>
> </Attribute>
>
> 2. An X.509 attribute certificate credential in which AT
> ID=X.509AC DT=BER AV=<some BER>, AT is sent as <Attribute
> AttributeId="://www.ieft.org/rfc/rfc2256.txt#
> attributeCertificateAttribute"
> the value is base64 encoded into a string, and the DT is
> either string or Base64 string (if this exists)
>
> 3. A SAML Attribute Assertion credential AT ID=SAML Attribute
> Assertion DT=XML AV=<SAML AA XML>, we need to define an
> attribute ID for a SAML Attribute Assertion (unless this
> already exists), the DT is string, and then we send the value
> enclosed in speech marks " "
>
> 4. An X.509 Public Key certificate with Subject Directory
> Attributes credential. Send in the same way as an X.509 AC,
> except that ID is userCertificate.
>
> I should like the above to form a major topic for discussion
> at the telecon. If we can agree on this, it makes the
> standardisation work 30% easier!!
>
> regards
>
> David
>
>
>
>
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security The Computing
> Laboratory, University of Kent, Canterbury, CT2 7NF Skype
> Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick at kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://sec.cs.kent.ac.uk Entrust key
> validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5
>
> *****************************************************************
> --
> ogsa-authz-wg mailing list
> ogsa-authz-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>
More information about the ogsa-authz-wg
mailing list