[OGSA-AUTHZ] Latest profile specs
Tom Scavo
trscavo at gmail.com
Sun Dec 2 12:23:44 CST 2007
On Nov 28, 2007 1:38 PM, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
>
> i) why did you delete Identity Provider from being synonymous with
> Attribute Authority? If you think they are not technically equivalent
> can you say why.
An identity provider manages identity information for principals
(users). An attribute authority asserts attributes about a subject.
The latter is what you want, I think. In any event, the term
"identity provider" is not used in this document, so it need not be
defined.
> ii) I suggest changing Credential to Authorisation Credential, because
> as you point out, Credentials are a superset of signed attribute assertions.
A credential is information that is transferred from one entity to
another entity to establish a claimed identity. See:
http://www.itu.int/rec/T-REC-X.800-199103-I/en
So when I think of "credential," I think of authentication. Rather
than overload the word "credential," I believe it's better to use the
term "signed attribute assertion," but it's your call.
> iv) you ask how the CIS is different from an AA. They are clearly
> related. An AA is the authority behind the attribute assertions that are
> released, and it does not have to sign the attribute assertions that are
> issued. A CIS is a service of an AA, and it does have to sign the
> assertions.
That's not enough distinction to warrant a new term, I believe.
> In the grid we are only interested in digitally signed
> tokens (not symmetrically encrypted ones, MACed ones, or unsigned ones).
I disagree. Our implementation, for example, does not require signed
assertions. It requires mutual authentication, yes, but message-level
security is but one way to achieve that.
> So we introduce the CIS to show that it is signed attribute assertions
> that we are concerned with, and the CIS is the service of the AA that
> does this. We also need to have the converse validation service to the
> issuing service, hence the CVS. If we replace CIS by AA, then we should
> also replace CVS, perhaps by AVS.
I'm afraid I don't understand your point. In any event, the use of
the word "credential" is misleading, I think. On the other hand, the
word "attribute" is well understood, so why not use that?
> v) I think it's useful to keep the MS STS terminology in the document
> since some readers may already be familiar with this concept, and it
> gives them a handle on our terminology. It's also good to relate
> different terms together when they are talking about the same conceptual
> entities. This helps people figure out how all these disparate terms fit
> together. (This is related to point i) above.)
There already is a section on WS-Trust and the STS, which is fine. I
don't think you need to add confusing parenthetical remarks in the
definitions, however. Indeed, the phrase "synonymous with the
validation service of Microsoft's Security Token Service" is false,
since a CVS/CIS is not an STS.
Tom