[OGSA-AUTHZ] Latest profile specs

Tom Scavo trscavo at gmail.com
Sun Dec 2 12:23:44 CST 2007


On Nov 28, 2007 1:38 PM, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
>
> i) why did you delete Identity Provider from being synonymous with
> Attribute Authority? If you think they are not technically equivalent
> can you say why.

An identity provider manages identity information for principals
(users).  An attribute authority asserts attributes about a subject.
The latter is what you want, I think.  In any event, the term
"identity provider" is not used in this document, so it need not be
defined.

> ii) I suggest changing Credential to Authorisation Credential, because
> as you point out, Credentials are a superset of signed attribute assertions.

A credential is information that is transferred from one entity to
another entity to establish a claimed identity.  See:

http://www.itu.int/rec/T-REC-X.800-199103-I/en

So when I think of "credential," I think of authentication.  Rather
than overload the word "credential," I believe it's better to use the
term "signed attribute assertion," but it's your call.

> iv) you ask how the CIS is different from an AA. They are clearly
> related. An AA is the authority behind the attribute assertions that are
> released, and it does not have to sign the attribute assertions that are
> issued. A CIS is a service of an AA, and it does have to sign the
> assertions.

That's not enough distinction to warrant a new term, I believe.

> In the grid we are only interested in digitally signed
> tokens (not symmetrically encrypted ones, MACed ones, or unsigned ones).

I disagree.  Our implementation, for example, does not require signed
assertions.  It requires mutual authentication, yes, but message-level
security is but one way to achieve that.

> So we introduce the CIS to show that it is signed attribute assertions
> that we are concerned with, and the CIS is the service of the AA that
> does this. We also need to have the converse validation service to the
> issuing service, hence the CVS. If we replace CIS by AA, then we should
> also replace CVS, perhaps by AVS.

I'm afraid I don't understand your point.  In any event, the use of
the word "credential" is misleading, I think.  On the other hand, the
word "attribute" is well understood, so why not use that?

> v) I think it's useful to keep the MS STS terminology in the document
> since some readers may already be familiar with this concept, and it
> gives them a handle on our terminology. It's also good to relate
> different terms together when they are talking about the same conceptual
> entities. This helps people figure out how all these disparate terms fit
> together (which is related to point i) above).

There already is a section on WS-Trust and the STS, which is fine.  I
don't think you need to add confusing parenthetical remarks in the
definitions, however.  Indeed, the phrase "synonymous with the
validation service of Microsoft's Security Token Service" is false,
since a CVS/CIS is not an STS.

Tom
