[OGSA-AUTHZ] Draft XACML/SAML Protocol Profile
David Chadwick
d.w.chadwick at kent.ac.uk
Tue Dec 11 10:44:06 CST 2007
Hi Chad
concerning passing attribute assertions between entities
Chad La Joie wrote:
>
> For those that aren't subscribed to one of the many lists on which this
> issue has been brought up, let me outline the basics. These assertions
> carry potentially sensitive information about a user.
correct, so in this case they should be encrypted for the SP which is
the ultimate destination of the assertion.
> Most attribute
> authorities contain the ability to control the release of this
> information on a per-party basis (i.e. A can see/request the sensitive
> information but B may not). A service which passed the information it
> received onto another service circumvents the attribute authority and
> its policies.
This is not always so. For example, B may request the attribute
assertion from the AA in order to forward it to A (the SP). In this case
the AA will return the assertion to B, encrypted for A to read. B is
given the assertion to pass onto A, but B cannot read it, so there is
no circumvention of the AA's policy in this case.
regards
David
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
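As an added illustration of the forwarding case described in David's reply (this is example code written for this page, not from the OGSA-AUTHZ profile nor from any participant in the thread): a toy attribute authority checks its release policy against the intended recipient A, not against the requester B, and returns the assertion encrypted for A in a SAML-EncryptedAssertion-style hybrid envelope (fresh AES-256-GCM content key, wrapped with RSA-OAEP under A's public key). B can carry the envelope to A but cannot open it, and a request for an assertion readable by B itself is refused. The party names, the `ReleasePolicy` map and the `Envelope` layout are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a minimal stand-in for a SAML EncryptedAssertion: the assertion
// body is sealed under a fresh AES-256-GCM key, and that key is wrapped with
// RSA-OAEP so that only the named recipient can unwrap it. (Assumed layout.)
type Envelope struct {
	Recipient  string // entity the AA encrypted for (assumed SP identifier)
	WrappedKey []byte // content key encrypted to the recipient's RSA public key
	Nonce      []byte
	Ciphertext []byte
}

// AttributeAuthority holds a per-party release policy and the public keys of
// the parties it is willing to encrypt for. (Assumed structure.)
type AttributeAuthority struct {
	ReleasePolicy map[string]bool           // recipient -> may receive the attribute
	PublicKeys    map[string]*rsa.PublicKey // recipient -> encryption key
}

// IssueFor returns the assertion encrypted for recipient. The policy is
// evaluated against the recipient, so it does not matter who submits the
// request: the plaintext is only readable by the entity it is encrypted for.
func (aa *AttributeAuthority) IssueFor(recipient string, assertion []byte) (*Envelope, error) {
	if !aa.ReleasePolicy[recipient] {
		return nil, fmt.Errorf("release policy denies %q", recipient)
	}
	pub, ok := aa.PublicKeys[recipient]
	if !ok {
		return nil, fmt.Errorf("no encryption key known for %q", recipient)
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The recipient identifier is bound in as associated data (and as the OAEP
	// label), so a forwarder cannot re-label the envelope for another party.
	ct := gcm.Seal(nil, nonce, assertion, []byte(recipient))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(recipient))
	if err != nil {
		return nil, err
	}
	return &Envelope{Recipient: recipient, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is what the receiving SP does. Any party holding a different private
// key (the forwarding intermediary, for instance) gets an error, not plaintext.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte(env.Recipient))
	if err != nil {
		return nil, errors.New("cannot unwrap content key: not the intended recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Recipient))
	if err != nil {
		return nil, errors.New("assertion failed authentication")
	}
	return pt, nil
}

// Forward models intermediary B: it relays the envelope unchanged and unread.
func Forward(env *Envelope) *Envelope { return env }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	keyA, _ := rsa.GenerateKey(rand.Reader, 2048) // SP A, the ultimate destination
	keyB, _ := rsa.GenerateKey(rand.Reader, 2048) // intermediary B
	aa := &AttributeAuthority{
		ReleasePolicy: map[string]bool{"A": true, "B": false},
		PublicKeys:    map[string]*rsa.PublicKey{"A": &keyA.PublicKey, "B": &keyB.PublicKey},
	}
	env, err := aa.IssueFor("A", []byte("role=clinician")) // B requests, on A's behalf
	if err != nil {
		fmt.Println("AA refused:", err)
		return
	}
	_, errB := Open(env, keyB) // B tries to read what it is carrying
	ptA, errA := Open(Forward(env), keyA)
	fmt.Printf("B reads: %v\nA reads: %q (err=%v)\n", errB, ptA, errA)
	_, errSelf := aa.IssueFor("B", []byte("role=clinician")) // B asks for its own copy
	fmt.Println("AA on request for B:", errSelf)
}
```

Binding the recipient into the OAEP label and the GCM associated data is what stops B from rewriting `Recipient` to "B" and re-submitting the envelope: the wrapped key still only unwraps under A's private key, and the ciphertext only authenticates under the original label.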