[ogsa-wg] [OGSA-AUTHZ] [ogsa-authn-bof] Notes from Joint OGSA WG AuthN/AuthZ call

Tom Scavo trscavo at gmail.com
Tue Jun 26 12:37:40 CDT 2007


Hi David,

I'll try to avoid diving into the details too soon. :-)  Some general
comments below.

Tom

On 6/26/07, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
>
> Tom Scavo wrote:
>
> > I recently learned about a project in EU that is binding XACML to
> > X.509, so perhaps we need a more general X.509 Binding for XML with
> > separate profiles for SAML, XACML, and so forth.
>
> Do you have the name of this project? It's not EGEE, is it?

http://www.rrzn.uni-hannover.de/ubp.html

> > Once we have a standard X.509 Binding,
>
> and the purpose of this would be to remove the use of SSL/TLS?? and to
> bind at the application layer rather than the transport layer?

A SAML-laden certificate can be used for TLS client authentication or
message-level security (via WSS X.509 Token Profile).

> > we can profile attribute-based
> > authz using both pushed and pulled SAML assertions.  We've implemented
> > a prototype along these lines and numerous issues have come up, which
> > need vetting and further discussion.
>
> When you say SAML assertions, this is too generic, since there are three
> types of assertions. Which ones do you mean?

There are an infinite number of assertions.  I think you're referring
to SAML statements.  The current prototype transmits
AuthenticationStatement and AttributeStatement.  The plan is to
combine the functionality of CAS and GridShib, at which time all three
statement types come into play.

Not sure why you're so concerned about statement types.  An X.509
Binding for SAML Assertions does care much about the payload.  (First
we have to specify *how* to bind, then we can talk about *what* :)

Tom
