xml-dev - Blended Authentication (AKA "Granular Access Control")

Blended Authentication (AKA "Granular Access Control")

[ Lists Home | Date Index | Thread Index ]

To: xml-dev@lists.xml.org
Subject: Blended Authentication (AKA "Granular Access Control")
From: "Chiusano Joseph" <chiusano_joseph@bah.com>
Date: Wed, 07 May 2003 09:05:15 -0400
Organization: BAH

I have a question regarding security, particularly authentication and
access control. My objective is to present a concept, and find out if
this concept is currently being implemented in any XML-based open
standards. The standards that I am familiar with (without listing them)
do not, according to my understanding, take into account this concept.

The concept is this: authentication of not only a user for access
control to a resource, but a combination of the user *and* a resource -
i.e. "blended authentication". For example, suppose that we have the
following very simple scenario of 2 users (USER1 and USER2) accessing a
system (SYSTEM A) that further accesses another system (SYSTEM B). It is
assumed that all access would be through Web services:

	    -----------		  -----------
           |           |         |           |
 USER1---->|	       |-------->|           |
	   |  SYSTEM   |         |  SYSTEM   |	
	   |     A     |         |     B     |
 USER2---->|	       |         |           |
 	   |	       |         |           |
  	    -----------           -----------

The above scenario indicates that both USER1 and USER2 are successfully
authenticated by SYSTEM A. However, when it is required that SYSTEM A
accesses SYSTEM B (perhaps for a database lookup), only USER1 is
authenticated to SYSTEM B. This is because the authentication by SYSTEM
B took into account not only USER1's credentials (X.509 cert, Kerberos
ticket, SAML assertion, etc.), but the fact that USER1 was accessing
SYSTEM B from SYSTEM A. So, USER2 may very well be authenticated to
access SYSTEM B from some other system - just not from SYSTEM A.

[Getting into implementation for a second] It appears that this type of
authentication could be enforced through some sort of security-related
extensions to WSDL, so that it can be controlled at a Service level.

Taking that one step further, such authentication could even be enforced
at the Operation level, Message level, etc.

Any thoughts/comments on this would be greatly welcome and appreciated.

Kind Regards,
Joe Chiusano
Booz | Allen | Hamilton

begin:vcard 
n:Chiusano;Joseph
tel;work:(703) 902-6923
x-mozilla-html:FALSE
url:www.bah.com
org:Booz | Allen | Hamilton;IT Digital Strategies Team
adr:;;8283 Greensboro Drive;McLean;VA;22012;
version:2.1
email;internet:chiusano_joseph@bah.com
title:Senior Consultant
fn:Joseph M. Chiusano
end:vcard

Follow-Ups:
- Re: [xml-dev] Blended Authentication (AKA "Granular Access Control")
  - From: Rich Salz <rsalz@datapower.com>
- Re: [xml-dev] Blended Authentication (AKA "Granular Access Control")
  - From: "W. E. Perry" <wperry@fiduciary.com>
- RE: [xml-dev] Blended Authentication (AKA "Granular Access Control")
  - From: "Cavnar-Johnson, John" <JCavnar-Johnson@sark.com>

Prev by Date: Re: [xml-dev] Some random noise on rational type systems for XML
Next by Date: Re: [xml-dev] IEEE Computer: "XML Raises Concerns" (Was Re: [xml-dev] XML Sucks)
Previous by thread: RE: [xml-dev] IEEE Computer: "XML Raises Concerns" (Was Re: [xml-dev] XML Sucks)
Next by thread: RE: [xml-dev] Blended Authentication (AKA "Granular Access Control")
Index(es):
- Date
- Thread