   RE: [xml-dev] Blended Authentication (AKA "Granular Access Control")


 

> 
> -----Original Message-----
> From: Chiusano Joseph [mailto:chiusano_joseph@bah.com] 
> Sent: Wednesday, May 07, 2003 10:31 AM
> To: Cavnar-Johnson, John
> Cc: xml-dev@lists.xml.org
> 
> Thanks John. I am actually very familiar with the WS-Trust 
> specification [1] (only mentioning my article so you can 
> understand my background).
> WS-Trust involves parties exchanging security credentials 
> that are based on existing mechanisms (X.509 cert, SAML 
> assertion, Kerberos ticket, XrML license, etc.). All of these 
> mechanisms are based on "single-component" claims - that is, 
> a single user, a single resource, etc. The concepts I am 
> presenting are based on "multiple-component"
> claims - that is, involving a user *and* a resource (such as 
> a Web service), or even more finely grained such as a user 
> and a resource and an Operation (in WSDL sense) on that resource.

I guess I don't understand your scenario.  According to the WS-Trust spec,
"a web service can require that an incoming message prove a set of claims."
These claims are not limited merely to identity, but can include the user's
principal (or security context).  I thought that clearly encompassed your
scenario (i.e. you can require me to prove my identity and that I have
successfully executed a particular operation on a resource). What is
different in your scenario from what the WS-Trust spec calls "brokered
trust"?
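The thread contrasts "single-component" claims (a user identity on its own) with a claim set that binds a user, a resource and an operation together, and asks how that differs from a WS-Trust issuer vouching for claims a service requires. The following is an added illustration written for this archive page, not code from either correspondent or from the WS-Trust specification: a toy issuer signs a claim set covering subject, resource and operation, and a relying service accepts a request only when every one of those bound claims matches what is being invoked. The token layout, the claim names (`sub`, `res`, `op`, `exp`), the HMAC construction and the shared key are assumptions of this example; real deployments carry such claims in SAML or WS-Security tokens.

```python
"""Added example for this archive page: a toy issuer / relying-service
exchange modelled on the WS-Trust pattern discussed in the thread.  Not the
specification's wire format and not either author's code; token layout,
claim names and the HMAC key are assumptions made here."""
import hmac, hashlib, json, time

# Constructed shared key between the issuer (STS) and the relying service.
ISSUER_KEY = b"constructed-demo-key"

def _sign(payload: dict, key: bytes) -> str:
    # Canonical JSON so issuer and verifier hash identical bytes.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def issue_token(subject, resource, operation, key=ISSUER_KEY, lifetime=300, now=None):
    """Issuer: bind subject, resource and operation into one signed claim set
    (the 'multiple-component' claim the thread describes)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "res": resource, "op": operation,
              "exp": int(now + lifetime)}
    return {"claims": claims, "sig": _sign(claims, key)}

def verify_request(token, resource, operation, key=ISSUER_KEY, now=None):
    """Relying service: require that the presented token proves every claim
    the service needs for *this* resource and *this* operation.  Returns
    (accepted, subject-or-reason)."""
    now = time.time() if now is None else now
    claims = token.get("claims", {})
    expected = _sign(claims, key)
    # Check integrity first so later decisions rest on untampered claims.
    if not hmac.compare_digest(expected, token.get("sig", "")):
        return (False, "bad signature")
    if claims.get("exp", 0) < now:
        return (False, "expired")
    if claims.get("res") != resource:
        return (False, "token not bound to this resource")
    if claims.get("op") != operation:
        return (False, "token not bound to this operation")
    return (True, claims["sub"])

def demo():
    """Exercise the binding with constructed values and a fixed clock."""
    t0 = 1_000_000
    tok = issue_token("alice", "urn:svc:orders", "GetOrder", now=t0)
    results = {
        "matching": verify_request(tok, "urn:svc:orders", "GetOrder", now=t0 + 10),
        "other_operation": verify_request(tok, "urn:svc:orders", "CancelOrder", now=t0 + 10),
        "other_resource": verify_request(tok, "urn:svc:billing", "GetOrder", now=t0 + 10),
        "expired": verify_request(tok, "urn:svc:orders", "GetOrder", now=t0 + 1000),
    }
    # Rewriting a claim without re-signing must fail the integrity check.
    tampered = {"claims": dict(tok["claims"], op="CancelOrder"), "sig": tok["sig"]}
    results["tampered"] = verify_request(tampered, "urn:svc:orders", "CancelOrder", now=t0 + 10)
    return results

if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}: {detail}")
```

The point of the example is the binding: because resource and operation are signed into the same claim set as the identity, a token issued for `GetOrder` on one service is rejected when presented for another operation or another resource, and altering a claim after issuance invalidates the signature. Whether that is "brokered trust" or something new is exactly the question the reply raises; the code only shows what the bound claim set buys the relying service.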


Copyright 2001 XML.org. This site is hosted by OASIS