xml-dev - Re: [xml-dev] Blended Authentication (AKA "Granular Access Control")

Re: [xml-dev] Blended Authentication (AKA "Granular Access Control")

[ Lists Home | Date Index | Thread Index ]

To: "Cavnar-Johnson John" <JCavnar-Johnson@sark.com>
Subject: Re: [xml-dev] Blended Authentication (AKA "Granular Access Control")
From: "Chiusano Joseph" <chiusano_joseph@bah.com>
Date: Thu, 08 May 2003 08:59:57 -0400
Cc: xml-dev@lists.xml.org
Organization: BAH
References: <200305081253.h48CrV0l008449@extser-1.bah.com>

The latter. Your approach makes total sense to me - I just needed to
stretch my thinking on this topic a bit further with respect to the
capabilities of WS-Trust and the policy-related GXA specifications (you
have helped me do that). 

So it sounds like the requirements in the original scenario can be
satisfied by WS-Trust and these policy-related GXA specifications, along
with mechanisms such as X.509 certs, SAML, Kerberos tickets, etc.

Thanks for your insight.

Joe Chiusano
Booz | Allen | Hamilton

"Cavnar-Johnson, John" wrote:
> 
> 
> 
> >
> > -----Original Message-----
> > From: Chiusano Joseph [mailto:chiusano_joseph@bah.com]
> > Sent: Wednesday, May 07, 2003 2:52 PM
> > To: Cavnar-Johnson, John
> > Cc: xml-dev@lists.xml.org
> >
> > <Quote1>
> > According to the WS-Trust spec, "a web service can require
> > that an incoming message prove a set of claims." These claims
> > are not limited merely to identity, but can include the
> > user's principal (or security
> > context)
> > </Quote1>
> >
> > Can you take this one step further and explain how this would
> > apply to the presented scenario? In other words, how would
> > the identity of SYSTEM A be brought into the picture
> > (allowing SYSTEM A to really be considered a "user")? And how
> > does it relate to the possibility of more granular security
> > at (for example) the WSDL Operation level?
> >
> 
> Do you want SYSTEM A to authenticate the user, or do you want the request to
> actually come from SYSTEM A? If the former, then this is exactly the
> brokered trust scenario.  If the latter, then you add a requirement to your
> policy that states the request must include a certificate from SYSTEM A as
> well as credentials for the user.
> 
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
> 
> The list archives are at http://lists.xml.org/archives/xml-dev/
> 
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>

begin:vcard 
n:Chiusano;Joseph
tel;work:(703) 902-6923
x-mozilla-html:FALSE
url:www.bah.com
org:Booz | Allen | Hamilton;IT Digital Strategies Team
adr:;;8283 Greensboro Drive;McLean;VA;22012;
version:2.1
email;internet:chiusano_joseph@bah.com
title:Senior Consultant
fn:Joseph M. Chiusano
end:vcard

Follow-Ups:
- Re: [xml-dev] Blended Authentication (AKA "Granular Access Control")
  - From: "W. E. Perry" <wperry@fiduciary.com>

Prev by Date: Re: [xml-dev] Blended Authentication (AKA "Granular Access Control")
Next by Date: Re: [xml-dev] xml:namespace
Previous by thread: RE: [xml-dev] Blended Authentication (AKA "Granular Access Control")
Next by thread: Re: [xml-dev] Blended Authentication (AKA "Granular Access Control")
Index(es):
- Date
- Thread