[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: Blended Authentication (AKA "Granular Access Control")

• To: Rich Salz <rsalz@d...>
• Subject: Re: Blended Authentication (AKA "Granular Access Control")
• From: "Chiusano Joseph" <chiusano_joseph@b...>
• Date: Wed, 07 May 2003 11:05:48 -0400
• Cc: xml-dev@l...
• Organization: BAH
• References: <3EB9048B.87D3964E@b...> <3EB910ED.7010103@d...>

<Quote>
User1 authenticates to A and "delegates" its rights so that A can
present its rights, and the delegated User1 rights to B. 
</Quote>

That works well from the perspective of A (the sender side) because it
asserts that A has the proper claims to access B (this appears to me to
be more of a "push" method). But what if B does not consider A to be a
valid user? How can B enforce this?

Also, what about a more granular level, such as at a WSDL Operation or
Message level?

Kind Regards,
Joe Chiusano
Booz | Allen | Hamilton

Rich Salz wrote:
> 
> >
> >
> >The concept is this: authentication of not only a user for access
> >control to a resource, but a combination of the user *and* a resource -
> >
> 
> This is called delegation. System A is an active participant -- it is a
> security entity of its own.  User1 authenticates to A and "delegates"
> its rights so that A can present its rights, and the delegated User1
> rights to B. OSF DCE has rich delegation; COM has limited (IIRC just the
> limited case of full delegation, which is really impersonation); Corba,
> based on the DCE Security model, is closer to DCE's capabilities.  XACML
> and SAML have many OSF DCE alumni on them, so those standards should
> have enough hooks to support delegation, even if it wasn't explicitly
> part of their baseline specs.
> 
> (I just updated Mozilla; apologies if this comes out at HTML)
>     /r$

begin:vcard 
n:Chiusano;Joseph
tel;work:(703) 902-6923
x-mozilla-html:FALSE
url:www.bah.com
org:Booz | Allen | Hamilton;IT Digital Strategies Team
adr:;;8283 Greensboro Drive;McLean;VA;22012;
version:2.1
email;internet:chiusano_joseph@b...
title:Senior Consultant
fn:Joseph M. Chiusano
end:vcard

• Follow-Ups:
  • Re: Blended Authentication (AKA "Granular Access Control")
    • From: Rich Salz <rsalz@d...>
  • RE: Blended Authentication (AKA "Granular Access Control")
    • From: "Cavnar-Johnson, John" <JCavnar-Johnson@s...>

• References:
  • Blended Authentication (AKA "Granular Access Control")
    • From: "Chiusano Joseph" <chiusano_joseph@b...>
  • Re: Blended Authentication (AKA "Granular Access Control")
    • From: Rich Salz <rsalz@d...>

• Prev by Date: Re: Blended Authentication (AKA "Granular Access Control")
• Next by Date: RE: Blended Authentication (AKA "Granular Access Control")
• Previous by thread: Re: Blended Authentication (AKA "Granular Access Control")
• Next by thread: RE: Blended Authentication (AKA "Granular Access Control")
• Index(es):
  • Date
  • Thread