Re: Blended Authentication (AKA "Granular Access Control")
If I may ask, without I hope sounding too petulant: What does this cartelization (with a rigidity of rules, permissions, and hopelessly intertwined processes that even most colluders-in-restraint-of-trade would be loath to subject themselves to) have to do with distributed computing, web services, or loosely-coupled processes harnessed in cooperation to implement custom workflows? AFAIK we were not at work here on the bureaucratic blueprint for policies and procedures of interdepartmental cooperation in, say, the US federal government--or at least I didn't think that was what the operating standards of an open worldwide internetwork were supposed to resemble. In fact, I thought the point was that the epochal influence would go in the other direction: the success of lightweight, autonomous processes exploited for unanticipated functionality precisely because they were openly available should persuade the ossified hierarchs that adopting the new model was their only alternative to extinction.

Specific to this thread's questions of authentication: in a world of 'web services' (as opposed to top-down system-wide delegation of function) 'need to know' is a specious concern because the processing which produces data of a particular form is divorced from (and likely knows nothing of) downstream processes which make various uses of that data. Even when handling the 'same' data at various stages of what might appear to a particular observer as a pipeline, processes are separated from both the previous and the subsequent forms of that data and therefore from the particular semantics which might attach to that data in the execution of prior and of subsequent processes. IMHO this is as close as we will ever come to the separation of data from process--and it achieves that goal sufficiently to force us to reconsider what we mean by authentication and what it is precisely that we are trying to secure.

The sort of authentication which Messrs. Chiusano and Cavnar-Johnson are discussing is predicated on the semantics of given data being a) inherently deserving of protection or securing from untrusted eyes and b) remaining substantially identical as the data is passed from process to process or user to user. I argue that as the (most important, by far) consequence of a 'web services' design, both of these assumptions are demonstrably false. The concerns on which they are pontificating are therefore from a different realm than web services. Unfortunately, if such concerns are seriously discussed as material to the implementation of web services, there is the very real possibility that we may find ourselves thereby designing systems which, because of this crucial distinction, are not web services but which will be constrained to the sclerotic (and dare I say paranoid?) notions of security and authentication which this thread of discussion thus far evidences.

Respectfully,
Walter Perry

Chiusano Joseph wrote:

> The latter. Your approach makes total sense to me - I just needed to stretch my
> thinking on this topic a bit further with respect to the capabilities of
> WS-Trust and the policy-related GXA specifications (you have helped me do that).
>
> So it sounds like the requirements in the original scenario can be satisfied by
> WS-Trust and these policy-related GXA specifications, along with mechanisms such
> as X.509 certs, SAML, Kerberos tickets, etc.