Mike

I can put a different slant on this, which is, the strength of authentication (and other factors such as location, time of day etc.) should be a component of authorisation decision making. For example, I logged in at an Internet cafe at midnight using un/pw and I want to delete an employee from the employee database. Access denied. I logged in using my PKI certificate and smart card from a computer in the administration department at 10am and I want to delete an employee from the employee database. Access granted.

So it is not too unreasonable to include the name of the CA in the authorisation decision making, once we accept that they are trusted to different levels. This is not too difficult to enforce with a general purpose authorisation PDP (in fact we are currently working on a project with Uni of Manchester to implement strength of authentication in authorisation decision making)

regards

David

Mike Helm wrote:
Frank Siebenlist writes:
Are you suggesting that we should keep the CA always with the DN for all the authorization decisions? (Essentially pushing the policy enforcement of name+CA to the authorization stage and throwing-in the towel as far as the pkix/x509 global-naming dream is concerned...)
Yes. To all.
As DC mentioned there is available to us a global naming strategy. It is not perfect and it has some side effects, but it can at least reduce some of the human confusion.
However, you still have to include the issuer in any decision, because you have to have some assurance that the binding was legitimate. We don't yet (won't ever?) have an a priori way of knowing that.
If not, or maybe not, or sometimes not, should we move to a model where the CAs remain in the authorization picture and asserted names should always be considered in the context of the issuer?
I think this is the safer of the 2 choices you offered.
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
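
Added example, not part of the original message and not code from the project it mentions: a minimal policy decision point in which a name is resolved only together with its issuer, and strength of authentication, location and time of day feed the decision. All CA names, DNs, assurance levels and rule values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

# Constructed policy data: every name, DN and level below is an assumption.
HIGH_CA = "CN=Example High Assurance CA,O=Example"
BASIC_CA = "CN=Example Basic CA,O=Example"
ISSUER_LOA = {HIGH_CA: 3, BASIC_CA: 1, "local-password-db": 1}
METHOD_LOA = {"password": 1, "x509-smartcard": 3}

# A name only identifies a principal in the context of its issuer.
PRINCIPALS = {
    (HIGH_CA, "CN=Alice,O=Example"): "alice",
    ("local-password-db", "alice"): "alice",
}
GRANTS = {"alice": {"delete_employee"}}
RULES = {"delete_employee": {"min_loa": 3, "locations": {"admin-dept"},
                             "hours": (time(8, 0), time(18, 0))}}

@dataclass(frozen=True)
class Request:
    issuer: str      # CA subject DN, or the password store for un/pw logins
    name: str        # subject DN or username as asserted by that issuer
    method: str
    location: str
    at: time
    action: str

def decide(req):
    """Return (decision, reason); anything not explicitly permitted is denied."""
    principal = PRINCIPALS.get((req.issuer, req.name))
    if principal is None:
        return ("Deny", "unknown issuer/name binding")
    rule = RULES.get(req.action)
    if rule is None or req.action not in GRANTS.get(principal, set()):
        return ("Deny", "action not granted")
    # Strength of authentication is capped by the trust placed in the issuer.
    loa = min(METHOD_LOA.get(req.method, 0), ISSUER_LOA.get(req.issuer, 0))
    if loa < rule["min_loa"]:
        return ("Deny", "authentication too weak")
    start, end = rule["hours"]
    if req.location not in rule["locations"] or not (start <= req.at < end):
        return ("Deny", "context not allowed")
    return ("Permit", "ok")
```

The same subject DN presented under a different CA does not resolve to the principal at all, which is the "name in the context of the issuer" model discussed in the quoted thread.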