More than 3 weeks have gone by now without any reactions to Von's reply: I suggest to update the AuthZ requirements document with the additional bullet item as suggested by Von below and then move it on to editor for publication. /Olle On Dec 21, 2005, at 23:10, Von Welch wrote:
[]Should the user authenticate to the Authorization service before submitting "AUTHORIZATION DECISION REQUEST" to the authorization service or should the authentication be a part of the request. We dont want someone requesting on others behalf. I guess this is related to the push mode.
I agree that authorization services should have some notion of policy in regards to whom can request policy decisions. How about added a new bullet to this section (section 5):
* Access Control to Authorization Decisions: For reasons of security and privacy, authorization services should be capable of enforcing access control on who can request authorization decisions. In the simplest incarnation, authorization services should be configurable so that they only answer queries from a set of trusted target resources. More complex implementations could allow for finer-grained policy based on the initiator and request. Some implementations may even want to require proof of that an initiator requested an action in order to authorize it.