On Nov 28, 2007 1:38 PM, David Chadwick <d.w.chadwick@kent.ac.uk> wrote:
> i) why did you delete Identity Provider from being synonymous with Attribute Authority? If you think they are not technically equivalent can you say why.
An identity provider manages identity information for principals (users). An attribute authority asserts attributes about a subject. The latter is what you want, I think. In any event, the term "identity provider" is not used in this document, so it need not be defined.
> ii) I suggest changing Credential to Authorisation Credential, because as you point out, Credentials are a superset of signed attribute assertions.
A credential is information that is transferred from one entity to another entity to establish a claimed identity. See: http://www.itu.int/rec/T-REC-X.800-199103-I/en

So when I think of "credential," I think of authentication. Rather than overload the word "credential," I believe it's better to use the term "signed attribute assertion," but it's your call.
> iv) you ask how the CIS is different from an AA. They are clearly related. An AA is the authority behind the attribute assertions that are released, and it does not have to sign the attribute assertions that are issued. A CIS is a service of an AA, and it does have to sign the assertions.
That's not enough distinction to warrant a new term, I believe.
> In the grid we are only interested in digitally signed tokens (not symmetrically encrypted ones, MACed ones, or unsigned ones).
I disagree. Our implementation, for example, does not require signed assertions. It requires mutual authentication, yes, but message-level security is but one way to achieve that.
> So we introduce the CIS to show that it is signed attribute assertions that we are concerned with, and the CIS is the service of the AA that does this. We also need to have the converse validation service to the issuing service, hence the CVS. If we replace CIS by AA, then we should also replace CVS, perhaps by AVS.
I'm afraid I don't understand your point. In any event, the use of the word "credential" is misleading, I think. On the other hand, the word "attribute" is well understood, so why not use that?
> v) I think it's useful to keep the MS STS terminology in the document since some readers may already be familiar with this concept, and it gives them a handle on our terminology. It's also good to relate different terms together when they are talking about the same conceptual entities. This helps people figure out how all these disparate terms fit together. (which is related to point i) above)
There already is a section on WS-Trust and the STS, which is fine. I don't think you need to add confusing parenthetical remarks in the definitions, however. Indeed, the phrase "synonymous with the validation service of Microsoft's Security Token Service" is false, since a CVS/CIS is not an STS.

Tom