Your comments on Func Components
Hi Richard,

Thanks for your comments. I am making an update that takes your comments into account.

i) title change accepted
ii) the difference between IDP and AA is an interesting one which Tom also raised. I think we need more discussion about this in the whole group to agree upon this issue
iii) I have added a definition of attribute "Attribute is a property of an entity". Nice and simple, and all encompassing :-)
iv) I have clarified credential to authorisation credential. An AC and a signed SAML assertion are both authorisation credentials.
v) I have removed the capabilities text.
vi) deleted "mode of"
vii) I have put the defn in alphabetical order
viii) added "when making a decision" to clarify how unacceptable credentials are ignored.
ix) users present authorisation credentials, not attributes, since the latter cannot be trusted. The CVS turns the former into the latter.
x) minor editorials all accepted.

thanks

David

--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
On 11/28/07, David Chadwick <d.w.chadwick@kent.ac.uk> wrote:
iii) I have added a definition of attribute "Attribute is a property of an entity". Nice and simple, and all encompassing :-)
I think this defines what might be called "metadata." Recently, we defined "attribute" as follows:

An attribute is information asserted in a secure manner by a trusted source, used for access control.

I think the key is "used for access control." This is what distinguishes attributes from other kinds of data.

Tom
Hi Tom,

I am happy to add "used for access control" in the context of our document, but not secure manner or trusted source, because this is not true in all cases. Part of our model is to make sure that we only use trusted attributes because the ones that are asserted may have been done insecurely or may not be trusted (see our other definitions). The role of the CVS in our model is to make sure that only the secure and trusted attributes are filtered out for use, whilst the others are discarded. If we define attributes as secure and trusted then there cannot be other attributes to be discarded (by definition). Then there is no point in having a CVS, its functionality is redundant.

However if you are talking from an XACML perspective then your definition is OK, since by the time the attributes are received by the XACML PDP they are already secure and trusted.

regards

David

Tom Scavo wrote:
On 11/28/07, David Chadwick <d.w.chadwick@kent.ac.uk> wrote:
iii) I have added a definition of attribute "Attribute is a property of an entity". Nice and simple, and all encompassing :-)
I think this defines what might be called "metadata." Recently, we defined "attribute" as follows:
An attribute is information asserted in a secure manner by a trusted source, used for access control.
I think the key is "used for access control." This is what distinguishes attributes from other kinds of data.
Tom
Hi David,

I understand the distinction you're making and I agree. If you can work in the phrase "used for access control", I think that would be sufficient.

Tom

On Nov 29, 2007 4:50 AM, David Chadwick <d.w.chadwick@kent.ac.uk> wrote:
Hi Tom
I am happy to add "used for access control" in the context of our document, but not secure manner or trusted source, because this is not true in all cases. Part of our model is to make sure that we only use trusted attributes because the ones that are asserted may have been done insecurely or may not be trusted (see our other definitions). The role of the CVS in our model is to make sure that only the secure and trusted attributes are filtered out for use, whilst the others are discarded. If we define attributes as secure and trusted then there cannot be other attributes to be discarded (by definition). Then there is no point in having a CVS, its functionality is redundant.
However if you are talking from an XACML perspective then your definition is OK, since by the time the attributes are received by the XACML PDP they are already secure and trusted.
regards
David