[cap-talk] Architectural Choices for Security: terminology
Karp, Alan H
alan.karp at hp.com
Fri Nov 16 20:43:15 EST 2007
Jed wrote:
>
> On 11/16/2007 3:21 PM, Karp, Alan H wrote:
> > ...while we've shown
> > that SAML certificates can be used to combine designation with
> > authorization, they can also be used as authorizations distinct from the
> > designation.
>
> To what end? I.e. what value is there in separating authorizations
> from designations?
>
There is none, but sometimes you're dealing with an application that you
can't change. If that application takes a string argument to specify a
filename, you can't just substitute a SAML certificate. You have no
choice but to separate them. In that case, the string is the
designation and the SAML authorization certificate is passed elsewhere
in the SOAP message. Although that split introduces some problems, it's
still better than relying on authentication.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
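
Added example, not part of the original message or of any HP code: a front end for an unmodifiable application that takes a filename string, checking that the SAML authorization carried in the SOAP header covers the string designation in the body before the call is forwarded. The `app:ReadFile` body element, its namespace and the sample message are constructed for illustration, the assertion is trimmed to the fields the check reads, and verification of the assertion's signature and issuer is assumed to have happened before this function runs.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "app": "urn:example:legacy",  # hypothetical namespace for the legacy call
}

# Constructed sample: designation (filename string) in the Body,
# authorization (SAML statement) passed separately in the Header.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:app="urn:example:legacy">
 <soap:Header>
  <saml:Assertion>
   <saml:AuthzDecisionStatement Resource="/reports/q3.txt" Decision="Permit">
    <saml:Action>read</saml:Action>
   </saml:AuthzDecisionStatement>
  </saml:Assertion>
 </soap:Header>
 <soap:Body>
  <app:ReadFile><app:filename>{name}</app:filename></app:ReadFile>
 </soap:Body>
</soap:Envelope>"""


def authorized_filename(message, action="read"):
    """Return the designated filename only if an authorization in the
    header permits `action` on exactly that name; otherwise None."""
    root = ET.fromstring(message)
    name = root.findtext("soap:Body/app:ReadFile/app:filename", namespaces=NS)
    if not name:
        return None
    path = "soap:Header/saml:Assertion/saml:AuthzDecisionStatement"
    for stmt in root.iterfind(path, NS):
        if stmt.get("Decision") != "Permit":
            continue
        # Exact string match: the string and the certificate arrive
        # separately, so the receiver has to tie them together itself.
        if stmt.get("Resource") != name:
            continue
        actions = [a.text.strip() for a in stmt.findall("saml:Action", NS) if a.text]
        if action in actions:
            return name  # safe to hand to the unmodified application
    return None  # fail closed: no authorization covers this designation


if __name__ == "__main__":
    print(authorized_filename(SAMPLE.format(name="/reports/q3.txt")))
    print(authorized_filename(SAMPLE.format(name="/etc/passwd")))
```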