[cap-talk] Architectural Choices for Security: terminology
Karp, Alan H
alan.karp at hp.com
Fri Nov 16 20:43:15 EST 2007
> On 11/16/2007 3:21 PM, Karp, Alan H wrote:
> > ...while we've shown
> > that SAML certificates can be used to combine designation with
> > authorization, they can also be used as authorizations distinct from the
> > designation.
> To what end? I.e. what value is there in separating authorizations
> from designations?
There is none, but sometimes you're dealing with an application that you
can't change. If that application takes a string argument to specify a
filename, you can't just substitute a SAML certificate. You have no
choice but to separate them. In that case, the string is the
designation and the SAML authorization certificate is passed elsewhere
in the SOAP message. Although that split introduces some problems, it's
still better than relying on authentication.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029