[cap-talk] SAML assertions as capabilities vs. ocaps
Jed Donnelley
jed at nersc.gov
Thu Apr 24 16:37:24 CDT 2008
On 4/23/2008 5:26 PM, Karp, Alan H wrote:
> The Navy folks I'm working with frequently come back to some features of SAML authorizations that they like, particularly having the full delegation chain in the certificate and the fact that an attenuating delegation doesn't need prior planning. Both of these features are implementable with ocaps, but perhaps not as conveniently.
>
> That leads me to make a challenge. Find the best way to implement these features purely with ocaps. I'll accept an intravat solution as long as the intervat version is reasonable. For example, a forwarder can be used to attenuate an ocap, but some extra communication is involved. Is there an intervat solution that doesn't require extra intervat messages? Minimizing messages is of particular interest to the Navy.

Hmmm. I'm a bit lost. From my perspective Horton does both - full delegation chain in the capability and can attenuate delegation without prior planning. Those (along with audit/logging) were the primary motivations for Horton - which was implemented on ocaps.

In terms of "best" ('find the best way...'), while I can't claim that the Horton reference implementations are "best" in any sense, I do believe that any ocap mechanism that provides these facilities will have to be in some ways "isomorphic" to Horton. That is, delegations will have to go "through" something like the Horton tunnel so that the delegation path can be tracked, and some "central" entity will have to have hooks into the capabilities to be able to do the attenuation without prior planning. However such facilities come out in a detailed implementation, it seems to me that it must look/work much like Horton. I'll be interested to hear about alternatives that look substantively different.

The notion of "arbitrary" attenuation (as MarkM mentioned) it seems to me comes down to essentially Horton policies.

Does your challenge amount to essentially trying to make Horton more efficient (fewer messages?)?

--Jed http://www.webstart.com/jed/
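As an added example (not from this thread, and not Horton's own code): a small Python sketch of the forwarder approach Alan mentions, in which each attenuating delegation is a new forwarder that narrows rights and records the delegation chain inside the capability itself, so that a receiver sees the full path at invocation time. The `File` object and the principal names are constructed for the example; the forwarder stands in for the "central entity with hooks" Jed describes, and the chain is only as trustworthy as the forwarder code that builds it.

```python
from dataclasses import dataclass


class File:
    """The underlying object: anyone holding a direct reference has full authority."""
    def __init__(self, data):
        self.data = data
    def read(self):
        return self.data
    def write(self, new_data):
        self.data = new_data


@dataclass(frozen=True)
class Forwarder:
    """An attenuating proxy. Holding it is the capability; it also carries the
    delegation path, so the whole chain is visible when it is exercised."""
    target: object
    allowed: frozenset
    chain: tuple  # constructed principal names, e.g. ("alice", "bob")

    def delegate(self, to, allowed=None):
        """Attenuate without prior planning: any holder may narrow the rights,
        but the new set must be a subset of what this holder already has."""
        allowed = self.allowed if allowed is None else frozenset(allowed)
        if not allowed <= self.allowed:
            raise PermissionError("delegation may not widen authority")
        return Forwarder(self.target, allowed, self.chain + (to,))

    def invoke(self, method, *args):
        """Every use is one extra hop through the forwarder (the message cost Alan notes)."""
        if method not in self.allowed:
            raise PermissionError(f"{method} denied; chain={self.chain}")
        return getattr(self.target, method)(*args)


def attempt(cap, method, *args):
    """Return ('ok', result) or ('denied', reason) instead of raising; useful for an audit log."""
    try:
        return "ok", cap.invoke(method, *args)
    except PermissionError as e:
        return "denied", str(e)


def demo():
    # Constructed scenario: alice holds full authority, attenuates to read-only
    # for bob, and bob passes the same read-only capability on to carol.
    alice = Forwarder(File("hello"), frozenset({"read", "write"}), ("alice",))
    bob = alice.delegate("bob", {"read"})
    carol = bob.delegate("carol")
    return alice, bob, carol
```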