[cap-talk] SAML assertions as capabilities vs. ocaps

Karp, Alan H alan.karp at hp.com
Thu Jun 5 17:16:05 CDT 2008


David Chizmadia wrote:
>
>      The samlPolicy is the tuple
> (Authority, authorizationsMap) wrapped in a
> sealed box. For the samlPolicy originating
> from the samlBox, the Authority is the samlBox.
> To allow authority attenuation, an intermediate
> holder can use the samlPolicy they received as
> the Authority to construct a new samlPolicy
> with a more restricted authorizationsMap. The
> samlBox unwinds a chain of samlPolicy tuples
> until it reaches the one it issued.
>
That's closer, but I'm not sure how it works.

How is the sealer/unsealer managed?  I assume that the samlBox holds the unsealer, and the sealer is available to everyone.  I think making that sealer available to everyone involves extra messages.  In our SAML approach, each delegation is signed with the delegator's private signing key, which doesn't require key communication.

How does the delegatee invoke the delegated object?  In our SAML example, we used the authorization assertions as the method arguments.  Since the assertions are open documents, the invoked method could extract the service URL for subsequent invocation.  Sealed boxes are opaque, so the delegatee can't get the object reference.

Maybe the answer is to send a list corresponding to our SOAP header as an extra argument, e.g., objRef.foo([objRef,AuthMap,seal,samlPolicy],...), where samlPolicy is seal([objRef,Authority,AuthMap]).  The method would check the invocation against the policy, e.g.,

        def sealer { ... }
        to foo(policy, ...) // Other arguments
        {
            if (this == sealer.unseal(policy)[0] &&
                attenuationCheck(sealer.unseal(policy)[2])) // Plus other checks
            {
                ...
            }
        }

I'm sure Dean can do this without EQ.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
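
The chain-unwinding and attenuation check discussed in this message, as an added Python illustration that is not code from the thread or from either participant. Assumptions: Python closures stand in for an E sealer/unsealer pair (Python itself gives no capability isolation), the AuthMap is a set of permitted method names, the service recognizes a root policy by remembering the boxes it issued, and the names `Service`, `issue`, `delegate` and `make_brand_pair` are hypothetical.

```python
# Added illustration; Service, issue, delegate and the set-based AuthMap are assumed names.
def make_brand_pair():
    """Sealer/unsealer pair: a box is an opaque token only unseal() can open."""
    vault = {}
    class Box:
        pass
    def seal(value):
        box = Box()
        vault[box] = value
        return box
    def unseal(box):
        return vault[box]              # KeyError if not sealed by this pair
    return seal, unseal

class Service:
    """Plays both the samlBox (issuer) and the invoked object (objRef)."""
    def __init__(self):
        self.seal, self._unseal = make_brand_pair()   # sealer public, unsealer private
        self._issued = set()                          # root policies this service made

    def issue(self, auth_map):
        root = self.seal((self, self, frozenset(auth_map)))  # Authority is the samlBox
        self._issued.add(root)
        return root

    def _granted(self, policy):
        """Unwind the chain to an issued root and return the leaf's AuthMap."""
        obj_ref, authority, auth_map = self._unseal(policy)
        auth_map = frozenset(auth_map)                # sealer is public: coerce, trust nothing
        if obj_ref is not self:
            raise PermissionError("policy names another object")
        if policy in self._issued:
            return auth_map
        if not auth_map <= self._granted(authority):  # Authority is the parent policy
            raise PermissionError("delegation widens authority")
        return auth_map

    def foo(self, policy, *args):
        try:
            allowed = self._granted(policy)
        except (KeyError, TypeError, ValueError):
            raise PermissionError("not a policy chain sealed for this service")
        if "foo" not in allowed:
            raise PermissionError("foo not authorized")
        return ("foo ran", args)

def delegate(service, parent_policy, auth_map):
    """Intermediate holder wraps the policy it received as the new Authority."""
    return service.seal((service, parent_policy, frozenset(auth_map)))
```

Because the sealer is public in this model, a self-sealed "root" is rejected only because it is absent from the service's issued set, and each link's AuthMap is re-checked against its parent during unwinding.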



