
RE: [ggf-ogsa-sec-wg] inter-domain requirements




Bob,

 Please reread my note and the thread. I am talking about
*authorization assertions*, in particular those defined by SAML. Not
authorization as a general concept.

 Olle brought up an example that did not fit into a SAML authorization
assertion. My observation is that SAML authorization assertions are
meant to cover message exchanges between an authorization service and
a client requesting policy information. They are not intended to cover
the management of policy in that authorization service, which is what
I believe Olle was getting at with his example.

 So I'm drawing a line between an administrative protocol to do policy
management and a query/response protocol to get authorization
assertions.

Von

Cowles, Robert D. writes (19:34 October 21, 2002):
 > I am so relieved!  I have been afraid that once we finished shoving all the hard problems from authentication to authorization we would be stuck with having to solve them.  Now it appears there is a new distinction between authorization and policy management ... meaning that we can take the nastiest authorization problems and declare them policy management (to be solved later). 
 > 
 > Sorry .... Von ... could you explain more about the "line" between policy management and authorization?
 > 
 > BC
 > 
 > 
 > > 
 > > 
 > > Olle,
 > > 
 > >  Thinking about the line between authorization assertions and policy
 > > management I've come to the conclusion that SAML (and other)
 > > authorization assertions are a form of policy management.
 > > 
 >