
Re: AC Scenarios - PULL model



On Thu, 9 Nov 2000, Steve Hanna wrote:

> Polar Humenn wrote:
> > In the CORBA Security Case, an object reference is configured with a
> > specification of where and how the client is supposed to find the
> > authorization information (which can be an X.509 AC, or one of these XML
> > thingies) the object will understand. It is an authorization token layer
> > acquisition service, which we call ATLAS. It is up to the client to
> > contact that service and acquire the ACs (or whatever) based on its
> > authentication to the ATLAS. Then the client can push the ACs to the
> > object during a CORBA request.
> 
> OK. So it's a push model. How does the client authenticate to the
> object?

Well, it "can" be a push model. Nothing can stop it from being a pull
model, of course. :)

The client may authenticate using SSL or SECIOP-GSS-Kerberos, or any
SECIOP protocol that uses GSS-API based mechanisms. SECIOP is a messaging
protocol for CORBA to transport GSS tokens.

My point was that in CORBA Security, every object states where and how (a
CORBA service, or otherwise) the client is to get the ACs in its object
reference. That's how we gain interoperability in the general case.


> > In the pull scenario, you don't really need ACs at all. All you need is
> > an answer from a trusted somebody about the subject. It could be your
> > babysitter has a Kerberos connection to your mother, who said you can play
> > outside. (no AC signature verification needed). I.e. your mother doesn't
> > have to sign a note, she can just tell the babysitter when asked.
> 
> Agreed. You don't have to use ACs in the pull scenario. But that's what
> we're discussing here.

True. I just wanted to state that there is no *requirement* for ACs in a
pull model, although you can certainly use them, verify them, etc.

Cheers,
-Polar

-------------------------------------------------------------------
Polar Humenn                  Adiron, LLC
mailto:polar@adiron.com       2-212 CST      
Phone: 315-443-3171           Syracuse, NY 13244-4100
Fax:   315-443-4745           http://www.adiron.com
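
Added example, not part of the original message and not code from any CORBA Security implementation: a minimal model of the push and pull flows discussed above. The class and method names, the demo key, and the use of an HMAC as a stand-in for an X.509 AC signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-demo-key"  # assumption: stands in for the AC issuer's key


def _mac(body: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()


class Atlas:
    """Hypothetical token service: issues tokens (push) and answers queries (pull)."""

    def __init__(self, privileges):
        self.privileges = privileges  # subject -> list of privilege names

    def issue(self, subject):
        # Push model: the client fetches a signed statement about itself.
        claims = {"sub": subject, "priv": self.privileges.get(subject, [])}
        body = json.dumps(claims, sort_keys=True).encode()
        return body, _mac(body)

    def query(self, subject):
        # Pull model: the object asks directly over a channel it already trusts.
        return self.privileges.get(subject, [])


class TargetObject:
    def __init__(self, atlas, required):
        self.atlas, self.required = atlas, required
        # The object reference states where the client obtains its tokens.
        self.reference = {"atlas": atlas}

    def invoke_push(self, authenticated_subject, token):
        body, sig = token
        if not hmac.compare_digest(sig, _mac(body)):
            return False  # token was altered or not issued by the trusted service
        claims = json.loads(body)
        # Tie the token to the identity authenticated on the connection.
        if claims["sub"] != authenticated_subject:
            return False
        return self.required in claims["priv"]

    def invoke_pull(self, authenticated_subject):
        # No signature check: the answer comes straight from the trusted party.
        return self.required in self.atlas.query(authenticated_subject)


def client_push_call(obj, subject):
    # The client reads the locator from the object reference, then pushes the token.
    token = obj.reference["atlas"].issue(subject)
    return obj.invoke_push(subject, token)
```

In the push path the object must verify the token and match it to the authenticated caller; in the pull path both checks are replaced by the trusted channel to the service.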