ietf-mxcomp

Re: Authentication and Authorization

2004-03-12 09:00:06



On Fri, Mar 12, 2004 at 06:14:41AM -0800, Hallam-Baker, Phillip wrote:

You cited secondary and marketing literature. I wrote the
SAML spec.


Oh, come on Phil, that's ridiculous. Everything not meeting your
taste is "secondary", but the SAML is the holy bible and the
Encyclopaedia Galactica. As if the security community was just
waiting for SAML to redefine their terms.


We defined the following

"We"? Who? Anyone authorized to arbitrarily define terms in 
a way that all other definitions become wrong at once?



Authentication        - The PROCESS of determining that "alice" is
                      Alice
                      - The decision arrived at by an authentication
                      process

Authorization Decision
                      - A statement by the controller of a resource
                      granting access to Alice

Authorization Policy
                      - A statement of the criteria used to make
                      an Authorization Decision.




This is not convincing. An "authorization policy" is a special 
kind of policy, this doesn't mean that every policy needs to be 
an authorization policy. 

A firefighter's truck is also a car, which doesn't imply that 
it necessarily takes firefighters sitting in it to make a car a car.



If your definition was applicable for policies in common, you 
could never have a policy without authorization.

I am talking about the policy of the receiving MTA, the configuration 
on which the decision to accept or not a message is based. That's an 
Anti Spam Policy, not an Authorization Policy.

You might continue to call the decisions whom to authorize an 
Authorization Policy, but that's confusing and useless. Because it's
outside the scope to tell domain owners whom to authorize. That's
their private business.




A credential is a piece of data used to authenticate an individual.
Usually it is the part carried by the user though rather than the
part used for verification.

E.g. A digital certificate, a password, a biometric profile.


So this is definitely not what we are storing in DNS. 
The TCP sequence number is the credential here. 


There is some precedent for calling the information in the DNS 
a credential, but there is none for calling it an authorization.

Why should we call it a credential, if it isn't involved in
authentication?



The owner of the resource here is the receiver of the message, 
it is the receipt of email service that is being controlled.

No. Definitely not. That's nonsense. The resource is the e-mail 
address to be used as a sender address.

And even if it were to be called a resource, I as the owner of my
receiving MTA will not accept that anyone else is giving me a
policy that I would have to enforce. If I receive a message from 
sales@somedomain.com, then it is definitely not somedomain.com's
owner's decision what my own MTA is receiving or not. Your view
doesn't make sense.

It is up to somedomain.com's owner to decide who is authorized to 
use  @somedomain.com in the sender address.

It is my own decision and my policy and nobody else's policy whether 
my MTA is accepting unauthorized messages or not.

My MTA under my control will enforce my policy only and nothing else. 
I guess everyone else will agree with that.

This is consistent with my definition, but not with yours.

regards
Hadmut

