[This reply is several days old due to having bounced back by an addressing
error. I know more discussion has gone on but keeping in mind the fact that
it was created several days ago in response to what I saw in the message
stream then I believe it is still pertinent.]
from Charles Watt:
One reason that I like the suggestion above for an application specific
authorization service is that it allows each organization to explicitly
state the level of liability that they are willing to assume for each
use of a signature. In the example, a signed list of authorized DNs and
limitations is a statement that an organization will honor all EDI contracts
that meet the specified signature requirements. If the organization posting
such a statement chooses not to provide adequate security for its internal
EDI subsystem, then it, and it alone, is liable for the consequences.
THE FOLLOWING IS NOT MEANT TO BE A FLAME. PLEASE DON'T INTERPRET IT AS AN
ATTACK ON CHARLES, PEM OR ANYONE.
The above is untenable for large organizations. All authorizations must be
part of ONE logical coherent whole. Authorization, though, should be clearly
separated from authentication. Mixing them thru the DN doesn't seem to be
the proper way to go at all. Separable information on Roles should exist in
a form easily linked to the authenticated identity achieved thru the PEM
authentication services.
Authorizations cannot be done on an application by application basis.
Applications like PEM and applications built on pem must be able to use
common authorization services sharing common authorization data. This must
be sharable with all of the rest of the general and specific applications
that will exist. The scope and scale of this must work for 100,000+ people
in an organization like Boeing. How it can easily extend to coordinated use
with Boeing's customers, suppliers, partners, & authorities (ie governments)
and others [500,000+?] must be planned in. A mid term need for us is to be
able to extend the information to have general meaning and use across the
aeronautical community [ie 2,000,000 - 10,000,000 people].
Remember too that these numbers are JUST the people and don't include
devices and autonomous applications and etc.
The total number of different applications in large companies and industries
has the same type of scaling and scope problems as the number of people.
Why do I bother the pem list with this stuff? No, this isn't technical
'stuff' per se. I normally just watch pem. I do do security work at the
requirements, concepts and architectures levels including participation in
some standards arenas. I also do evaluation of security technologies and
their futures for Boeing Computer Services, other parts of Boeing, and for
sharing thru the Aeronautical Industries Association for purposes of
planning how we want to secure our future automation industry wide.
One basic coming out of the recent X/Open Security Requirements work, the
Posix .6 & .22 security and distributed security functionality work plans,
and our own architectures and plans is for separate security
functionalities, that work well together, as a whole, on common information,
in whatever application requires the service. It must be easily manageable
and implementable and apply at least enterprise wide. So:
. Make sure the authorization information and functionalities are separate
but easily usable with pem.
[Don't embed it in an individual's DN!]
. Provide for use of generic authorization services and information.
. Create or choose a default authorization scheme and information definition
for PEM now. Make sure it can be replaced without affecting the rest of
pem.
I would like to be able to plan for pem use as part of future secure
computing, communications and automation. Don't implement it so it will be
a short term solution that will be extremely hard and expensive to grow past
or back out of.
The above comments and opinions when given to an IETF group are of course
mine and not Boeing's. You may presume that they will gladly disavow any
knowledge of my actions and opinions and maybe even feel like shooting me if
this were ever brought forcefully to their attention.
Thank you for your time and attention.
Rich Harris rharris@atc.boeing.com
Boeing Computer Services/ Computing Security Technology
PO Box 24346, M/S 7L-15 / Seattle WA 98124
phone 206-865-4922 fax 206-865-6903