11/19/2004 4:27 PM
post4505
Thanks to Richard
Richard,
thanks for your comments. Unless I hear otherwise I will resolve
them as follows
>
> Some terms are not defined which, given their relevance to the area of
> security, I assume that they would/should be.
For the following three terms I came up with a possible definition
(see below) but was reluctant to put them into the document as they
are mainly about the much broader area of security than what authorization
itself covers.
>
> Accounting
- The process of retaining data about system usage, e.g., for billing purposes.
> Auditing
- Auditing of authorization information typically refers to the process of evaluating system records to establish
what entity has made use of the system and to what extent. Auditing of an authorization system may also refer to a
review of system mechanisms and policies, e.g. to establish a level of confidence in a system.
> Authentication - (various associated terms are given authentication
- the process of establishing an entity's identity
I do not feel that we should add the following terms as they seem even more
outside the scope of an "authorization glossary":
> Confidentiality
> Data integrity
> Logging
> Privacy
> ...also how about
> Obligation
I added the following obligation definition to the document:
"An (authorization) obligation is an instruction from a PDP to an entity requesting an
authorization decision. The instruction may specify an operation that
must be performed in conjunction with the enforcement of the
authorization decision that corresponds to the authorization request."
Plus I added references to XACML and PONDER on this topic.
> A couple of definitions I'm not sure about.
>
> "Service" - not sure I like this definition (and there is a
> problem with
> definition dependencies, "service: the component that
> mediates access to
> a 'resource'" where a 'resource' is defined as "component
> that provides
> or hosts 'services'").
I agree the service definition relies heavily on the scope
of this document, i.e., service = authorization service.
I thus changed the separate service definition to refer to the
Authorization Service definition in the document. We do not attempt
to define the service term in the general sense.
>
> "Trust" - why does this include taking actions? Should it not be
>
> "The willingness to accept the risk associated with assertions made by
> other parties"
This request is in line with a comment that Jim Basney made via GridForge.
I accept Jim's version:
"The willingness to accept the risk associated with actions based on
assertions by other parties."