This is a static archive of the previous Open Grid Forum GridForge content management system saved from host forge.ogf.org file /sf/go/projects.ggf-editor/discussion.info_authorization_glossary.comments_from_mailing_list at Sun, 06 Nov 2022 09:03:04 GMT SourceForge : Post

Project Home

Tracker

Documents

Tasks

Source Code

Discussions

File Releases

Wiki

Project Admin
Project: Editor     Discussion > INFO: Authorization Glossary > Comments from Mailing List > List of Posts
Forum Topic - Comments from Mailing List: (2 Items)
View:  as 
 
 
Comments from Mailing List
Here some comments made by Richard Sinnott via the AuthZ mailing list:
----------------------------------------------------

A few notes/comments on the glossary. 

Some terms are not defined which, given their relevance to the area of
security, I assume that they would/should be. 

Accounting
Auditing
Authentication - (various associated terms are given authentication
credential/token, but not the term itself)
Confidentiality
Data integrity
Logging
Privacy

...also how about 
Obligation


A couple of definitions I'm not sure about.

"Service" - not sure I like this definition (and there is a problem with
definition dependencies, "service: the component that mediates access to
a 'resource'" where a 'resource' is defined as "component that provides
or hosts 'services'").

Perhaps clarity to this can be gained by answering the question of
whether a container hosting a Grid service is a resource or a service?

"Trust" - why does this include taking actions? Should it not be

"The willingness to accept the risk associated with assertions made by
other parties"


A few minor typoes 
Page 3 section "Attribute"  - ", .e.g., " drop the "."

References 
LDAP - should be "Lightweight Directory Access Protocol"


My $0.02c.
Rich
Thanks to Richard
Richard,

thanks for your comments. Unless I hear otherwise I will resolve
them as follows

> 
> Some terms are not defined which, given their relevance to the area of
> security, I assume that they would/should be. 

For the following three terms I came up with a possible definition
(see below) but was reluctant to put them into the document as they
are mainly about the much broader area of security than what authorization
itself covers. 

> 
> Accounting

- The process of retaining data about system usage, e.g., for billing purposes.

> Auditing

- Auditing of authorization information typically refers to the process of evaluating of system records to establish 
what entity has made use of the system and to what extend. Auditing of an authorization system  may also refer to a 
review of system mechanisms and policies, e.g. to establish a level of confidence in a system.

> Authentication - (various associated terms are given authentication
   - the process of establishing an entity's identity
   

I do not feel that we should add the following terms as they seem even more 
out of the scope of an "authorizaiton glossary":
> Confidentiality
> Data integrity
> Logging
> Privacy

> ...also how about 
> Obligation

I added the following obligation definition to the document:

"An (authorization) obligation is an instruction from a PDP to an entity requesting an 
authorization decision. The instruction may specify an operation that 
the must be performed in conjunction with the enforcement of a the
authorization decision that corresponds to the authorization request."

Plus I added references to XACML and PONDER on this topic.

> A couple of definitions I'm not sure about.
> 
> "Service" - not sure I like this definition (and there is a 
> problem with
> definition dependencies, "service: the component that 
> mediates access to
> a 'resource'" where a 'resource' is defined as "component 
> that provides
> or hosts 'services'").

I agree the service definition relies heavily on the scope
of this document i.e., service = authorization service. 

I thus changed the separate service definition to refer to the
Authorizaiton Service definition in the document. We do not attempt 
to define the service term in the general sense.

> 
> "Trust" - why does this include taking actions? Should it not be
> 
> "The willingness to accept the risk associated with assertions made by
> other parties"

This request is in line with a comment that Jim Basney made via griforge.
I accept Jim's version: 

"The willingness to accept the risk associated with actions based on 
assertions by other parties."

 
 


The Open Grid Forum Contact Webmaster | Report a problem | GridForge Help
This is a static archive of the previous Open Grid Forum GridForge content management system saved from host forge.ogf.org file /sf/go/projects.ggf-editor/discussion.info_authorization_glossary.comments_from_mailing_list at Sun, 06 Nov 2022 09:03:04 GMT