Updated: 8/6/2008; 10:24:40 PM.
Mark O'Neill's Radio Weblog

Tuesday, April 08, 2008

A couple of years ago I spoke alongside Andy Gordon and Cedric Fournet from Microsoft Research (Cambridge, UK) at a conference in France. At that time, they were working on validation of WS-Policy policies, detecting logical faults and inconsistencies, but they were also looking at mechanisms to express authorization and RBAC information in general.

It is good to see their work mentioned this morning by Craig Mundie in his RSA Conference Keynote. He mentioned a framework called SecPAL (see: http://research.microsoft.com/~moritzb/docs/beckerfournetgordon_authorizationlanguage.pdf ).

I have some questions about SecPAL though. It overlaps with XACML, but it is designed in a more "natural language" way than XACML (anyone who has read XACML will know what I mean about that). But, nobody in their right mind would create or edit policies by manually editing XACML. XACML import and export (and policy import and export in general) is important in large networks. Policy silos are just as bad as identity silos. It would be possible to map from SecPAL to XACML, I can see, but right now nothing does that (right?). That is a gap right now.

One great thing about SecPAL is that it is built on top of research into developing policies which are logical and useful. Policy languages often give you "enough rope to hang yourself", and they have thought about this in advance. That's all good. But I remain worried about the overlap with XACML. Maybe it was telling that the example used by Craig Mundie, doctor access to healthcare, was very similar to the example used in the XACML Specification.

Looking forward to seeing where Microsoft goes with SecPAL. 


11:34:35 AM

Identity Management is plagued by analogies which are not quite correct, resulting in tremendous confusion. For example, a digital certificate is a little bit like a passport, but not quite... 

Once in a while, though, a good analogy crops up. One such example was used by Andre Durand yesterday, the "Identity Router". This phrase neatly gets across the ability to join identity information from two domains together. "Identity Bridge" might also apply.

XML Gateways are natural "identity routers". They can take one token, used in one domain, and map it to a token used in a different domain. It is best to use standards to achieve this. Key standards here include SAML (to encapsulate the identity information sent between domains) and WS-Trust (to exchange one form of security token for another).

In the Vordel XML Gateway we provide the building blocks to do this mapping, to create "identity routing" nodes. In the example below, the Gateway is using a policy which makes use of WS-Trust to convert from a WS-Security UsernameToken (used in one domain) to a SAML token (which can be sent across the network to another domain). At the other domain, a local XML Gateway can use the SAML token to map the user to their local identity there. The beauty of using the standards is that customers are not locked into proprietary methods of doing this mapping.
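As an added illustration of the mapping described above (this is example code written for this page, not the Vordel XML Gateway's own implementation), the following toy "identity router" accepts a WS-Security UsernameToken from domain A, authenticates it against a local user store, and issues a SAML 2.0 assertion addressed to domain B, which is the exchange a WS-Trust token service performs inside the gateway. The user store, the hostnames, the password and the timestamps are all constructed for the example; the PasswordDigest formula, header namespaces and SAML element names are the ones the OASIS specifications define.

```python
"""Toy 'identity router': WS-Security UsernameToken in, SAML 2.0 assertion out.
Added example; not the gateway product's own code."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed user store for domain A (an assumption, not a real deployment).
USERS = {"alice": ("s3cret", {"role": "doctor", "email": "alice@hospital-a.example"})}
_SEEN_NONCES = set()  # replay cache; a real gateway bounds and expires this


def _password_digest(nonce_b64, created, password):
    # UsernameToken Profile 1.0: Base64(SHA-1(nonce || created || password)).
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_username_token(username, password, created, nonce_b64=None):
    """Constructed sample SOAP request from domain A, PasswordDigest form."""
    nonce_b64 = nonce_b64 or base64.b64encode(secrets.token_bytes(16)).decode()
    digest = _password_digest(nonce_b64, created, password)
    return (f'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><soap:Header><wsse:Security>'
            f'<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>'
            f'<wsse:Password Type="{PW_DIGEST}">{digest}</wsse:Password>'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>')


def verify_username_token(soap_xml, now, max_skew=timedelta(minutes=5)):
    """Authenticate the token against domain A's store; return the username or raise."""
    tok = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        raise ValueError("no UsernameToken in Security header")
    username = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if username not in USERS:
        raise ValueError("unknown user")
    if pw is None or pw.get("Type") != PW_DIGEST or not nonce or not created:
        raise ValueError("only PasswordDigest with Nonce and Created is accepted")
    created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
    if abs(now - created_dt) > max_skew:  # stale Created: reject before any crypto
        raise ValueError("Created timestamp outside freshness window")
    expected = _password_digest(nonce, created, USERS[username][0])
    if not hmac.compare_digest(expected, pw.text or ""):
        raise ValueError("password digest mismatch")
    if nonce in _SEEN_NONCES:  # valid digest, but already consumed: replay
        raise ValueError("nonce replayed")
    _SEEN_NONCES.add(nonce)
    return username


def issue_saml_assertion(username, now, issuer="https://gw.hospital-a.example",
                         audience="https://gw.hospital-b.example"):
    """Build the SAML 2.0 assertion sent to domain B (issuer/audience are assumed names).
    An XML-DSig signature is mandatory in practice and deliberately omitted here."""
    attrs = USERS[username][1]
    a = ET.Element(f"{{{SAML}}}Assertion", Version="2.0", ID="_" + secrets.token_hex(16),
                   IssueInstant=now.strftime(TIME_FMT))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = username
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=now.strftime(TIME_FMT),
                         NotOnOrAfter=(now + timedelta(minutes=5)).strftime(TIME_FMT))
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, value in attrs.items():  # local attributes become SAML attributes
        ET.SubElement(ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name),
                      f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(a, encoding="unicode")


def route_identity(soap_xml, now):
    """The whole 'identity router' step: verify domain A token, emit domain B token."""
    return issue_saml_assertion(verify_username_token(soap_xml, now), now)


def saml_name_and_attrs(saml_xml):
    """What domain B's gateway reads out of the assertion to map to a local identity."""
    root = ET.fromstring(saml_xml)
    attrs = {e.get("Name"): e.findtext(f"{{{SAML}}}AttributeValue")
             for e in root.iter(f"{{{SAML}}}Attribute")}
    return root.findtext(f".//{{{SAML}}}NameID"), attrs


def demo(password="s3cret", skew_seconds=0):
    """Run the exchange at a fixed constructed clock; returns (NameID, attributes)."""
    now = datetime(2008, 4, 8, 11, 19, 21, tzinfo=timezone.utc)
    created = (now - timedelta(seconds=skew_seconds)).strftime(TIME_FMT)
    return saml_name_and_attrs(route_identity(build_username_token("alice", password, created), now))


def rejects(**kwargs):
    """True if demo(**kwargs) is refused by the router."""
    try:
        demo(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The Created freshness window and the nonce cache are what keep a sniffed PasswordDigest from being replayed as a bearer credential; without them the digest form is barely better than PasswordText. On the issuing side the assertion must be signed by the gateway before it crosses the network, otherwise domain B has no reason to trust the NameID or the attributes in it.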



11:19:21 AM

© Copyright 2008 Mark O'Neill.