RE: [higgins-dev] Proposedupdates toHiggins ArchitecturediagramperAustin

["Paul Trevithick" <paul@xxxxxxxxxxxxxxxxx>]

Raj would like to see us introduce a new Component that i-card providers could optionally use to do what he calls attribute to claims transformation.

 

Here are the benefits(+)/costs(-) as I see them:

+ allows an i-card provider to not be dependent on IdAS (i.e. using an IdAS CP to perform this transformation)

- introduces complexity: another component in the architecture, another code base to maintain

- defining and maintaining a new interface (this might not be true depending on the design)

 

Are there other benefits?

Other costs?

 

-Paul

 

---

From: higgins-dev-bounces@xxxxxxxxxxx [mailto:higgins-dev-bounces@xxxxxxxxxxx] On Behalf Of Nataraj Nagaratnam
Sent: Tuesday, May 08, 2007 11:50 AM
To: Higgins (Trust Framework) Project developer discussions
Cc: Higgins (Trust Framework) Project developer discussions; higgins-dev-bounces@xxxxxxxxxxx
Subject: Re: [higgins-dev] Proposedupdates toHiggins ArchitecturediagramperAustinF2F discussions

 

Context (Attribute) Providers could act as ClaimsProvider. But saying Context(Attribute)Provider is the only way to get claims and only ClaimsProvider for Higgins .. is the limitation I would like to see if we can avoid.



"Tom Doman" <TDoman@xxxxxxxxxx>

"Tom Doman" <TDoman@xxxxxxxxxx>
Sent by: higgins-dev-bounces@xxxxxxxxxxx

05/08/2007 11:18 AM

Please respond to
"Higgins \(Trust Framework\) Project developer discussions" <higgins-dev@xxxxxxxxxxx>

To	"Higgins (Trust Framework) Project developer discussions" <higgins-dev@xxxxxxxxxxx>
cc
Subject	Re: [higgins-dev] Proposedupdates toHiggins ArchitecturediagramperAustin F2F discussions

 

Yep, not sure Duane was saying that wasn't true also ... but I digress ...  In Higgins, we already have Context Providers which could act as Claim Providers as well.  Through the _javascript_ CP, _javascript_ could be used to transform, remove, and\or create claims from the Digital Subjects returned.  Call them Digital Identities at that point but the interface conveniently stays the same.  BTW, tangentially, _javascript_ is the only implemented choice so far, but we could use any number of policy or other languages in a Context Provider to achieve the same thing.

Tom

>>> Anthony Nadalin <drsecure@xxxxxxxxxx> 5/8/2007 8:41 AM >>>
Well not always true as there are claims that are or can be attibutes like birthdate

-----------------
Sent from my BlackBerry Handheld.


----- Original Message -----
From: "Duane Buss" [DBuss@xxxxxxxxxx]
Sent: 05/08/2007 08:20 AM
To: "discussions', 'Higgins (Trust Framework) Project developer" <higgins-dev@xxxxxxxxxxx>
Subject: RE: [higgins-dev] Proposed updates toHiggins ArchitecturediagramperAustin F2F discussions



    Claims and attributes are different, and one should always be able to tell the difference between the a claim and an attribute.  However I don't believe that necessitates that they must be represented by different objects and accessed via different interfaces.

    As an example consider a relying party, it may have multiple authentication methods, some of which present tokens containing attested claims, some of which result in presenting an identity and credentials.   When it is time to authorize  the client, the relying party implementer is faced with multiple possibilities: different authorization paths depending on the authentication mechanism, transform the identity and credential to claims (via the Higgins STS of course), or transform the external claims to their internal attribute equivalents.

    The line between claims and attributes becomes especially blurry when we start transforming claims.   At that point is it still a claim, or is it now an attribute, or is it some third thing?

    I personally believe that there will be instances where claims and attributes will need to coexist and both be part of trust and authorization decisions.   That the evaluation engine at that authorization decision point doesn't want to have to have different objects, interfaces ,or models for accessing these properties, that would be madness.

    Once again, claims and attributes are different, and one should always be able to tell the difference between the a claim and an attribute.  I agree that IdAS may not be 'THE' source of claims or attributes, but there should be a common interface that people can use to operate with either type of property.

Duane

>>>
From: Nataraj Nagaratnam <natarajn@xxxxxxxxxx>
To:"Higgins (Trust Framework) Project developer discussions" <higgins-dev@xxxxxxxxxxx>
CC:<higgins-dev-bounces@xxxxxxxxxxx>, "'Higgins (Trust Framework) Project developer discussions'" <higgins-dev@xxxxxxxxxxx>
Date: 5/8/2007 7:26 AM
Subject: RE: [higgins-dev] Proposed updates toHiggins    ArchitecturediagramperAustin F2F discussions

Digital Subject contains list of attributes not claims ! Like we discussed many times in the past and also in the recent F2F, claims could be based on attributes of DigitalSubject, they could be derived from attributes (but not necessarily the attributes themselves), or could be derived from some other claim assertions from other IPs/RPs

I would like us to discuss this ... as we continue to treat attributes and claims to be synonymous and IdAS to be 'THE' source of claims as well. I am not sure that is always true.

Raj


"Paul Trevithick" <paul@xxxxxxxxxxxxxxxxx>


"Paul Trevithick" <paul@xxxxxxxxxxxxxxxxx>
Sent by: higgins-dev-bounces@xxxxxxxxxxx
05/08/2007 08:48 AM Please respond to
"Higgins \(Trust Framework\) Project developer discussions" <higgins-dev@xxxxxxxxxxx>


To
"'Sergey Lyakhov'" <slyakhov@xxxxxxxxxxxxxx>


cc
"'Higgins \(Trust Framework\) Project developer discussions'" <higgins-dev@xxxxxxxxxxx>


Subject
RE: [higgins-dev] Proposed updates to Higgins ArchitecturediagramperAustin F2F discussions




SergeyL wrote:
>
> > But thinking out loud here...if I were designing the CPIP I think I
> would
> > have stored within the CPIP object itself a URI field: "<ContextId> /
> > <SubjectId>", where ContextId points to, say, a Jena-backed Context. And
> > SubjectId to a DS within it (the SubjectId can be null if there is only
> > one
> > DS in the Context, BTW).
>
> Yes, IdAS-based CPIP is implemented in this way. Personal I-Card contains
> a
> reference (ContextId + SubjectId) to a Digital Subject which contains a
> list
> of claims ().

Good.

> On the other hand, STS shouldn't use this reference, if we
> will need to develop some non-IdAS based CPIP.

Why do we need to develop a non-IdAS-based CPIP?

> There is a method
> ICard.getClaims(), and it could be used by STS in case of Personal ICard.
>
> Thanks,
> Sergey Lyakhov
> ----- Original Message -----
> From: "Paul Trevithick" <paul@xxxxxxxxxxxxxxxxx>
> To: "'Higgins (Trust Framework) Project developer discussions'"
> <higgins-dev@xxxxxxxxxxx>
> Cc: <higgins-dev-bounces@xxxxxxxxxxx>
> Sent: Tuesday, May 08, 2007 2:45 AM
> Subject: RE: [higgins-dev] Proposed updates to Higgins Architecture
> diagramperAustin F2F discussions
>
>
> >
> >
> > Mike wrote
> >>
> >> Paul,
> >>
> >> We are trying to figure out a few things wrt attributes for "personal"
> >> i-Cards.
> >> In "managed" mode, the STS pulls attribute values for claims from a
> >> Context via Context Provider/IdAS.
> >> In "personal" mode, it is unclear where the attibute (and master key)
> >> values are - are they in the i-Card Store?
> >
> > SergeyL has been designing and developing the CardSpace Personal i-card
> > provider (CPIP). So he should answer rather than I. The doc he wrote
> here
> > [1] is extremely vague (and should be fixed).
> >
> > But thinking out loud here...if I were designing the CPIP I think I
> would
> > have stored within the CPIP object itself a URI field: "<ContextId> /
> > <SubjectId>", where ContextId points to, say, a Jena-backed Context. And
> > SubjectId to a DS within it (the SubjectId can be null if there is only
> > one
> > DS in the Context, BTW). That way I could pass this ContextId/SubjectId
> > reference along in the RST to the TS and the TS could open this
> > ContextId/SubjectId. I would have separately developed a parser to
> import
> > the MSFT-defined personal i-card format. And I'd have separately
> developed
> > a
> > generator to export to this same format.
> >
> >> It seems as if there is a need for the iCard Store for personal i-Cards
> >> to
> >> be accessible via Context Provider/IdAS.
> >> If so the lines aren't drawn to reflect that.
> >
> > As mentioned I'm assuming that the runtime storage of CPIP attributes is
> > in
> > IdAS. So only the existing blue link from the CPIP i-card provider to
> the
> > IdAS Component is required.
> >
> > [1] http://wiki.eclipse.org/index.php/CardSpace_Personal_I-Card_Provider 
> >
> > <snip>
> >
> > _______________________________________________
> > higgins-dev mailing list
> > higgins-dev@xxxxxxxxxxx
> > https://dev.eclipse.org/mailman/listinfo/higgins-dev 
>
> _______________________________________________
> higgins-dev mailing list
> higgins-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/higgins-dev 

_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev