Please disregard my earlier e-mail. My PC crashed while I was writing the e-mail and I didn't even realize that it had been sent until Dervla replied.

Our next conference call is scheduled for June 08, 9-10:30 PDT.

Agenda:
* Confirm April 27 minutes
* Review the rest of John Tolbert's use cases that he went over during the April 27 conf call

Call In Details
Skype: +9900827044630912
US Dial-In: +1-201-793-9022
Room Code: 4630912

FYI, Paul Madsen and his group are hosting an AuthZ workshop at Burton Catalyst, Tuesday, July 27, 12-2:30pm. As I understand it, they will be looking at trends in standards associated with AuthZ, and they are interested in use cases that may require extension or modification to them. We could help the group by submitting some of our more interesting examples for their consideration, prior to the workshop. In other words, John and I would appreciate any UC examples you care to submit to our website: http://kantarainitiative.org/confluence/display/ias/Home

This is, tentatively, the workshop's objective:

As authorization generally follows authentication in a given online transaction, standardization of authorization has generally followed that of web authentication standards like SAML, WS-Federation, and OpenID. This workshop will explore developments & trends in authorization standards, including OAuth (a community initiative now being standardized within the IETF), User-Managed Access (evolving within the Kantara Initiative) and XACML (an OASIS standard). We'll also look at some authorization use cases that may imply new requirements of these protocols. Through a combination of presentations, panels and demonstrations, we'll explore how these existing & emerging authorization standards fit into the enterprise & social web infrastructure.
From my own experience in the financial sector, there are some very challenging use cases coming out of new thinking about dynamic authentication/authorization across multiple channels, e.g. online, ABM/ATMs, IVR, contact centres. That is, authorization levels are modulated by risk calculations that use input parameters such as customer assurance index levels, the channel the request comes through, self-imposed preferences (e.g. I don't want to allow money transfers over my online banking), and even the location of the channel device.

And how are we to manage such authorizations with respect to banking products/applications? Is it efficient to build dynamic entitlements on, say, a security token basis? Or is it better for policy to help determine a kind of filter (a filter of entitlements to app services) that would be enforced in the mid-tier between the channel and the back-end product? Some of our major applications have extremely high transaction rates: can security tokens with their complex protocols operate in such an environment?

Another thing to consider is that, while the term 'adaptive authentication' is common, 'adaptive authorization' isn't. In fact, once an initial authentication occurs over a channel, subsequent AuthZ events, triggered by a customer trying to do something, are highly inter-related with AuthN. For one thing, a high-assurance customer (the assurance index having been assigned at registration time, because of the bona fides he or she submitted to the bank) who initially authenticates with strong credentials should get a wider set of entitlements than if that customer had a lower assurance index. We are in the process of figuring out how to design such a matrix.
WG-IAS mailing list
WG-IAS@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-ias

Gavin Illingworth
Enterprise Architecture, Technology Development | BMO Financial Group | 120 Bloor St E, Toronto, ON M4W 3X1
Telephone: 416.513.5652
E-mail: gavin.illingworth@bmo.com
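The "filter of entitlements" idea in the message above, as an added example that is not part of the original thread and not BMO's or Kantara's code: a toy mid-tier policy decision point that narrows a customer's entitlements from a risk-adjusted score built out of the inputs the message lists (registration-time assurance index, strength of the credential used this session, channel, device location, and the customer's self-imposed restrictions). The entitlement names, channel weights, score thresholds and penalty values are all assumptions chosen for illustration; a real deployment would take them from policy, not from constants in code.

```python
"""Added example: risk-adjusted entitlement filtering ("adaptive authorization").

Nothing here is from the original message; every name, weight and
threshold is an illustrative assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed entitlements of a retail banking product and the minimum
# risk-adjusted score each one requires. Higher = more sensitive.
REQUIRED_SCORE: dict[str, int] = {
    "view_balance": 2,
    "view_statements": 3,
    "pay_bill": 4,
    "transfer_internal": 4,
    "transfer_external": 5,
    "change_address": 6,
}

# Assumed per-channel adjustment: an ATM implies physical card presence,
# an IVR session is weaker than online, a contact centre agent is neutral.
CHANNEL_ADJUSTMENT: dict[str, int] = {
    "online": 0,
    "atm": 1,
    "ivr": -1,
    "contact_centre": 0,
}

# Assumed penalty when the channel device is outside the customer's home country.
LOCATION_MISMATCH_PENALTY = 2


@dataclass
class AuthzContext:
    """Everything the policy filter needs for one request."""
    assurance_index: int        # 1 (low) .. 3 (high), fixed at registration time
    credential_strength: int    # 1 (password) .. 3 (hardware token), for this session
    channel: str                # key of CHANNEL_ADJUSTMENT
    device_country: str         # where the channel device is
    home_country: str           # customer's registered country
    # Customer self-imposed restrictions, per channel, e.g.
    # {"online": frozenset({"transfer_external"})} for "no external transfers online".
    blocked_by_customer: dict[str, frozenset[str]] = field(default_factory=dict)


def risk_adjusted_score(ctx: AuthzContext) -> int:
    """Combine assurance, credential strength, channel and location into one score.

    An unknown channel is an error rather than a default score, so that a
    misconfigured channel fails closed instead of silently getting privileges.
    """
    if ctx.channel not in CHANNEL_ADJUSTMENT:
        raise ValueError(f"unknown channel {ctx.channel!r}: denying by default")
    score = ctx.assurance_index + ctx.credential_strength + CHANNEL_ADJUSTMENT[ctx.channel]
    if ctx.device_country != ctx.home_country:
        score -= LOCATION_MISMATCH_PENALTY
    return score


def permitted_entitlements(ctx: AuthzContext) -> frozenset[str]:
    """Return the entitlements the mid-tier may forward to the back-end product.

    Deny by default: anything not listed in REQUIRED_SCORE is never granted, and
    the customer's own restrictions for this channel are subtracted last so that
    no risk score can re-enable something the customer switched off.
    """
    score = risk_adjusted_score(ctx)
    allowed = {name for name, needed in REQUIRED_SCORE.items() if score >= needed}
    allowed -= ctx.blocked_by_customer.get(ctx.channel, frozenset())
    return frozenset(allowed)


def is_permitted(ctx: AuthzContext, action: str) -> bool:
    """Per-transaction check a mid-tier filter would run on each AuthZ event."""
    return action in permitted_entitlements(ctx)


if __name__ == "__main__":
    # Constructed sample: same customer over three channels.
    strong_online = AuthzContext(3, 3, "online", "CA", "CA",
                                 {"online": frozenset({"transfer_external"})})
    weak_ivr = AuthzContext(3, 1, "ivr", "CA", "CA")
    abroad = AuthzContext(3, 3, "online", "US", "CA")
    for label, ctx in [("online", strong_online), ("ivr", weak_ivr), ("abroad", abroad)]:
        print(label, risk_adjusted_score(ctx), sorted(permitted_entitlements(ctx)))
```

The point the example makes is the one the message raises: the entitlement set is not fixed at authentication time but recomputed per event from the same inputs AuthN used, and because the filter is a pure function of the context it can sit in the mid-tier and be evaluated on every transaction without any token protocol round trip to the back-end product.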