Category: Informational
Authorization Frameworks and Mechanisms WG
Dane D. Skow [dane@fnal.gov]
January 2003 (for revision see bottom of page)

Glossary for Authorization Framework

Status of this Memo

This memo provides information for the Grid community. It does not define any standards or technical recommendations. Distribution of this memo is unlimited.

Abstract

This memo serves as the glossary for terms used in the GGF Authorization Frameworks and Mechanisms Working Group. Terms and definitions reference similar uses in the Internet Engineering Task Force (IETF) documents wherever possible to facilitate cross comparisons.

Copyright Notice

Copyright © Global Grid Forum (2003). All Rights Reserved.

Contents

Abstract
1. Introduction
2. Glossary
3. Security Considerations
Author Information
Full Copyright Statement
References

1. Introduction

This document is a glossary of terms to be used in the AuthZ Working Group as a baseline for documents it creates.

This document uses the terms 'MUST', 'SHOULD' and 'MAY', and their negatives, in the way described in RFC 2119 [1].

2. Glossary

AAA -- Authentication, Authorization, and Accounting

Anonymous --

Authentication -- The process by which one party proves to an independent party its right to assert a given Identity.

Authentication Token -- something which the possessor can present to another party as evidence that the possessor successfully authenticated to the authority.

Authentication Method -- the protocol used to accomplish authentication (does this include authentication of the authentication tokens ?)

Authorization -- the process by which the receiver of a request determines whether the request should be permitted.
Authorization Token -- something which the possessor can present to another party as evidence that the possessor has been given some authority by the authority.

Authorization Method -- the protocol used to accomplish authorization (does this include authentication of the authentication tokens ?)

Attribute Certificate -- structure containing authorization attributes which is digitally signed using public key cryptography. [2]

Contract Relationship -- a relation established between two or more business entities where terms and conditions determine the exchange of goods or services. [2]

Distributed Service -- a service that is provided by more than one Service Provider acting in concert. [2]

Dynamic Trust Relationship -- a secure relationship which is dynamically created between two entities who may never have had any prior relationship. This relationship can be created if the involved entities have a mutually trusted third party. Example: A merchant trusts a cardholder at the time of a payment transaction because they both are known by a credit card organization. [2]

Identity -- A defined name assigned by an Identity Authority guaranteed to be unique within the Authority's namespace. It may refer to one particular person, process, service, or machine.

Identity Authority -- the authoritative source of Identities within a defined namespace. (Overlaps in identity namespaces are resolved how ?)

Policy Decision Point (PDP) -- The point where policy decisions are made. [2]

Policy Enforcement Point (PEP) -- The point where the policy decisions are actually enforced. [2]

Pseudonymous --

Relying Party -- the party in an exchange which relies on information expressed in authentication or authorization tokens.

Resource Manager -- the component of an AAA Server which tracks the state of sessions associated with the AAA Server or its associated Service Equipment and provides an anchor point from which a session can be controlled, monitored, and coordinated.
[2]

Resource Owner -- the entity which has legal ownership (or acts on behalf of the legal owner) of the resource.

Resource Site -- the organization that hosts a resource, often, but not necessarily, acting as agent to the resource owner and employing the resource manager.

Roaming -- An authorization transaction in which the Service Provider and the User Home Organization are two different organizations. (Note that the dialin application is one for which roaming has been actively considered, but this definition encompasses other applications as well.) [2]

Security Association -- a collection of security contexts, between a pair of nodes, which may be applied to protocol messages exchanged between them. Each context indicates an authentication algorithm and mode, a secret (a shared key, or appropriate public/private key pair), and a style of replay protection in use. [2,3]

Service Equipment -- the equipment which provides a service. [2]

Service Provider -- an organization which provides a service. [2]

Static Trust Relationship -- a pre-established secure relationship between two entities created by a trusted party. This relationship facilitates the exchange of AAA messages with a certain level of security and traceability. Example: A network operator (trusted party) who has access to the wiring closet creates a connection between a user's wall outlet and a particular network port. The user is thereafter trusted -- to a certain level -- to be connected to this particular network port. [2]

User -- the entity seeking authorization to use a resource or a service. [2]

User Home Organization (UHO) -- An organization with whom the User has a contractual relationship which can authenticate the User and may be able to authorize access to resources or services. [2]

7. Security Considerations

There are no additional security considerations addressed in this document.
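To show how several of the glossary terms fit together (Attribute Certificate, Authorization Token, Relying Party, PDP and PEP), here is an added Go example that is not part of the GGF document. The certificate layout, policy format, key pair and resource names are constructed for illustration; the point is that the decision (PDP) and enforcement (PEP) are separate steps, and that the PDP denies whenever the token's signature does not verify under the trusted authority's key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// AttributeCertificate: authorization attributes about an Identity (constructed model, not a standard encoding).
type AttributeCertificate struct {
	Subject    string            `json:"subject"` // Identity in the Identity Authority's namespace
	Attributes map[string]string `json:"attributes"`
}

type SignedAC struct{ Payload, Sig []byte } // the Authorization Token the User presents to the Relying Party

// Issue: the issuing authority signs the attributes it asserts about the subject.
func Issue(priv ed25519.PrivateKey, ac AttributeCertificate) SignedAC {
	payload, _ := json.Marshal(ac) // cannot fail for this struct
	return SignedAC{Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

type Policy map[string]string // resource name -> required role (hypothetical rule set)

// Decide is the Policy Decision Point: as Relying Party it verifies the token against the
// trusted authority's key, then evaluates policy. Bad signature, bad token or unknown resource: deny.
func Decide(authority ed25519.PublicKey, pol Policy, tok SignedAC, resource string) bool {
	if !ed25519.Verify(authority, tok.Payload, tok.Sig) {
		return false // forged, tampered, or signed by an untrusted authority
	}
	var ac AttributeCertificate
	if err := json.Unmarshal(tok.Payload, &ac); err != nil {
		return false
	}
	need, known := pol[resource]
	return known && ac.Attributes["role"] == need
}

// Enforce is the Policy Enforcement Point: the only place the resource is gated.
func Enforce(decision bool, resource string) string {
	return map[bool]string{true: "granted: ", false: "denied: "}[decision] + resource
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the authority's key pair (constructed)
	tok := Issue(priv, AttributeCertificate{Subject: "/O=Grid/CN=alice", Attributes: map[string]string{"role": "analyst"}})
	fmt.Println(Enforce(Decide(pub, Policy{"/storage/analysis": "analyst"}, tok, "/storage/analysis"), "/storage/analysis"))
}
```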
Author Information

Dane Skow
Fermi National Accelerator Laboratory
Batavia, IL 60510
Phone: +1 630-840-4730
Fax: +1 630-840-6345
EMail: dane.skow@fnal.gov

Editor: Dane D. Skow [dane@fnal.gov]

Intellectual Property Statement

The GGF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the GGF Secretariat.

The GGF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this recommendation. Please address the information to the GGF Executive Director.

Full Copyright Notice

Copyright (C) Global Grid Forum (date). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the GGF or other organizations, except as needed for the purpose of developing Grid Recommendations in which case the procedures for copyrights defined in the GGF Document process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the GGF or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE GLOBAL GRID FORUM DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

References

[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[2] Vollbrecht, J., et al., "AAA Authorization Framework", RFC 2904, August 2000.
[3] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.
Last modified 6/24/03 1:01 PM by mlorch