[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
RE: [higgins-dev] Updating Password with IdAS
|
Jim, Drummond,
Thanks for your thoughts on this. I
believe you get the gist of what I am trying to say. (I do so much better
with a whiteboard and markers :-). I do like current direction.
Jim wrote:
>"First, we have to tell ourselves
that one cannot update the credentials of an authn identity which is not
a subject in a context, and that's ok -- consumers will have to deal with
it."
I guess I would word this as, the application
needs to use the CP of the authn identity to update the materials of that
identity.
It does not follow (at least for me)
that because the CP wants to authentication of subjects outside of its
context that is should be responsible and capable of managing those credentials.
For example, I may have a database implementation of a CP and allows
Kerberos authentication. The identity for the authentication may reside
in a directory used by the Kerberos Master Authentication Server. The database
CP should not manage the credentials for the Kerberos directory. The
application should use the CP of the Kerberos directory to update Kerberos
credentials. In addition, some repositories may contains workflow processes
and protocols that would make it difficult for a CP of another type to
manage the authn materials of subjects in another CP.
Jim also wrote:
>"Next, we should decide whether
we need a special operation like IDigitalSubject.updateCredentials, or
simply hijack the existing update operations."
I vote for hijacking update. I
elaborated more below.
Drummond wrote:
> ". . . the
authentication identity is always represented as a subject in the context.
. . . So it still follows the rule that
the subject must be represented in the context."
Authentication of credentials and the
management of those credentials are two different things with different
requirements for input and output. It is important that the authentication
("open") be able to allow identities from other contexts. Kerberos,
Idemix, OpenID and trusted federations, are good examples of identities
that may not be subjects in the specific CP, but the CP may allow certain
permissions to these authenticated identities, or be able to map these
identities to subjects within the CP.
JAAS is a good model for the "open",
because the Login Module plugability removes the dependancy for the identity
to be a subject in the CP. As long as the JAAS stack can produce a JAAS
Subject that can be consumed by the CP, it does not matter to the CP how
the authentication is done, or where the requesting identity originated.
A deployment of a CP could allow the customer to plug-in their own login
modules using authentication protocols and identity types that are unknown
to the CP at the time of implementation. Every CP should provide
a default Login Module that uses the authn materials of its own subjects
for authentication. We may be able to write this module once for all CPs
that support authn credentials on their digital subjects.
Back to the management API:
As for management of the authn materials.
Each CP needs to allow the management of authn materials associated
to the digital subjects contained in the CP (assuming the CP supports authn
materials as attributes on its subjects). I agree that it would be best
to use the existing APIs to manage the authentication materials. Authentication
materials could be identified by attribute type, where differences in behavior
can be defined by type. For example, an attribute type of authnMaterialsPassword
is write only (returns a null value on read, or the results are unpredictable).
A value compare of a authnMaterialsPassword type will compare the
hash value of the input string with the attribute value. etc. If there
are other requirements, like old password, then this would be passed in
as "control" meta data.
If the Authn materials are treated as
attributes on the subject, then they can have the meta data required for
the lifecycle management (last changed, expiration date, policy, etc.)
In my mind, it simplifies things to
separate out authentication as a JAAS like implementation that can be developed
separately from the CP. The CP does what a CP does, manages attributes
and subjects. The default login module for "open" can be
implemented using existing IdAS apis.
Thanks for your consideration,
David
David Kuehr-McLaren
Tivoli Security
919.224.1960
"Drummond Reed"
<drummond.reed@xxxxxxxxxxxx>
Sent by: higgins-dev-bounces@xxxxxxxxxxx
07/12/2007 09:44 PM
Please respond to
"Higgins \(Trust Framework\) Project developer discussions"
<higgins-dev@xxxxxxxxxxx> |
|
To
| "'Higgins (Trust Framework) Project
developer discussions'" <higgins-dev@xxxxxxxxxxx>
|
cc
|
|
Subject
| RE: [higgins-dev] Updating Password
with IdAS |
|
Jim,
I love it when someone answers
their own question to help lead the discussion forward ;-)
FWIW, I think you are leading
in the right direction. The world is much simpler if, as you put it, the
authentication identity is always represented as a subject in the context.
This seems like a reasonable constraint, similar to saying you have to
register at a site in order to authenticate at a site. A contrarian might
point to the OpenID “new user” use case where you can show up at a site
at which you’ve never registered and login with your OpenID, but in fact
behind the scenes that site is performing a “provisional authentication”
followed by (if the authentication is successful) a new user registration
(with a recording of the OpenID identifier as the “credential”). So it
still follows the rule that the subject must be represented in the context.
=Drummond
From: higgins-dev-bounces@xxxxxxxxxxx
[mailto:higgins-dev-bounces@xxxxxxxxxxx] On Behalf Of Jim Sermersheim
Sent: Thursday, July 12, 2007 4:40 PM
To: 'Higgins (Trust Framework) Project developer discussions'
Subject: RE: [higgins-dev] Updating Password with IdAS
I may as well move in the direction I think
this will go and start exploring more questions.
Assuming no one else feels compelled to
have this operation at the IContext layer, and instead have it at IDigitalSubject,
let's try to minimize the issues below.
First, we have to tell ourselves that one
cannot update the credentials of an authn identity which is not a subject
in a context, and that's ok -- consumers will have to deal with it.
Next, we should decide whether we need a
special operation like IDigitalSubject.updateCredentials, or simply hijack
the existing update operations.
Using existing operations means keeping
the API set minimal. Introducing an updateCredentails operation allows
us to do things like specify old credentials, and pass instructions regarding
the generation of credentials.
Another useful aspect of introducing updateCredentials
is that it allows us to still maintain some symmetry with open. Where
do we need this? Today we need it when updating the cardKeyHash credential.
The manager of cardKeyHash should present the values as a triplet
as they do when calling open with an AuthNSelfIssuedMaterials. The
manager cannot pass the cardKeyHash value -- especially if its passed as
an "oldCredential" assertion.
This alleviates the third problem below,
and I suppose we could agree that the first two problems are acceptable.
Jim
>>> "Jim Sermersheim" <jimse@xxxxxxxxxx> 7/12/07
4:46 PM >>>
In essence, you seem to be arguing against
what was suggested in http://dev.eclipse.org/mhonarc/lists/higgins-dev/msg02775.html.
The request is that there be a way to update
any kind of authentication materials (not just passwords).
It felt natural to me to draw symmetry between
the validation of authentication materials (which is what we do with IContext.open),
and the management of authentication materials.
You argue that when the authentication identity
is not represented as a subject in the context, then management of that
identity's credentials should not be done using IdAS. And that when
the authentication identity is represented as a subject, then the management
of that identity is done by operating on the IDigitalSubject.
My worry is that this creates two problems
for the IdAS consumer. First, they now have to figure out whether
or not the authentication identity to be managed exists as a subject in
the context. Second, they have to know how to use one or more non-IdAS
management APIs to deal with cases where the identity falls outside the
context.
The IdAS consumer doesn't have to call different
APIs to authenticate depending on the nature/location of the authn identity.
Do we really want them to have to know and code to different APIs for management?
There's one other issue for the consumer.
Even when the authn identity exists as a subject in the schema, nothing
says that the data held in the authentication materials passed to open
looks or feels anything like the data held on the corresponding digital
subject. Unless we mandate to CPs that there is a 1:1 relationship
between the authn data passed to open and that held in the subject's attributes,
the consumer may need to know how to map between the two.
If there is truly no use case where the
authentication identity is not also represented as a subject in the context,
then let's change open to take a subject ID and credentials. I think
people believe there are use cases though. I think there are kerberos and
saml assertion based use cases where this may be true. In essence,
someone may be able to call IContext.open() where the authentication materials
constitute a trusted assertion, or something that can be proven and trusted
without there being any subject in the context being represented as the
entity being authenticated.
You may be right, it may be best to manage
credentials by performing operations on a digital subject. And the
problems listed above may not actually be of any consequence if we do it
that way.
What do others think?
Jim
>>> David Kuehr-McLaren <dkuehrmc@xxxxxxxxxx> 7/12/07 9:55
AM >>>
Jim,
Thanks for the response. Some further comments and responses to your
questions.
... snip...
>>-- Are the CPs required to provide generated IAuthNAttributesMaterials
when newMaterials is null and oldMaterials is specified? Not all
registries have that capability to generate credentials. What exception
should the CP throw if it can not generate materials? NotImplementedException
does not seem to fit quite right.
>I agree, an exception should be expected when the Context Provider
or the Context's policy prevents this. Should we add a generic OperationNotPermittedException
or something more specific like UnableToGenerateAuthNMaterialsException?
Because the sematics of null newMaterials and oldMaterials has the meaning
of "generate materials", then a more generic exception would
be fine, because the application should know the meaning. I am hung up
on the word "Permitted". It makes me think authorization. I would
suggest OperationNotImplemented
>>-- How can I set the metadata of the attribute that will ultimately
hold the IAuthNAttributesMaterials for the specific IDigitalSubject? When
I reset a password, I may want to pre-expire a password, so that it must
be changed on first use.
>There's no requirement that the authentication identity be a digital
subject in the context.
I agree with this statement for "open". A context can accept
a connection by an identity that is defined outside of the context. But
I have difficiculty understanding this for "update". What
other object in the Context can be updated with the new materials if not
a Digital Subject? Can the Context have an internal set of identities
that are not represented as DigitalSubjects? Can you give me an example
of this?
>Further, there's no requirement that any/all of the other authentication
materials (including a password) be represented by an attribute (even when
the authentication identity is a digital subject in the context). I
think that if there are capabilities like you mention above (pre-expire
a password), then the authentication materials object needs to be specified
in such a way as to allow that data to be conveyed.
How would authentication materials be persisted and retrieved? In
order to query metadata about the authn material (last changed, expiration,
policy), management apps would need to be able to get oldMaterials from
a DigitalSubject from attributes with the type of IAuthNAttributesMaterials.
Also, there would need to be a way to call updateAuthNMaterials
so that the metadata can be updated, without updating or nulling out the
actual authn materials.
>>-- How does the application get the password strength policy before
attempting to call updateAuthNMaterials or after a call to updateAuthNMaterials
fails? Have you considered a defined exception for a failure to
update due to a policy violation?
>We don't yet have any kind of capabilities or policy discovery methods
that would allow this. I agree we need those kinds of methods, and
can add them separately from this one. In terms of the exception,
I agree something would be useful but I'm not sure how general (PolicyException)
or specific (PasswordStrengthException) to go.
I always envisioned the password strength policy as metadata that could
be queried from the password attribute of a DigitalSubject. The policy
for each DigitalSubject and each password attribute could be different.
>>-- I am OK updateAuthNMaterials at the level of the IContext, but
apps will still need to be able to query the value and metadata of AuthNMaterials
attributes at the IDigitalSubject level.
>This would only be possible when the authn identity is also a digital
subject. If that is the case, then the application would need to
know what those attributes are.
This splits the interface for updating across IContext and IDigitalSubject,
where the materials are updated at the IContext level, and the metadata
about the materials is accesses on the IDigitalSubject.
>>Apps need to be able to query meta-data (e.g. expiration date,
last changed date, password history, password policy, etc.). If supported
by the repository, the ability to read the hashed or encrypted value is
also useful for migrating or exporting digital subjects to other registries,
while preserving the authn materials.
>Would you want to be able to do this regardless of whether or not the
authentication identity is represented as a digital subject?
I am having a hard time understanding the use case where the identity is
not represented as a DigitalSubject in some Context and can have a managed
set of authn materials. I think my answer is yes, but I do not understand
the non-DS use case where authn materials can be updated.
>>-- This comment is nit: Using the convention of specifying a value
for oldMaterials and null newMaterials to cause IAuthNAttributesMaterials
to be generated seems a little awkward to me, because there are no old
materials in use.
> I guess I'm assuming that authentication
materials may (even typically) consist of two kinds of data: non-secret
data which is used more to specify the authentication identity, and secret
data which is used to verify that identity. In cases where this is
true (such as authentication materials which consist of username and password),
the oldMaterials may be partially populated (with the identity data --
like username) when the caller doesn't need to specify the secret data
for whatever reason.
>>New materials may need to be passed in as part of the oldMaterials
object, in order for the CP to be able to generate the new IAuthNAttributesMaterials.
The example I can think of is passing in a certificate request as oldMaterials
to cause the CP to generate, store, and return a certificate. This
maybe an invalid use case.
>Hmm, I can see there being a case like that (caller needs to provide
a little bit of data -- like a seed -- such that the generated materials
may be produced). Well, do we want to provide for that now, or push
that off until we refactor IContet.open (as well as this method)?
This still works using oldMaterials, if the oldMaterials object can contain
new data. Like I said, a nit about semantics.
However, this brings up the assumption that the interface for authenticating
to a Context should be the same or similar to the interface for managing
the authn materials. They are not related and have different requirements.
A JAAS like interface for open makes perfect sense. However, JAAS
Subject does not contain the capabilities for managing the life cycle of
authn materials used for credentials. I think you actually need
other APIs, like verifyAuthNMaterials in order to support creating a JAAS
subject.
>From a management perspective, my assumption is that IdAS Digital Subject
is the interface I would use to manage the authn materials (passwords,
keys, certificates, tokens. etc.) for a user, application, or device. If
the authentication identity is managed outside of IdAS, then I would be
using some other API to managed the authn materials.
Thanks for your consideration here,
David_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev