Enterprise Architecture: From Incite comes Insight...

James McGovern is an industry thought leader whose focus is on the human aspects of technology around open source, SOA, software security, enterprise architecture and agile software development. The opinions expressed herein may or may not represent my own personal opinions and definitively do not represent my employer's view in any way...

Friday, March 07, 2008

PKI and SAML - Friend or Foes

Patrick Harding comments that wide-spread use of user certificates never materialized and how SAML is a better model... I figured I would analyze his posting to see if alternative perspectives can emerge...

"As such we at Ping have struggled to justify the value of SAML in these entrenched PKI communities that already rely on user digital certificates for authentication and cross-domain web SSO."

Maybe the issue is that Ping is attempting to do this as part of a sales process and is attempting to bite off more than it can chew. Consider that the pharmaceutical industry uses digital certificates extensively and the decision was made by a consortium of large entities such as Pfizer, Merck and others. Of course a company such as Ping would love to think of the sales opportunity of selling to this demographic, but reality states that the sales model may actually be the problem.

"Their issue is that digital certificates are not well suited for conveying directory based attribute information, such as user role and group designations, that is used for making authorization decisions."

Have you considered that the problem might not be in discussing the limitations of digital certificates and instead may require a discussion around the limitations of enterprise applications? Do you think it is possible that Pfizer could allow Merck to access their Documentum infrastructure by expressing runtime authorization via a standard protocol? The answer is no, as many software vendors that are part of the ecosystem have busted authorization models. It becomes difficult to assert something at runtime if software is written with the notion of provisioning upfront. For example, in Documentum, I only have two choices: I can either have a proxy user, or I have to register each and every user in advance. There is no way to dynamically assert identity without provisioning/synchronization. For federation to work in this scenario, you don't need to sell the enterprises; you need to help other software vendors understand the importance of changing their code.

"While they will continue to authenticate users and systems with certificates, they plan to leverage SAML Assertions to communicate user attributes between applications in different domains. These attributes will be used to make authorization decisions."

Maybe the problem is that you are attempting to constrain the conversation to something that may not work or be sub-optimal for the vertical you are speaking with. Yes, one can use attributes to make authorization decisions, but there are many scenarios where SAML carrying XACML makes much more sense. Not all authorization decisions fit into name/value pairs, nor is it sane to attempt to shove them in.

# posted by James McGovern @ 7:30 AM
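To make the attributes-versus-XACML distinction concrete, here is an added example (not from the post, and not Ping Identity's or Documentum's code): a constructed SAML 2.0 assertion whose AttributeStatement carries role and study attributes, a decision function that uses those name/value pairs alone, and a small XACML-style policy decision point whose rules relate subject attributes to resource attributes. The issuer, subject, attribute names, resource fields and rules are all hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with a hypothetical issuer and subject. The XML
# signature is omitted; a relying party must verify it, the Issuer and the
# Conditions (audience, validity window) before trusting any of these attributes.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2008-03-07T12:30:00Z">
  <saml:Issuer>https://idp.pharma-a.example</saml:Issuer>
  <saml:Subject><saml:NameID>alice@pharma-a.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>reviewer</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="study"><saml:AttributeValue>trial-42</saml:AttributeValue>
      <saml:AttributeValue>trial-77</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def subject_attributes(assertion_xml):
    """Flatten the AttributeStatement into {name: [values]}, plus the NameID."""
    root = ET.fromstring(assertion_xml)
    attrs = {"subject": [root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)]}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.iterfind("saml:AttributeValue", NS)]
    return attrs

def role_based_decision(attrs, action):
    """Name/value model: the decision is a function of the subject's attributes alone."""
    return action == "read" and "reviewer" in attrs.get("role", [])

# XACML-style policy: each rule is (effect, condition over subject, resource, action).
# The conditions relate subject attributes to resource attributes (study membership,
# document status, ownership), which a flat attribute list cannot express by itself.
POLICY = [
    ("Deny",   lambda s, r, a: a == "approve" and r["owner"] == s["subject"][0]),  # no self-approval
    ("Permit", lambda s, r, a: a == "read" and r["study"] in s.get("study", [])),
    ("Permit", lambda s, r, a: a == "approve" and "reviewer" in s.get("role", [])
                               and r["study"] in s.get("study", []) and r["status"] == "draft"),
]

def pdp_decision(attrs, resource, action, policy=POLICY):
    """Deny-overrides combining: any matching Deny wins, else a matching Permit, else Deny."""
    effects = [effect for effect, cond in policy if cond(attrs, resource, action)]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "Deny"
```

In the attribute model the application has to hard-code rules such as the self-approval check; in the XACML model those rules live in the policy and the application consumes only the decision.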