{"id":703,"date":"2007-03-04T17:50:33","date_gmt":"2007-03-05T01:50:33","guid":{"rendered":"\/?p=703"},"modified":"2007-03-04T18:05:48","modified_gmt":"2007-03-05T02:05:48","slug":"separating-the-identity-of-users-from-services","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=703","title":{"rendered":"Separating the identity of users from services"},"content":{"rendered":"<p>Geoff Arnold added a comment to <a href=\"\/?p=701\">an earlier piece<\/a> that helps tease out the issues around delegation:<\/p>\n<blockquote><p><em>In otherwords, there is no user-absent scenario. There is a user is present and delegates authority scenario. After all, how can a user delegate authority if she isn\u00e2\u20ac\u2122t present???<\/em><\/p>\n<p>That&#39;s fine as long as one of the rights that can be delegated is <strong>ability to delegate further<\/strong>. And I&#39;m guessing that that&#39;s what Eve is really talking about. Not delegating 100% of her rights to some agent, but delegating sufficient rights that the agent can act as a more-or-less first class entity, negotiating and delegating on&nbsp;her behalf.<\/p>\n<p>In fact the only (obvious) right that I should not be able to delegate is the right of revocation&#8230;.<\/p><\/blockquote>\n<p>OK.&nbsp; So delegation is recursive.&nbsp; If we accept the notion that services operate within their <strong>own identity<\/strong> when they do something a user has asked them to &#8211; then if they want to delegate further, they need to create a Delegation&nbsp;Token that:<\/p>\n<ul>\n<li>asserts&nbsp;they have the right to delegate in some particular regard; and&nbsp;<\/li>\n<li>defines exactly what they want to delegate further, and to whom.<\/li>\n<\/ul>\n<p>They need to present this&nbsp;along with&nbsp;the user&#39;s authorization.&nbsp; One ends up with the whole delegation chain &#8211; all of which&nbsp;is auditable.<\/p>\n<p>In this scenario, the user&#39;s identity remains under her control.&nbsp; That&#39;s one of the things we mean&nbsp;when we say,&nbsp;&#8220;user centric&#8221;.&nbsp; By issuing an authorization for some service to do something, she actually asserts her control over it.&nbsp;&nbsp;I think this would be true even if, given&nbsp;a suitable incentive,&nbsp;she delegated the right of revocation (there are limits here&#8230;)<\/p>\n<p><strong>Multiple tokens to capture these semantics<\/strong>&nbsp;<\/p>\n<p>CardSpace is built&nbsp;on top of&nbsp;WS-Trust, though it also supports&nbsp;simple HTTP posts.&nbsp;<\/p>\n<p>One of the main advantages&nbsp;of WS-Trust is that it allows <strong>multiple security tokens to be stapled together<\/strong> and exchanged for other tokens.&nbsp;&nbsp;<\/p>\n<p>This multi-token design&nbsp;perfectly supports strong identification of&nbsp;a service combined with presentation of&nbsp;a separate&nbsp;delegation token from the user.&nbsp;&nbsp;&nbsp; It&nbsp;is&nbsp;a lot cleaner for this scenario than the single-token designs such as SAML, proposed by Liberty, or the consequent &#8220;disappearing&#8221; of the user.<\/p>\n<p>I guess&nbsp;I find Eve&#39;s contention that, &#8220;By contrast, Liberty\u00e2\u20ac\u2122s ID-WSF was developed to support both the &#8216;human present&#8217; and &#8216;human absent&#8217; modes&#8221;&nbsp;a bit&nbsp;triumphalist&nbsp;and simplistic.&nbsp; &nbsp;<\/p>\n<p>Going forward I&#39;ll write more about why I think WS-Trust is a step forward for these delegation scenarios.&nbsp; And about why I think getting them right is so very important.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It&#39;s really key to see users as users, and services as services, with constrained delegation being used when services represent users.  That way everything is auditable, the user stays in control, and the service&#39;s liability is minimized.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,10,5,4],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/703"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=703"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/703\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=703"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=703"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}