Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Definition of Identity and Authenticated Identity #45

Open
fandreas opened this issue Oct 15, 2024 · 2 comments
Open

Definition of Identity and Authenticated Identity #45

fandreas opened this issue Oct 15, 2024 · 2 comments

Comments

@fandreas
Copy link

After authentication of the peer, a workload can perform authorization by verifying that the authenticated identity has the appropriate permissions to access the requested resources and perform required actions. This process involves evaluating the security context described previously. The workload validates security context, checks validity of permissions against its security policies to ensure that only authorized actions are allowed.

The term "Authenticated Identity" suggests that all identity-related information can be authenticated. However the definition of identity earlier in the document includes various attributes that cannot necessarily be authenticated. There is a pull request that changes the Identity section significantly, however it doesn't clearly define the term "Identity" either. Further work is needed to ensure crips defintions.

@jsalowey
Copy link
Collaborator

I think the challenge here is going to be to define identity here just enough to make the appropriate points. I think for the purposes of this section, the authorization calculation is based on the following:

  1. The value of the peer workload's authenticated identifier and other information that may be present in the WIT or certificate
  2. Authorization context information based on the current transaction. An example may be a context token issued by a token service
  3. Other information that is bound to the peer's workload identifier or authorization context through mechanisms that are currently outside the scope of this document.

@fandreas
Copy link
Author

I agree that the "identity" term and a concise definition of it is a challenge (not least based on the earlier thread on this: https://mailarchive.ietf.org/arch/msg/wimse/lkBh5AS63J8gXxtgHqo5X4RxN6A/)

Is the suggestion to remove that term from the document (throughout) and just talk about authenticated identifiers and authorization instead ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants