[security-dev] Entitlement versus Enforcement Model
Anil.Saldhana at redhat.com
Thu Nov 8 16:27:20 EST 2012
On 11/07/2012 05:37 PM, Bill Burke wrote:
> On 11/7/2012 4:34 PM, Anil Saldhana wrote:
>> On 11/07/2012 03:26 PM, Bill Burke wrote:
>>> On 11/7/2012 4:09 PM, Anil Saldhana wrote:
>>>> On 11/07/2012 03:05 PM, Bill Burke wrote:
>>>>> I committed some preliminary work a few months ago to prototype
>>>>> Openstack's Keystone service and protocol. I want to ditch this work
>>>>> though in favor of developing my own protocol as it seems Keystone is
>>>>> very much in flux and they aren't sure of their own direction. It as a
>>>>> good exercise though as I learned how AS7 and login-modules can fit
>>>>> together and how you can dynamically set roles/identity *per-request*.
>>>>> I also wrote a little utility that allows you to delegate authentication
>>>>> to your security domain. (login-module-authenticator)
>>>>> I just started on my new (well really long time brewing) ideas this week
>>>>> as Resteasy 3.0 beta 1 is now out. I plan on using JSON Web Token and
>>>>> JSON Web Signatures. After evaluating these specs, they look very tight
>>>>> and simple enough to build upon.
>>>> Bill, last time I mentioned JWT and JWE, you chewed me. Yeah, pretty
>>>> lightweight stuff and applicable to REST style services.
>>>> It is possible that JWT lacks the richness that may be desired in a
>>>> token, for certain usecases. I have not come across those use cases yet
>>>> apart from serving SAML users over a REST style interface with JSON binding.
>>> Yup, I was wrong about JWS and JWE. When I chewed you, i was thinking
>>> more about HTTP message bodies, and not thinking about URLs and header
>>> strings. Keystone uses application/pks7-signature, which is a
>>> JWS/JWE already has code here.
>> Bill, dont write any JWS/JWE implementation because this Duetsche
>> Telecom researcher has done implementation of the latest drafts of these
>> specs. https://code.google.com/p/jsoncrypto/
>> The challenge I have with this project is that the code is not indented
>> properly and not readable. Build is not mavenized. It is BSD licensed. I
>> was supposed to help him with the project code organization, maven etc.
>> I only implemented the bare minimum JWE/JWS algorithms we require with
>> the intent of integrating jsoncrypto.
> There's this too:
Bill, the positive about jsoncrypto is all the advanced JWS/JWE
algorithms are implemented as per draft. This Nimbus and my
implementation just does the common/minimum ones.
More information about the security-dev