Authorization services

Of the current components of core middleware, the least developed and most amorphous is authorization services. It is definitely a service rather than a server; authorization functionality will be provided coherently through a set of delivery means, including authentication, directory servers and certificates.

Examples are legion, which is what makes this area so important. Authorization will be the basis of workflow. It will drive permissions for accessing networked resources, allow us to control and delegate electronic responsibilities, and serve as the basis for future administrative applications. It will allow us to convert our complex legal policies into automated systems in an easily scalable fashion.

At its simplest, authorization is the next generation of "ACLs" - the read/write/execute controls that are embedded in file systems. Typically, authorization indicates what an identifier, properly authenticated, is permitted to do with a networked object or resource.

There are many challenges associated with authorization, including the following:

There are several places to store authorization characteristics. Most typically, they can be kept in directories, either specific to a system or as part of a campus-wide infrastructure. Alternatively, they can be stored within a file system, as separate data systems, or on an external device (such as a smartcard).

Transporting the characteristics to the application can be done in several ways as well. Applications can be periodically updated from a standalone authorization server or request authorization dynamically from the server via an RPC. Alternatively, the user can present authorizations to the application as part of the authentication process. For example, the authorizations can be carried within the Kerberos ticket or as part of a certificate.

In order to assist consistent assignment of values within authorizations, a number of technological tools are useful. For example, default settings and inherited values help reduce the discretion of the authorizer. Similarly, providing facile ways of delegating permissions to authorize is an important feature.
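The three preceding points (storing authorization characteristics, transporting them to the application, and keeping their assignment consistent through defaults, inheritance and delegation) can be illustrated with a small model. The following Python is an added example, not code from the original document or from any middleware project; the directory entries, group defaults, principal names and the signing key are constructed sample data. Group membership supplies inherited default permissions, explicit grants and denies adjust them, a delegation is honoured only while the delegator still holds both the permission and a "delegate" meta-right, and the effective permissions are packaged into an HMAC-tagged assertion so that an application can verify the authorizations it receives alongside the authenticated identity rather than trusting a bare claim.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a campus directory: group-level defaults that
# members inherit, plus per-principal grants and denies (deny wins).
GROUP_DEFAULTS = {
    "faculty": {"courses:read", "grades:write", "delegate"},
    "students": {"courses:read"},
}
DIRECTORY = {
    "alice": {"groups": ["faculty"], "grants": set(), "denies": set()},
    "bob": {"groups": ["students"], "grants": set(), "denies": set()},
    "carol": {"groups": ["students"], "grants": {"labs:write"}, "denies": {"courses:read"}},
}
# Delegation records (delegator, delegatee, permission), appended by delegate().
DELEGATIONS = []
# Constructed demo key shared by the issuing service and the application.
ASSERTION_KEY = b"constructed-demo-key-not-for-production"


def effective_permissions(principal, _seen=None):
    """Inherited group defaults + explicit grants + currently valid delegations,
    minus explicit denies. _seen guards against delegation cycles."""
    _seen = _seen or set()
    if principal in _seen or principal not in DIRECTORY:
        return set()
    _seen = _seen | {principal}
    entry = DIRECTORY[principal]
    perms = set()
    for group in entry["groups"]:
        perms |= GROUP_DEFAULTS.get(group, set())
    perms |= entry["grants"]
    for delegator, delegatee, perm in DELEGATIONS:
        # A delegation is only as good as the delegator's own current rights.
        if delegatee == principal and perm in effective_permissions(delegator, _seen):
            perms.add(perm)
    return perms - entry["denies"]


def delegate(delegator, delegatee, permission):
    """Record a delegation only if the delegator holds the permission and the
    'delegate' meta-right; returns True when the record was stored."""
    held = effective_permissions(delegator)
    if permission in held and "delegate" in held and delegatee in DIRECTORY:
        DELEGATIONS.append((delegator, delegatee, permission))
        return True
    return False


def issue_assertion(principal):
    """Package effective permissions as a keyed, tamper-evident claim, the way
    authorizations can ride inside an authentication credential."""
    body = json.dumps(
        {"sub": principal, "perms": sorted(effective_permissions(principal))},
        sort_keys=True, separators=(",", ":"))
    tag = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_assertion(token):
    """Return the claim dict if the tag verifies, else None: the application
    trusts only authorizations whose integrity it has checked."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def is_authorized(token, permission):
    """Application-side check: verified assertion carrying the permission."""
    claim = verify_assertion(token)
    return claim is not None and permission in claim["perms"]


if __name__ == "__main__":
    print("alice:", sorted(effective_permissions("alice")))
    print("carol (denied inherited read):", sorted(effective_permissions("carol")))
    print("alice -> bob grades:write:", delegate("alice", "bob", "grades:write"))
    print("bob -> carol grades:write:", delegate("bob", "carol", "grades:write"))
    token = issue_assertion("bob")
    print("bob may write grades:", is_authorized(token, "grades:write"))
```

The explicit deny on carol shows an inherited default being overridden, and the failed delegation from bob shows the meta-right limiting who may authorize others; revoking the permission from alice also silently withdraws what she delegated, because the delegation is re-evaluated against her current rights each time.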

The need to translate complex policies into automated combinations of more basic attributes has led to research into policy models and policy description languages. These tools are receiving some attention within the IETF, as they have significance for network layer controls as well.

This discussion will be expanded periodically as developments happen.