Friday, March 07, 2008

 

PKI and SAML - Friend or Foes

Patrick Harding comments that wide-spread use of user certificates never materialized and how SAML is a better model...



I figured I would analyze his posting to see if alternative perspectives can emerge...

Maybe the issue is that Ping is attempting to do this as part of a sales process and is attempting to bite off more than it can chew. Consider that the pharmaceutical industry uses digital certificates extensively and the decision was made by a consortium of large entitities such as Pfizer, Merck and others. Of course a company such as Ping would love to think of the sales opportunity of selling to this demographic but reality states that the sales model may actually be the problem.

Have you considered that the problem might not be in discussing the limitations of digital certificates and instead may require a discussion around the limitations of enterprise applications? Do you think it is possible that Pfizer could allow Merck to access their Documentum infrastructure by expressing runtime authorization via a standard protocol? The answer is no as many software vendors that are part of the ecosystem have busted authorization models.

It becomes difficult to assert something at runtime if software is written with the notion of provisioning upfront. For example, in Documentum, I only have two choices. I can either have a proxy user or I have to register each and every user in advance. There is no way to dynamically assert identity without provisioning/syncronization. For federation to work in this scenario, you don't need to sell the enterprises, you need to help other software vendors understand the importance of changing their code.

Maybe the problem is that you are attempting to constrain the conversation to something that may not work or be sub-optimal for the vertical you are speaking with. Yes, one can use attributes to make authorization decisions, but there are many scenarios where SAML carrying XACML makes much more sense. Not all authorization decisions fit into name/value pairs nor is it sane to attempt to shove it in.




Links to this post:

Create a Link



<< Home
| | View blog reactions


This page is powered by Blogger. Isn't yours?