robla at robla.net
Sun Jun 19 01:42:18 PDT 2005
On Sun, 2005-06-19 at 08:14 +0100, Paul Crowley wrote:
> Rob Lanphier wrote:
> > 1. The primary focus of Spectaclar is on authorization, not
> > authentication. My understanding is that OpenID is focused on
> > authentication now and for the foreseeable future.
> This is true. However, SAML (of which the Liberty Alliance stuff is a
> part) is about authorization, contrary to your Spectaclar opening page.
> At the moment, SAML seems to me too complex to live so it doesn't
> bother me too much if an open-source project duplicates their work, but
> it might be worth a look.
Thanks for looking through the material. I suppose that since you
aren't a big fan of SAML, it's a moot point to go into SAML too much,
other than to use this as an opportunity to clarify what I'm hoping to
solve with Spectaclar. It doesn't appear as though there's much value
in using SAML's authorization model if you don't use their
authentication, among other things. I should probably just take the
Liberty Alliance reference out ;-)
While there's some value in distributed authorization with 100%
implementation-independent protocols, it's not the focus. It's really
the management and calculation of permissions. It's the combination of
authorization APIs and access control management, assuming the identity
is already established and authenticated.
Here are some possible outcomes, all of which would be considered
successes in my book:
* A standardized database schema, accessed through de facto standard
database access protocol (e.g. MySQL protocol or PostgreSQL protocol)
* A different approach (probably better) would be a set of client
libraries in various languages (PHP, Perl, Python, etc) for accessing a
* A standard plugin API which can be used to plug in authorization
systems (e.g. a whole bunch of apps agree to implement their permissions
checks as "isAllowed(user, permission, parameter string);", so that an
authorization system can be dropped in that implements that)
It may be that we say "heck, the phpGACLs folks have nailed it", and
then I wrap up my Spectaclar work. It's actually the closest I've seen
to solving the problem as I've conceived it. Despite the name, there is
a Perl connector available to connect into the system (though the bulk
of the system is implemented in PHP).
The downside is that, for example, it'd be a tough sell to convince the
Mailman team (who use Python) to base their stuff on phpGACLs as the
default management system. I do hope to work with the Mailman team to
come up with something that is at least mindspace compatible with other
projects, so that a developer tying together Mailman, Bugzilla, and
MediaWiki with single sign-in has an easier time tying it all to a
single management console to bless someone as an admin, or shut off
access to everything at once.
> You should also look at the work done on
> SPKI, which treats all authorization as delegation.
I'll take a look. Thanks!
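The "isAllowed(user, permission, parameter string)" plugin idea above, as an added example that is not part of the original thread or of Spectaclar: a Python sketch of the plugin contract, one hypothetical drop-in backend (deny by default, group grants, a single disable switch), and a constructed policy that three apps share through namespaced permission names. All app names, permission strings and helper names are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Protocol


class AuthorizationBackend(Protocol):
    """The plugin contract: every app phrases its checks as isAllowed(user, permission, parameter)."""

    def is_allowed(self, user: str, permission: str, parameter: str) -> bool: ...


@dataclass
class SimpleAclBackend:
    """Hypothetical drop-in backend: group membership plus explicit grants, deny by default."""

    members: dict[str, set[str]] = field(default_factory=dict)      # user -> groups
    grants: set[tuple[str, str, str]] = field(default_factory=set)  # (subject, permission, parameter)
    disabled: set[str] = field(default_factory=set)                 # users shut off everywhere at once

    def add_member(self, user: str, group: str) -> None:
        self.members.setdefault(user, set()).add(group)

    def grant(self, subject: str, permission: str, parameter: str = "*") -> None:
        # "*" means the grant applies to any parameter (any list, any bug, any wiki page)
        self.grants.add((subject, permission, parameter))

    def disable(self, user: str) -> None:
        self.disabled.add(user)

    def is_allowed(self, user: str, permission: str, parameter: str) -> bool:
        if user in self.disabled:  # the "shut off access to everything at once" switch
            return False
        subjects = {user, *self.members.get(user, set())}
        return any((s, permission, p) in self.grants
                   for s in subjects for p in (parameter, "*"))


def build_demo_backend() -> SimpleAclBackend:
    """Constructed sample policy shared by three apps via namespaced permission names."""
    acl = SimpleAclBackend()
    acl.add_member("alice", "site-admins")            # one console action blesses alice as admin
    acl.grant("site-admins", "mailman.admin")         # ...for every Mailman list
    acl.grant("site-admins", "bugzilla.editbugs")
    acl.grant("site-admins", "mediawiki.delete")
    acl.grant("bob", "mailman.moderate", "announce")  # bob may moderate only one list
    return acl


def check_all(acl: AuthorizationBackend, user: str) -> dict[str, bool]:
    """How each app's permission check looks when it defers to the shared backend."""
    return {
        "mailman": acl.is_allowed(user, "mailman.admin", "announce"),
        "bugzilla": acl.is_allowed(user, "bugzilla.editbugs", "12345"),
        "mediawiki": acl.is_allowed(user, "mediawiki.delete", "Main_Page"),
    }
```

Because every app calls the same backend, granting or revoking in one place changes the answer everywhere, which is the single-console effect described above.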