The use of classical identity-based access control models, in which authorization decisions are based on the requestor's unique identifier, is not adequate for large-scale decentralized systems such as the World-Wide Web. Several aspects contribute to this inadequacy, namely:
- Access control policy – When an access request crosses security domains, the requestor's identifier in its own domain may have no meaning in the resource's domain.
- Privacy – The requestor might not want to reveal its unique identifier outside its own security domain.
A solution is to base the access control policy on “characteristics” of the requestor that make sense for the authorization decision. The Identity Metasystem extends the notion of identity to incorporate this, proposing the concept of a claims-based identity.
Unfortunately, there isn't a formal definition of “claim”. Instead, there are several more or less vague definitions:
- Identity Metasystem: “claims are pieces of information about the subject that the issuer asserts are valid”
- WS-Federation: “A claim is a declaration made by an entity (e.g. name, identity, key, group, privilege, capability, attribute, etc).”
- Understanding Windows CardSpace: A claim represents a fact about something or somebody. Better. A claim is a statement that a certain fact applies to something or somebody. As such, it is subject to verification. In other words, you can accept or reject the claim based on your beliefs, knowledge of the situation, and so on.
- Cambridge dictionaries online: “a statement that something is true or is a fact, although other people might not believe it”
- MSN Encarta: “something that may be true: an assertion that something is true, unsupported by evidence or proof”
One way to better understand the claims concept and its applications is to see how:
- Claims are communicated and attached to requests and messages, using security tokens.
- Claims are required by services and applications, using policies.
- Claims are used in authorization decisions.
This will be the subject of future posts.
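The three points above, modelled in an added Python example that is not part of this post (the issuer URL, resource path, claim types and values are constructed placeholders): a security token carries claims from one issuer, a policy states which claims a resource requires, and the authorization decision accepts only claims from issuers the resource's domain trusts, without ever looking at a requestor identifier.

```python
from dataclasses import dataclass

# Constructed toy model of claims-based authorization (hypothetical names;
# not WS-Federation, CardSpace or WCF code).

@dataclass(frozen=True)
class Claim:
    type: str    # what the statement is about, e.g. "affiliation"
    value: str   # the asserted value, e.g. "student"
    issuer: str  # the entity asserting that the statement is valid

@dataclass(frozen=True)
class SecurityToken:
    """Carries the claims of one issuer, attached to a request."""
    issuer: str
    claims: frozenset  # of Claim

# Issuers whose assertions the resource's domain decides to believe (placeholder).
TRUSTED_ISSUERS = {"https://idp.example-university.invalid"}

# Policy: the (type, value) claims each resource requires. No requestor
# identifier appears, so a foreign-domain identifier is never needed.
POLICY = {"/library/journals": {("affiliation", "student")}}

def verify_claims(token: SecurityToken, trusted: set) -> frozenset:
    """A claim is subject to verification: keep only claims whose issuer is
    trusted and actually matches the token that carried them."""
    if token.issuer not in trusted:
        return frozenset()
    return frozenset(c for c in token.claims if c.issuer == token.issuer)

def authorize(resource: str, tokens: list, policy=POLICY,
              trusted=TRUSTED_ISSUERS) -> bool:
    """Grant access only if every required claim is present among the
    accepted claims; unknown resources are denied by default."""
    required = policy.get(resource)
    if required is None:
        return False
    accepted = set()
    for token in tokens:
        accepted |= verify_claims(token, trusted)
    present = {(c.type, c.value) for c in accepted}
    return required <= present

if __name__ == "__main__":
    uni = "https://idp.example-university.invalid"
    token = SecurityToken(uni, frozenset({Claim("affiliation", "student", uni)}))
    print(authorize("/library/journals", [token]))
```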