By Topic

Abstract interdomain security assertions: A basis for extra-grid virtual organizations

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $31
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

2 Author(s)
Carpenter, B.E. ; IBM Switzerland, 48 Avenue Giuseppe-Motta, 1211, Geneva 2, Switzerland ; Janson, P.A.

One significant challenge in building grids between organizations with heterogeneous security systems is the need to express and enforce security policies that specify the users in one organization (the source domain) who are allowed to access the resources in another organization (the target domain). This requires linking the syntax and semantics of security assertions referring to users and their attributes in the source domain to those referring to resources in the target domain. This paper suggests some basic requirements for solving this problem, in particular, an abstract form of interdomain security assertion (IDSA) relying, for instance, on globally meaningful URIs (Uniform Resource Identifiers) to refer to users, resources, and their attributes. This canonical abstract form of IDSA is, however, used strictly for assertion mapping purposes. It may—but need not—be visible in any concrete security assertion syntax in any domain. The paper further suggests different scenarios in which URIs for users, resources, and attributes defined in one domain can be mapped to semantically meaningful references—with varying degrees of granularity and accountability—in another domain where they would otherwise be meaningless.

Note: The Institute of Electrical and Electronics Engineers, Incorporated is distributing this Article with permission of the International Business Machines Corporation (IBM) who is the exclusive owner. The recipient of this Article may not assign, sublicense, lease, rent or otherwise transfer, reproduce, prepare derivative works, publicly display or perform, or distribute the Article.  

Published in:

IBM Systems Journal  (Volume:43 ,  Issue: 4 )