4 messages in org.oasis-open.lists.security-core: Re: Interim requirements II!

From                 Sent on                Attachments
Philip Hallam-Baker  Jan 25, 2001 2:08 pm   .bin, .bin
Stephen Farrell      Jan 26, 2001 2:57 am
Geor...@tivoli.com   Jan 26, 2001 8:42 am
Stephen Farrell      Jan 26, 2001 9:11 am

Subject: Re: Interim requirements II!
From: Geor...@tivoli.com (Geor@tivoli.com)
Date: Jan 26, 2001 8:42:27 am
List: org.oasis-open.lists.security-core

Stephen,

> [R-ReAuth] Ability for server to signal that re-authentication is required where you'd normally expect an authorization decision.
>
> I didn't phrase that too well, but I guess folks'll recognize the issue.

Let me test your theory that folks will recognize the issue.

We discuss a requirement with our customers which may or may not be the same as this. We call it either "step-up authentication" or "authorization based on strength of authentication". The idea is that the authorization rules state that in order to be granted access to a resource, the requester must authenticate using a particular mechanism, which is normally viewed as "extra strong" or "strong enough for purposes of this specific access".

We also discuss another requirement which is at least related to this. I don't think we have a name for it, so I'll make one up: "verification of presence". This requirement says that in order to perform some action the requester must re-authenticate (perhaps using the same mechanism as initial authentication) in order to verify that he or she hasn't walked away and abandoned a session which has subsequently been "adopted" by somebody else. People familiar with ATM machine security will recognize this one.

Is either of these what you mean? Are both?

--bob

Bob Blakley
Chief Scientist, Security
Tivoli Systems, Inc.
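The two readings above, "step-up authentication" and "verification of presence", both amount to an authorization check that can answer with a re-authentication signal instead of a plain permit or deny. The following is an added illustration, not code from the thread or from Tivoli: the mechanism-strength ordering, the policy fields and the account scenario are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical ordering of mechanism strength; the thread names no mechanisms.
STRENGTH = {"password": 1, "otp": 2, "smartcard": 3}

# Outcomes. The last two are the "signal re-authentication where you'd
# normally expect an authorization decision" case from the thread.
PERMIT, DENY, STEP_UP_REQUIRED, REAUTH_REQUIRED = "permit", "deny", "step-up", "reauth"

@dataclass
class Session:
    subject: str
    mechanism: str       # mechanism used at the most recent authentication
    last_auth: datetime  # when that authentication happened

@dataclass
class Policy:
    allowed: frozenset                       # subjects allowed at all
    min_mechanism: str = "password"          # step-up: weakest acceptable mechanism
    max_auth_age: Optional[timedelta] = None # presence: re-auth if older than this

def authorize(session: Session, policy: Policy, now: datetime) -> str:
    """Return a decision, or the kind of re-authentication the server needs."""
    if session.subject not in policy.allowed:
        return DENY  # a denied subject is never prompted to re-authenticate
    if STRENGTH[session.mechanism] < STRENGTH[policy.min_mechanism]:
        return STEP_UP_REQUIRED  # authenticated, but with too weak a mechanism
    if policy.max_auth_age is not None and now - session.last_auth > policy.max_auth_age:
        return REAUTH_REQUIRED   # session may have been abandoned and adopted
    return PERMIT

def demo() -> dict:
    # Constructed scenario: alice authenticated with a password 20 minutes ago.
    now = datetime(2001, 1, 26, 9, 0, tzinfo=timezone.utc)
    alice = Session("alice", "password", now - timedelta(minutes=20))
    policies = {
        "balance":  Policy(frozenset({"alice"})),
        "transfer": Policy(frozenset({"alice"}), min_mechanism="otp"),
        "withdraw": Policy(frozenset({"alice"}), max_auth_age=timedelta(minutes=5)),
        "admin":    Policy(frozenset({"root"}), min_mechanism="smartcard"),
    }
    return {name: authorize(alice, p, now) for name, p in policies.items()}
```

Checking the deny case first keeps the re-authentication signal from leaking which resources a subject could reach with a stronger login.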