Authentication Service Questions

Questions

Here's where open issues and problems go. This should be active in the early stages of this work. Note that it is better to place discussion points inline as sub-bullets than to put them in comments, where the context and flow are harder to reconstruct:

  • Under Key Concepts, regarding the term "system entity."

    This term has generic meaning in a CollectionSpace context - since "entity" is so widely used throughout Services layer documentation.
    This term may also be used in some security-related discussions, such as this CORBA-related patent application, to refer to what JAAS terms "Agents."

    One possible approach toward disambiguation: we might consider standardizing, within CollectionSpace documentation and potentially within code, on a more 'human friendly' term, "system actor," which emerged from the discussion in /wiki/spaces/collectionspace/pages/666274465, rather than this specific term from RFC 2828. One counter-argument, however, is that "actor" has specific meaning in use cases, and often refers to a real-world entity, rather than any software representation of same. Thoughts? - Aron
  • Somewhere near the beginning of Key Concepts, we might note that these concepts use standard Java platform (JAAS) security-related terminology to define entities like Subject, Person, and Agent, and that this terminology may be specific to the Java platform.

    Some other security discussions, such as this one relating to security in the context of Microsoft software (note: PDF document), may use some of these same terms quite differently; e.g. "A subject is a program (application) executing on behalf of a principal."
  1. Would each identity associated with a Person be represented as a Principal, stored within a Subject? The third bullet point in this section, beginning "A Person ...", seems very close to describing a Principal, rather than solely a Person.
  2. Can an Agent ever have multiple identities, and hence multiple Principals? - Aron