Question to ask for request

Convener: Alan Karps

Most important question: is the request authorized? Delegatable authorization: without it the private in the army would be saying "yes sir, mr. obama", that would be the only way. OAuth consciously conflated authz, authn and identity. The goal was not to exchange credentials service side gets token "letting it be me for a period of time"

Tyler Close "web key" : REST based federation. Good paper: "ACL's don't" Authorization based access control is safer than SSO.

Sample Case:

Two Companies: A  and  B Memorandum of Understanding between companies Authz: Only US citizens can perform this action: Use XACML to express policy When user invokes service, he prevents delegation chain.

Alan Karps http://www.hp.com/alan_karp  - might be wrong. Look for papers.

ZBack : Authorization based access control