It Depends a.k.a. Access Decisions are Contextual

This week, I had the pleasure of attending and presenting at the InCommon Confab. It was a great day and a half event organized by Jacob Farmer at Indiana University and many others from the InCommon Team.

InCommon's mission is to support a common trust framework for U.S. Education and Research, and their Identity Assurance Program offers its more than 200 Identity Providers the ability to certify their practices at the InCommon Bronze (LOA 1) and InCommon Silver (LOA 2) Levels. Given their scope and reach across the Research and Education Sector, as well as their maturity in the Identity Federation space, we are very fortunate that they have chosen to become a FICAM approved Trust Framework Provider whose Bronze (LOA 1) and Silver (LOA 2) certified IdP Credentials can be used to access Federal Government Web Sites.

Ian Glazer (Gartner), one of the other keynote speakers, has a good write-up on his blog about the event, so won't repeat it here [Go, read, and come back. I'll wait].  The great thing about the conversation that took place is that we are finally getting past the authentication and LOA conversations to what really matters when it comes to getting things done, which is tackling the hard challenges around distributed/federated/cross-organizational authorization to enable collaboration and the sharing of information.

In my presentation, I had the following slide, which broke out attributes of a person into Identity, Authority, Contextual and Preference.

In my own mind, I had lumped together what I, and many others over the years, had taken to calling "Environmental" attributes into the Contextual bucket. But, as you can also see, I had subordinated that context element under the Person umbrella.

The conversation that we had over the last couple of days, in my own mind, called that bucketing into question.

A potential starting point, as articulated by Ian, is that Context is anything that is not Person or Resource related, and as such it promotes Context to be a first class citizen along-side Person and Resource Attributes. This leads to:
The "External Attribute" component of Context maps pretty easily into what we have traditionally called "Environmental Attributes":

  • Operational Status e.g. Threat-Level-1, Declared-DSCA-Event
  • Inside the building on business/agency infrastructure
  • Coming from a specific IP block
  • Connecting using VPN
  • Host based scans report as healthy
  • etc.

But the "Shared Contextual Attributes" are something new to think about and explore, as they bring a relationship component into the mix that could potentially be very interesting and, if we can work through it to a shared understanding, address questions such as:

  • Is context where we can convey data handling expectations that come along with access to data? 
  • Obligations and responsibilities? 
  • Where semantics can be attached to and sent along with authority attributes?
  • ?
There was pretty general agreement that we really are not sure at this point, but that we do need to put some think-time on this. What it should NOT BE is that Context becomes the grab-all bucket into which everything that is not Subject and Resource gets stuffed as that would make it quickly irrelevant and useless from an access control decision point of view.

Really looking forward to further conversations on this topic.

:- by Anil John