Hi Pieter, thank you for your clarification and support! :)

Cheers
V.

On Mon, Oct 10, 2022 at 7:52 AM Pieter Kasselman <pieter.kasselman=40microsoft....@dmarc.ietf.org> wrote:
> I want to clarify that I don't see any blockers to using the step-up auth proposal from working with fine-grained policies.
>
> The comment and question were more to outline use cases being evaluated and to see whether others are observing this shift as well.
>
> Cheers
>
> Pieter
>
> From: OAuth <oauth-boun...@ietf.org> On Behalf Of Pieter Kasselman
> Sent: Friday, October 7, 2022 9:29 PM
> To: Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>; oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] WGLC for Step-up Authentication
>
> I am very supportive of this work and have been working through different use cases to see whether it can satisfy the requirements that arise from them.
>
> One observation from working through these use cases is that as customers move to Zero Trust architectures, we are seeing customers adopting finer-grained policy segmentation. Consequently, customers are planning to deploy segmented access control by data or action sensitivity, within a service. This approach to policy design makes it more common for a single service to depend on multiple authentication context values or combinations of authentication context values.
>
> An example of this is a policy that has multiple acr values (e.g. acr1=password, acr2=FIDO, acr3=selfie check, acr4=trusted network). A customer may define a policy that requires different combinations of these acr values. For example, a file server may require a password for general access (e.g. acr1); FIDO authentication (acr2) or password access and being on a trusted network to read sensitive data (acr2 or (acr1 + acr4)); FIDO authentication and password (acr1 + acr2) for editing sensitive documents; and a real-time selfie check on top of FIDO and presence on a trusted network (acr1 + acr2 + acr3 + acr4) to initiate a sensitive workflow (e.g. check-in code). Other variations of this include database access with different types of access requirement for certain rows (row-level permissions) or columns (column-level permissions) with different combinations of acr values.
>
> I was curious if this type of scenario where multiple authentication contexts and combinations of contexts are required is something others see (or are beginning to see) as well?
>
> Cheers
>
> Pieter
>
> From: OAuth <oauth-boun...@ietf.org> On Behalf Of Rifaat Shekh-Yusef
> Sent: Thursday, September 22, 2022 3:02 PM
> To: oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] WGLC for Step-up Authentication
>
> *Correction:*
>
> Please review the document and provide your feedback on the mailing list by *Oct 7th, 2022*.
>
> On Thu, Sep 22, 2022 at 9:52 AM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>
> All,
>
> This is to start a *WG Last Call* for the *Step-up Authentication* document:
>
> https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-03.html
>
> Please review the document and provide your feedback on the mailing list by *Sep 30th, 2022*.
>
> Regards,
> Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
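The file-server policy Pieter describes, worked through as a resource-server check, as an added example (not code from the draft, the thread, or any vendor): each operation lists the alternative factor sets that satisfy it, the token's single `acr` claim is mapped to the factors it attests, and a failing check produces the `WWW-Authenticate` challenge with `insufficient_user_authentication`, `acr_values` and `max_age` as defined in draft-ietf-oauth-step-up-authn-challenge. The acr catalogue, the claim values and the assumption that the authorization server mints a distinct acr value for each combination (e.g. `acr1+acr4` for password on a trusted network) are constructed for this example.

```python
"""Resource-server evaluation of a multi-acr policy with a step-up challenge.

Added example; not the draft's or any product's code. The acr catalogue,
policy and token claims below are constructed.
"""
import time

# Constructed catalogue: which authentication factors each acr value the
# (hypothetical) authorization server issues attests to. An access token
# carries one "acr" claim, so a combination is assumed to be a distinct
# acr value minted by the AS rather than several claims.
ACR_CATALOGUE = {
    "acr1": {"password"},
    "acr2": {"fido"},
    "acr3": {"selfie"},
    "acr4": {"trusted_network"},
    "acr1+acr4": {"password", "trusted_network"},
    "acr1+acr2": {"password", "fido"},
    "acr1+acr2+acr3+acr4": {"password", "fido", "selfie", "trusted_network"},
}

# Per-operation requirement: a list of alternatives, any one of which is
# sufficient; each alternative is the set of factors that must all be present.
POLICY = {
    "read_general": [{"password"}],
    "read_sensitive": [{"fido"}, {"password", "trusted_network"}],
    "edit_sensitive": [{"password", "fido"}],
    "start_workflow": [{"password", "fido", "selfie", "trusted_network"}],
}

# Freshness bound (seconds since auth_time) for the riskiest step.
MAX_AGE = {"start_workflow": 300}


def satisfied(factors, alternatives):
    """True if the attested factors cover at least one alternative."""
    return any(alt <= factors for alt in alternatives)


def acceptable_acrs(alternatives):
    """acr values from the catalogue that would satisfy the requirement;
    these are what the challenge advertises in acr_values."""
    return sorted(acr for acr, f in ACR_CATALOGUE.items() if satisfied(f, alternatives))


def build_challenge(operation, description):
    """WWW-Authenticate value per draft-ietf-oauth-step-up-authn-challenge."""
    acrs = " ".join(acceptable_acrs(POLICY[operation]))
    params = [
        'error="insufficient_user_authentication"',
        'error_description="%s"' % description,
        'acr_values="%s"' % acrs,
    ]
    if operation in MAX_AGE:
        params.append('max_age="%d"' % MAX_AGE[operation])
    return "Bearer " + ", ".join(params)


def authorize(claims, operation, now=None):
    """Return (True, None) when the token's acr (and, where bounded, its
    auth_time) satisfies the operation's policy; otherwise (False, header)
    with the header value the RS should send on its 401 response."""
    now = time.time() if now is None else now
    factors = ACR_CATALOGUE.get(claims.get("acr", ""), set())
    if not satisfied(factors, POLICY[operation]):
        return False, build_challenge(operation, "Stronger authentication required")
    max_age = MAX_AGE.get(operation)
    if max_age is not None and now - claims.get("auth_time", 0) > max_age:
        return False, build_challenge(operation, "Recent authentication required")
    return True, None


if __name__ == "__main__":
    # Constructed token claims: password-only user trying to read sensitive data.
    print(authorize({"acr": "acr1"}, "read_sensitive"))
```

Unknown acr values map to an empty factor set and therefore fail closed; the challenge lists every catalogued acr value that would satisfy the operation, so a client can pick the least burdensome one when it re-requests authorization.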