The following message is a courtesy copy of an article that has been posted to bit.listserv.ibm-main as well.
[EMAIL PROTECTED] (Chase, John) writes:

> I *think* you could do that using digital certificates, but I've only
> read that part of the RACF doc once and have not tried it (yet).

re: http://www.garlic.com/~lynn/2008.html#53 Really stupid question about z/OS HTTP server

base infrastructure for all of this has been Kerberos. It was originally developed at MIT's project athena ... which was equally funded by DEC and IBM ... and so we got to go by project athena for periodic project reviews.

originally kerberos was purely password (aka shared-secret) authentication. however, passwords can be eavesdropped and reused ... being shared-secret, the same value is used for both originating authentication and validating authentication ... which leads to lots of vulnerabilities and operational problems (including what happens when humans have to deal with scores or hundreds of unique passwords)
http://www.garlic.com/~lynn/subintegrity.html#secrets

public keys and digital signatures were originally proposed as addressing some of the shortcomings of shared-secret infrastructures. first, there is a different value for generating authentication information and validating authentication. this can address enormously growing problems with having to manage a large number of unique passwords (security 101 typically requires unique passwords for unique security domains as countermeasure to cross-domain attacks ... which is no longer necessary in a public key environment).

the original draft of pk-init for kerberos ... simply used public keys and digital signatures ... in lieu of passwords for authentication.
http://www.garlic.com/~lynn/subpubkey.html#kerberos

in purely certificate-less environment
http://www.garlic.com/~lynn/subpubkey.html#certless

however, a variety of public key operation has evolved which includes something called digital certificates ... and digital certificate mode of operation was eventually also added to the kerberos pk-init draft.
digital certificates were developed to address the scenario involving first time interaction between complete strangers (aka the letters of credit/introduction from the sailing ship days ... when the relying party had no other means of obtaining information in first time interaction with complete strangers). The purpose of the digital certificates is to carry "certified" information regarding total strangers that can't be obtained any other way.

the issue in all the major institutional authentication scenarios is that digital certificates are redundant and superfluous ... especially in employer/employee scenario ... since it is rarely the case that an employer is dealing with an employee as a total stranger.

in a real digital certificate scenario used for (kerberos) authentication, a total stranger ... that is not otherwise known and/or for which there is absolutely no prior information ... is allowed authorized access to the system ... aka nominally the purpose of the digital certificate paradigm is to carry the information about what the person is allowed to do ... and there is no requirement to have any predefined (system) information regarding the individual (and/or what they are allowed or not allowed to do)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
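The post's central contrast is that a shared secret is the same value on both sides (whatever the verifier stores is exactly what a user needs to authenticate, and the same reused password is valid at every domain that stores it), whereas with a public key the verifier stores only material that cannot generate authentication. The following Go program is an added illustration of that asymmetry and is not code from the post or from Kerberos/PK-INIT: it models a challenge-response login with an HMAC over a shared password next to one with an Ed25519 signature, using constructed sample values, and records what a legitimate user, an eavesdropper replaying a captured response, and a holder of a verifier's stored state can each achieve.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample material; nothing here comes from the original post.
// One password, held by the user and by every verifier it is registered with.
var sharedPassword = []byte("correct-horse-battery-staple")

// Shared secret: the responder proves knowledge of the password by keying an HMAC
// over the verifier's random challenge (better than sending the password itself).
func hmacResponse(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

// The verifier can only check the response by holding the identical secret and recomputing.
func verifyShared(storedSecret, challenge, response []byte) bool {
	return hmac.Equal(hmacResponse(storedSecret, challenge), response)
}

// Public key: the responder signs the challenge with a private key it never shares;
// the verifier stores only the public key.
func signChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func verifySigned(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func freshChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Outcome records what each scheme permits for the user, an eavesdropper, and a holder of stored verifier state.
type Outcome struct {
	SharedAccepted          bool // legitimate login with the shared password
	SharedReplayRejected    bool // a captured response fails against a fresh challenge
	SharedStoreImpersonates bool // what verifier A stores suffices to log in at verifier B (same reused password)
	SignedAccepted          bool
	SignedReplayRejected    bool
	PublicStoreImpersonates bool // what the verifier stores (public key) suffices to produce a valid signature
}

func RunScenario() (Outcome, error) {
	var o Outcome

	// Shared secret: two hypothetical relying parties, "A" and "B", both store the same password.
	storedAtA := append([]byte(nil), sharedPassword...)
	storedAtB := append([]byte(nil), sharedPassword...)

	chA := freshChallenge()
	resp := hmacResponse(sharedPassword, chA) // the user answers A's challenge
	o.SharedAccepted = verifyShared(storedAtA, chA, resp)

	// An eavesdropper replays the captured response; A issued a new challenge, so it fails.
	o.SharedReplayRejected = !verifyShared(storedAtA, freshChallenge(), resp)

	// Whoever holds A's stored copy (insider, or a dump of A's credential store) can answer B's
	// challenge, because B validates with the very same value: generation and validation use one secret.
	chB := freshChallenge()
	o.SharedStoreImpersonates = verifyShared(storedAtB, chB, hmacResponse(storedAtA, chB))

	// Public key: the verifier stores only pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	storedPub := ed25519.PublicKey(append([]byte(nil), pub...))

	ch := freshChallenge()
	sig := signChallenge(priv, ch)
	o.SignedAccepted = verifySigned(storedPub, ch, sig)
	o.SignedReplayRejected = !verifySigned(storedPub, freshChallenge(), sig)

	// The stored state is not a signing key, so no function of it alone yields a valid signature.
	// One arbitrary attempt (the same HMAC construction, padded to signature length) is shown so the
	// contrast with SharedStoreImpersonates is concrete.
	ch2 := freshChallenge()
	attempt := hmacResponse(storedPub, ch2)
	attempt = append(attempt, attempt...) // 64 bytes, the Ed25519 signature size
	o.PublicStoreImpersonates = verifySigned(storedPub, ch2, attempt)

	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it shows the two schemes agreeing on legitimate logins and on rejecting replays, and differing on the one field that matters for the post's argument: a verifier's stored shared secret impersonates the user anywhere that secret is reused, while a stored public key does not. That difference is why per-domain unique passwords are a countermeasure in the shared-secret world and become unnecessary once the verifier holds only validation material.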

