Level 2 adds to Level 1 the following additional requirements.
24.6.3.1 Authorization-Token-Based Delegation
Level 2 adds to Level 1 a requirement that implementations support the authorization-token-based delegation mechanism implemented
by the SAS protocol.
A Level 2 TSS shall be capable of evaluating proxy rules arriving in an authorization token to determine whether an asserting entity has been endorsed (by the authority which vouched for the privilege attributes in the authorization token) to assert the identity to which the privilege attributes pertain. The semantics of the relationship between the identity token and authorization token shall be as defined in Section 24.3.1.1, “Context Validation,” on page 24-17.
A Level 2 TSS shall recognize the Proxy Info extension defined in Section 24.2.3.1, “Extensions of the IETF AC Profile for CSIv2,” on page 24-11.
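The evaluation a Level 2 TSS performs can be shown with a small model. The following is an added example and not code from the CSIv2 specification or any ORB; it assumes a simplified token representation (the identity token carries one asserted principal name, the authorization token carries the subject its privilege attributes pertain to and, when the Proxy Info extension is present, the list of entities the attribute authority endorsed as proxies). The class and function names are hypothetical, and verification of the authorization token's signature by the issuing authority is assumed to have already succeeded.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed, simplified stand-ins for the CSIv2 identity and authorization tokens.

@dataclass
class IdentityToken:
    # The identity the client (the asserting entity) claims on behalf of a caller.
    asserted_identity: str

@dataclass
class AuthorizationToken:
    # The identity to which the privilege attributes pertain.
    subject: str
    privileges: list = field(default_factory=list)
    # None models an authorization token without the Proxy Info extension.
    # A list models the endorsed proxies named by the attribute authority.
    endorsed_proxies: Optional[list] = None

def proxy_endorsement_check(asserting_entity: str,
                            identity_token: IdentityToken,
                            authz_token: AuthorizationToken) -> tuple:
    """Decide whether `asserting_entity` (the principal authenticated at the
    transport or authentication layer) may assert the identity in the identity
    token, based on the proxy rules the attribute authority placed in the
    authorization token. Returns (accepted, reason).

    Assumption: the authorization token's signature has been validated before
    this function runs, so its contents are known to come from the authority
    that vouched for the privilege attributes."""
    # The privilege attributes must pertain to the identity being asserted;
    # otherwise the endorsement is about somebody else.
    if identity_token.asserted_identity != authz_token.subject:
        return False, "authorization token does not pertain to the asserted identity"
    # Without a Proxy Info extension the authority endorsed nobody as proxy.
    if authz_token.endorsed_proxies is None:
        return False, "no proxy endorsement present in authorization token"
    # The asserting entity must be one of the endorsed proxies.
    if asserting_entity in authz_token.endorsed_proxies:
        return True, "asserting entity endorsed to assert this identity"
    return False, "asserting entity is not an endorsed proxy"

def demo_cases() -> dict:
    """Run the check over constructed cases; returns {case name: accepted}."""
    token_for_alice = AuthorizationToken(
        subject="alice", privileges=["role:clerk"],
        endorsed_proxies=["intermediary-1"])
    token_without_proxy_info = AuthorizationToken(
        subject="alice", privileges=["role:clerk"])
    ident_alice = IdentityToken("alice")
    ident_bob = IdentityToken("bob")
    return {
        "endorsed proxy asserts alice":
            proxy_endorsement_check("intermediary-1", ident_alice, token_for_alice)[0],
        "unendorsed entity asserts alice":
            proxy_endorsement_check("intermediary-2", ident_alice, token_for_alice)[0],
        "endorsed proxy but token pertains to someone else":
            proxy_endorsement_check("intermediary-1", ident_bob, token_for_alice)[0],
        "no Proxy Info extension":
            proxy_endorsement_check("intermediary-1", ident_alice, token_without_proxy_info)[0],
    }

if __name__ == "__main__":
    for case, accepted in demo_cases().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

Only the first case is accepted: the asserting entity is named as an endorsed proxy in a token whose privilege attributes pertain to the very identity being asserted. The other three cases show the distinct ways the check fails, which a TSS should log separately so that a misconfigured intermediary can be told apart from an attempt to assert an identity without any endorsement.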
Level 2 requires that a target object that accepts identity assertions based on endorsements in authorization tokens represent this support in its IORs as defined in Table 24-17 on page 24-42.
Level 2 requires that a target object that requires an endorsement to act as proxy for its callers represent this requirement in its IORs as defined in Table 24-17 on page 24-42.