[caops-wg] Requirements and rationale for Relying Party Defined Namespace Constraints (signing_policy file)
Mike Helm
helm at fionn.es.net
Sat Mar 1 15:57:22 CST 2008
David Chadwick writes:
> I think this document is fundamentally flawed. This is either because it
> reflects the grid security infrastructure which is fundamentally flawed,
> or the document does not and therefore is in error. I refer to the sentence:
>
> As many grid authentication and authorization decisions based on X.509
> credentials currently only use the subject distinguished name for
> decision making
>
> This is in effect saying that the CA is the SOA and there is no
> difference between authn and authz. Authn and Authz operate at the same
Is there anything more to this than a different interpretation of
"only use ... for decision making" here?
My understanding of current grid practice (based on a mixture of hearsay,
imagination, dreaming, rumor, and paranoia) is that X.509 subject names,
and subject names only, are used as a primary key to lists/collections of attributes that
authorization services keep. Some of these cases are pretty simple and
some are complex databases. There are a few cases where these certs are
also used directly for an authorization decision - all the ones I know of
are on the boundaries between grid and non-grid services, or outside of grids
altogether.
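The practice Mike describes above, the subject DN acting only as a primary key into a separate attribute store, is illustrated by the following added example. It is not code from the post, from the caops-wg, or from any grid toolkit: the CA names, subject DNs, attributes and action policy are all constructed, and the per-CA namespace dictionary is this example's own simplification of a relying-party-defined namespace constraint, not the signing_policy file syntax. Signature and chain validation are assumed to have happened already; only the namespace check and the authn/authz split are modelled.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Constructed trust anchors: for each CA the relying party trusts, the subject
# namespaces it is permitted to certify.  Layout is this example's own
# simplification (assumption), not the signing_policy file format.
CA_NAMESPACES: Dict[str, List[str]] = {
    "/DC=org/DC=ExampleGrid/CN=ExampleGrid CA": [
        "/DC=org/DC=ExampleGrid/OU=People/*",
        "/DC=org/DC=ExampleGrid/OU=Services/*",
    ],
    "/DC=org/DC=OtherGrid/CN=OtherGrid CA": [
        "/DC=org/DC=OtherGrid/OU=People/*",
    ],
}

# Constructed attribute store keyed by subject DN: the "primary key" practice
# from the message.  Nothing but the DN links a certificate to its attributes.
ATTRIBUTES: Dict[str, Dict[str, List[str]]] = {
    "/DC=org/DC=ExampleGrid/OU=People/CN=Alice Example": {
        "vo": ["atlas"],
        "roles": ["production"],
    },
    "/DC=org/DC=ExampleGrid/OU=Services/CN=host/ce.example.org": {
        "vo": ["atlas"],
        "roles": ["service"],
    },
}

# Constructed authorization policy: which roles may perform which action.
ACTION_ROLES: Dict[str, set] = {
    "submit-job": {"production", "user"},
    "manage-queue": {"admin"},
}


def ca_permits_subject(issuer_dn: str, subject_dn: str) -> bool:
    """Relying-party-defined namespace constraint.

    The issuer must be a trust anchor AND the subject DN must lie inside the
    namespace this relying party allows that CA to certify.  A trusted CA that
    issues outside its namespace is rejected exactly like an unknown CA.
    """
    patterns = CA_NAMESPACES.get(issuer_dn)
    if patterns is None:
        return False
    return any(fnmatchcase(subject_dn, pattern) for pattern in patterns)


def authenticate(issuer_dn: str, subject_dn: str) -> Optional[str]:
    """Authentication result: the accepted subject DN, or None.

    Signature and path validation are assumed to have succeeded already;
    only the namespace check is modelled here (assumption).
    """
    return subject_dn if ca_permits_subject(issuer_dn, subject_dn) else None


def authorize(subject_dn: str, action: str) -> bool:
    """Authorization is a separate decision: the DN is only a lookup key, and
    the stored attributes, not the certificate, decide the outcome."""
    attrs = ATTRIBUTES.get(subject_dn)
    if attrs is None:
        return False
    return bool(set(attrs.get("roles", [])) & ACTION_ROLES.get(action, set()))


def decide(issuer_dn: str, subject_dn: str, action: str) -> str:
    """Run both steps and report which one, if any, refused the request."""
    subject = authenticate(issuer_dn, subject_dn)
    if subject is None:
        return "authn-failed"
    if not authorize(subject, action):
        return "authz-denied"
    return "allowed"


if __name__ == "__main__":
    example_ca = "/DC=org/DC=ExampleGrid/CN=ExampleGrid CA"
    other_ca = "/DC=org/DC=OtherGrid/CN=OtherGrid CA"
    alice = "/DC=org/DC=ExampleGrid/OU=People/CN=Alice Example"
    bob = "/DC=org/DC=OtherGrid/OU=People/CN=Bob Other"
    for issuer, subject, action in [
        (example_ca, alice, "submit-job"),    # known DN, matching role
        (example_ca, alice, "manage-queue"),  # known DN, role missing
        (example_ca, bob, "submit-job"),      # CA issued outside its namespace
        (other_ca, bob, "submit-job"),        # authenticated, but no attributes
    ]:
        print(f"{subject!r} via {issuer!r} -> {decide(issuer, subject, action)}")
```

The third case is the one a namespace constraint exists for: a trusted CA signing a DN in another CA's namespace is refused at the authentication step, before any attribute lookup. The fourth case is the distinction David raises: a certificate can be perfectly valid and still carry no authorization, because the DN only keys the lookup and the attribute store holds the decision.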