[caops-wg] Requirements and rationale for Relying Party Defined Namespace Constraints (signing_policy file)

David Chadwick d.w.chadwick at kent.ac.uk
Sun Mar 2 10:26:57 CST 2008


Hi Mike

there is more to it than what you propose, and this is the second point 
I make, i.e. whether two different users can be given the same DN or not by 
different CAs (we assume that the same CA will be competent enough to 
not do that). If the answer is yes, then your whole infrastructure is 
broken. If the answer is no, then the sentence below should be changed 
if, as you point out, there is much more to decision making than the DN 
on its own, such as lists and attributes that are used by authz services.

regards

David


Mike Helm wrote:
> David Chadwick writes:
>> I think this document is fundamentally flawed. This is either because it 
>> reflects the grid security infrastructure which is fundamentally flawed, 
>> or the document does not and therefore is in error. I refer to the sentence:
>>
>> As many grid authentication and authorization decisions based on X.509 
>> credentials currently only use the subject distinguished name for 
>> decision making
>>
>>
>> This is in effect saying that the CA is the SOA and there is no 
>> difference between authn and authz. Authn and Authz operate at the same 
> 
> Is there anything more to this than a different interpretation of 
> "only use ... for decision making" here?
> 
> My understanding of current grid practice (based on a mixture of hearsay,
> imagination, dreaming, rumor, and paranoia) is that X.509 subject names,
> and subject names only, are used as a primary key to lists/collections of attributes that
> authorization services keep. Some of these cases are pretty simple and
> some are complex databases. There are a few cases where these certs are
> also used directly for an authorization decision - all the ones I know of
> are on the boundaries between grid and non-grid services, or outside of grids
> altogether.
> 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
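Added example (not part of the thread, and not the Globus project's own code): a small Python checker for a relying-party signing_policy file. It covers the namespace constraint itself (may CA X issue subject DN Y?) and David's second point above (could two trusted CAs both legitimately issue the same DN, in which case the DN alone is not a safe primary key for the attribute lists Mike describes?). The policy text and all DNs below are constructed for the example; the record layout (access_id_CA / pos_rights / cond_subjects, shell-style quoting, '*' wildcards that may span '/' separators) is modelled on the Globus signing_policy convention, and case-sensitive matching is an assumption made here.

```python
"""Added example, not code from the caops-wg thread: a minimal checker for a
relying-party signing_policy file.

Assumptions (not stated in the thread): the file layout is modelled on the
Globus signing_policy format, '*' may match across '/' separators, matching
is case-sensitive, and SAMPLE_POLICY plus every DN below is constructed.
"""
import fnmatch
import shlex

SAMPLE_POLICY = """\
# Constructed sample: two trusted CAs whose namespaces deliberately overlap.
access_id_CA   X509   '/C=UK/O=eScience/OU=Authority/CN=CA'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/C=UK/O=eScience/OU=*/L=*/CN=*"'

access_id_CA   X509   '/DC=org/DC=ExampleGrid/CN=Example Grid CA'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/DC=org/DC=ExampleGrid/OU=*/CN=*" "/C=UK/O=eScience/OU=*/L=*/CN=*"'
"""


def parse_signing_policy(text):
    """Return {ca_dn: [subject patterns]} for every CA granted CA:sign.

    A cond_subjects record only counts if the preceding pos_rights record
    for the same CA grants CA:sign; other records for that CA are ignored.
    """
    policy = {}
    ca_dn = None
    can_sign = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # strips the outer single quotes
        if len(tokens) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = tokens[0], tokens[2]
        if key == "access_id_CA":
            ca_dn, can_sign = value, False
            policy.setdefault(ca_dn, [])
        elif key == "pos_rights":
            can_sign = (value == "CA:sign")
        elif key == "cond_subjects" and ca_dn is not None and can_sign:
            # The value is itself a quoted list: '"/a/*" "/b/*"' -> ['/a/*', '/b/*']
            policy[ca_dn].extend(shlex.split(value))
    return policy


def may_sign(policy, ca_dn, subject_dn):
    """True if ca_dn is trusted and subject_dn falls inside its namespace."""
    patterns = policy.get(ca_dn)
    if not patterns:                        # untrusted CA, or no CA:sign right
        return False
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in patterns)


def authorized_issuers(policy, subject_dn):
    """All trusted CAs whose namespace admits subject_dn, in policy order."""
    return [ca for ca in policy if may_sign(policy, ca, subject_dn)]


def dn_is_unambiguous(policy, subject_dn):
    """False when two or more CAs could each issue this DN to different users.

    If this can be False for any DN under the policy, the subject DN on its
    own cannot serve as a primary key into an authorization service's lists.
    """
    return len(authorized_issuers(policy, subject_dn)) <= 1


def lookup_attributes(authz_table, policy, issuer_dn, subject_dn):
    """Authorization lookup keyed on (issuer, subject) rather than subject alone.

    The certificate is rejected unless its issuer is allowed to sign its
    subject, so a second CA cannot mint a colliding DN to borrow attributes.
    Returns None when the lookup is refused or the key is unknown.
    """
    if not may_sign(policy, issuer_dn, subject_dn):
        return None
    return authz_table.get((issuer_dn, subject_dn))


if __name__ == "__main__":
    policy = parse_signing_policy(SAMPLE_POLICY)
    alice = "/C=UK/O=eScience/OU=Kent/L=Computing/CN=alice"
    bob = "/DC=org/DC=ExampleGrid/OU=People/CN=bob"
    for dn in (alice, bob):
        print(dn, "->", authorized_issuers(policy, dn),
              "unambiguous" if dn_is_unambiguous(policy, dn) else "AMBIGUOUS")
```

Running the block shows the failure mode the thread is arguing about: the UK eScience DN is admitted by both CAs' cond_subjects, so an authz table keyed on that DN alone cannot tell which CA's user it belongs to, while the ExampleGrid DN is admitted by exactly one CA. lookup_attributes keys on the (issuer, subject) pair and additionally refuses any pair the policy does not permit, which is the relying-party-side check a signing_policy file exists to support.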

