[ogsa-authn-bof] Shibboleth/Grid Namespace Convergence

David Chadwick d.w.chadwick at kent.ac.uk
Mon Feb 12 16:21:45 CST 2007



Tom Scavo wrote:
> On 2/12/07, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
>>
>> i) Each IDP must already uniquely identify each of its users, otherwise
>> it could not function correctly. How this is done is a local matter, and
>> we don't really care. All the IDP needs to do is to provide this local
>> name of the user to the CA.
> 
> This is where things fall down.  You're assuming a perfect world in
> which IdPs freely assert local principal names across domain
> boundaries.  Unfortunately, this is not the case today nor will it be
> the case tomorrow.

Hi Tom

It's OK for the IDP to map the local name into another anonymised local 
name if it wants to. The CA cannot tell the difference anyway, can it? 
The only thing that is of any importance is that the same user is given 
the same anonymised identity each time, so that the grid can know it is 
the same user each time. If this assumption does not hold true, then the 
grid cannot operate with any permanent identifiers and we can terminate 
the discussion now, since each user access to the grid will be unique 
and different. But I don't believe this is what is wanted, since a user 
should be able to login to the grid at a later time in order to retrieve 
his results. In this case he must have the same permanent ID for both 
accesses.
> 
> Today IdPs assert transient, opaque identifiers. 

True, and each one is unique, isn't it? (I think they are globally unique, 
aren't they? But locally unique is good enough.)

> Tomorrow IdPs will
> assert persistent, opaque identifiers *scoped to the SP*. 

Now what is the SP? Is it the backend Grid Service, or is it the entry 
point/gateway? With SOAP messages, we can relay messages via 
intermediate nodes to a backend service.

So the question is, is the CA/Shib gateway the SP, or is it the grid service 
that it provides access to? If the IDP treats the gateway as the 
SP, then each CA will indeed be forced to create different DNs for the 
same user, but if the back end grid service is the SP, then the IDP 
should return the same opaque identifier scoped to the SP to each of the 
Shib/CA gateways. It seems like this is a fundamental question that 
needs to be addressed.

> That is,
> the latter are not globally unique by design (to prevent collusion
> among SPs).

It's more than that. They are not even locally unique for a set of SPs.

> 
> Today some IdPs assert eduPersonPrincipalName (which is what you want)

No, this is not what I *want*. I don't actually care what the attribute 
is, or the value for that matter. The only thing I said was important is 
that for the same grid service the IDP must return the same locally 
unique name each time the service is accessed, otherwise the grid 
service will not be able to tell when the same user accesses it multiple 
times.


> but there are pressures working against this in the long run.
> Tomorrow IdPs will rather assert eduPersonTargetedID (which is
> equivalent to the persistent, opaque identifier mentioned above) but
> again ePTID is *scoped to the SP*.

That's fine also.

> 
> So it is not reasonable to assume all CAs will assert the same DN.
> Such collusion is prevented by design.

It all depends upon what is the service. If all CAs provide access to 
the same SP, then they should ensure that the same user gets the same DN 
each time.

> 
>> iii) Each IDP already has a globally unique DNS name. This is easily
>> converted into a DN using the DC naming scheme e.g. kent.ac.uk becomes
>> dc=kent, dc=ac, dc=uk
> 
> IdPs already have a globally unique naming scheme (involving URIs) so
> why invent a new one? 

Only because certificates use DNs. I don't really care what globally 
unique naming scheme is used. That's religion. It is the concept that is 
most important.

> If you must have a DNS-like name, however, you
> should use the Scope attribute called out in IdP metadata (which is
> used to qualify scoped attributes such as eduPersonPrincipalName and
> eduPersonScopedAffiliation).

This is technical detail, which can be filled in once the conceptual 
design is agreed upon.

regards

David

> 
> Tom
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
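As an added illustration of the SP-scoping question argued over above (example code, not from either correspondent): a toy model of an IdP issuing persistent, opaque identifiers scoped to an SP entityID, and a Shib/CA gateway turning them into DNs under the DC naming scheme. The keyed-hash construction, the entityIDs, the user name and the secret are constructed for the demo; it then shows why two gateways get different DNs for one user when each gateway is the SP, and the same DN when the backend grid service is the SP.

```python
import hashlib
import hmac

# Constructed IdP secret for the demo only; a real IdP would use its own
# long-term key or a stored random value per (user, SP) pair.
IDP_SECRET = b"constructed-demo-secret"


def sp_scoped_id(local_name: str, sp_entity_id: str) -> str:
    """Persistent, opaque identifier for one local user, scoped to one SP.

    Assumed construction: keyed hash over (local name, SP entityID). Same
    inputs always yield the same value; a different SP entityID yields an
    unrelated value, so two SPs cannot correlate the user (no collusion)."""
    msg = f"{local_name}!{sp_entity_id}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def dns_to_dc_dn(dns_name: str) -> str:
    """kent.ac.uk -> 'dc=kent, dc=ac, dc=uk' (the DC naming scheme from the thread)."""
    labels = [l for l in dns_name.lower().strip(".").split(".") if l]
    return ", ".join(f"dc={label}" for label in labels)


def gateway_dn(idp_dns: str, local_name: str, sp_entity_id: str) -> str:
    """DN a Shib/CA gateway mints: IdP's DC name plus the SP-scoped identifier."""
    return f"cn={sp_scoped_id(local_name, sp_entity_id)}, {dns_to_dc_dn(idp_dns)}"


def dns_across_gateways(local_name, idp_dns, gateways, backend):
    """Two lists of DNs for the same user, one entry per gateway:
    (a) each gateway treated as the SP, (b) the backend grid service as the SP."""
    as_gateway = [gateway_dn(idp_dns, local_name, gw) for gw in gateways]
    as_backend = [gateway_dn(idp_dns, local_name, backend) for _ in gateways]
    return as_gateway, as_backend


def all_same(values) -> bool:
    """True when every DN in the list is identical (the grid sees one user)."""
    return len(set(values)) == 1


if __name__ == "__main__":
    gws = ["https://gw1.example/shibboleth", "https://gw2.example/shibboleth"]
    backend = "https://grid.example/service"
    a, b = dns_across_gateways("alice", "kent.ac.uk", gws, backend)
    print("gateway is SP -> same DN at both gateways?", all_same(a))  # False
    print("backend is SP -> same DN at both gateways?", all_same(b))  # True
```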

