[ogsa-authn-bof] Use Cases

Von Welch vwelch at ncsa.uiuc.edu
Tue Feb 13 13:58:35 CST 2007


> Method 2 is used by Shibboleth systems.

I believe you are referring to the name identifier used by Shibboleth, specifically the transient handle.

Shibboleth can do that; it can also use a targeted identifier (e.g. eduPersonTargetedID), which is not globally unique but is consistent for a given service provider.

> So the essence of the problem we are discussing is that we have to
> decide which system to use in a combined grid/shib system.

I think it's a little more complex than that. Shibboleth can provide to the translating entity (e.g. a GridShib-CA) some form of an identifier (transient, targeted) and some collection of attributes. The question at hand is to come up with at least one profile where Shibboleth provides a particular identifier and set of attributes and then how those are converted to a DN, with a definition of the semantics of that DN.

Von

On Feb 13, 2007, at 3:32 AM, David Chadwick wrote:

> Perhaps a couple of use cases will serve to highlight the conceptual
> issues we are talking about (without getting into implementation
> specifics, which can follow later).
>
> Use case 1. A distributed medical health care records system has a
> security policy which says that every patient can read their own health
> care record and their GP and consultant can update their records
>
> Use case 2. A financial system's security policy says that only an
> account holder can update his account details.
>
> In both of the above use cases, the user must have a globally unique
> identifier so that no matter when or from where he accesses the database
> record in question, the access control system can function properly.
>
> I see two ways in which this can be achieved.
>
> Method 1. Every time the user logs in, no matter the time or location,
> the authentication system recognises him and assigns to him the same
> globally unique ID. This is then used by the access control system to
> enforce access rights. We could call this the traditional method.
>
> Method 2. Every time the user logs in, the authentication system
> recognises him but assigns to him a completely different anonymised ID.
> This ID is of little use to the access control system since it is time
> and/or location dependent. Therefore the set of attribute assertions
> that are subsequently released to the application's access control
> system must contain the user's globally unique ID. We could call this
> the privacy protection method.
>
> Method 1 is usually used by Grid systems and Globus toolkit.
> Method 2 is used by Shibboleth systems.
>
> So the essence of the problem we are discussing is that we have to
> decide which system to use in a combined grid/shib system.
>
> regards
>
> David
>
>
> -- 
>
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick at kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
>
> *****************************************************************

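The thread leaves open what a "profile" that turns a Shibboleth identifier plus attributes into a DN with stated semantics would look like. The following Python is an added illustration, not code from Von, David, GridShib or Globus: it models two hypothetical profiles over a constructed stand-in for an IdP assertion. One derives the DN from a targeted (persistent, per-SP) identifier, as in Von's reply; the other derives it from a globally unique attribute released alongside a transient handle, as in David's Method 2. The `ShibAssertion` class, the `CA_ORG` value, the slash-form DN layout and the scope-versus-issuer check are all assumptions made for the example; the SAML NameID format URIs are the real ones.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Real SAML 2.0 NameID format URIs.
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Hypothetical organisation the translating CA places in every issued DN.
CA_ORG = "Example Grid CA"


class MappingError(Exception):
    """The assertion cannot be mapped to a DN with the profile's semantics."""


@dataclass
class ShibAssertion:
    """Constructed stand-in for what an IdP hands the translating entity."""
    issuer: str                       # IdP entityID
    name_id_format: str               # TRANSIENT or PERSISTENT
    name_id: str                      # transient handle or targeted-id value
    attributes: dict = field(default_factory=dict)


# Characters allowed inside one RDN value of the slash-form DN used here.
_SAFE = re.compile(r"^[A-Za-z0-9@._:+-]+$")


def _rdn_value(value):
    # Refuse anything that could terminate the value early or smuggle in an
    # extra RDN ("x/O=other"), so the DN's meaning stays what the profile says.
    if not _SAFE.match(value):
        raise MappingError(f"unsafe value in DN component: {value!r}")
    return value


def _issuer_host(issuer):
    return (urlparse(issuer).hostname or issuer).lower()


def dn_targeted(a):
    """Profile A (targeted identifier).
    Semantics: the same DN at every login to this SP, not linkable to the
    user's DN at other SPs, and scoped to the asserting IdP via the OU."""
    if a.name_id_format != PERSISTENT:
        raise MappingError("targeted profile requires a persistent NameID")
    return f"/O={CA_ORG}/OU={_rdn_value(_issuer_host(a.issuer))}/CN={_rdn_value(a.name_id)}"


def dn_eppn(a):
    """Profile B (globally unique attribute, David's Method 2).
    The NameID may be transient; identity comes from eduPersonPrincipalName.
    Semantics: the same DN at every SP, traceable back to the user's scope."""
    eppn = a.attributes.get("eduPersonPrincipalName", "")
    if "@" not in eppn:
        raise MappingError("eppn profile requires a scoped eduPersonPrincipalName")
    scope = eppn.rsplit("@", 1)[1].lower()
    host = _issuer_host(a.issuer)
    # Hypothetical policy: an IdP may only assert users of its own domain.
    if not (host == scope or host.endswith("." + scope)):
        raise MappingError(f"issuer {host} may not assert scope {scope}")
    return f"/O={CA_ORG}/OU={_rdn_value(scope)}/CN={_rdn_value(eppn)}"


def try_dn(profile, a):
    """Return the DN, or None when the profile rejects the assertion."""
    try:
        return profile(a)
    except MappingError:
        return None


# Constructed sample data: two logins by the same user with fresh transient
# handles, and one assertion carrying a targeted identifier.
ISSUER = "https://idp.example.edu/idp/shibboleth"
LOGIN1 = ShibAssertion(ISSUER, TRANSIENT, "_a1b2c3",
                       {"eduPersonPrincipalName": "jsmith@example.edu"})
LOGIN2 = ShibAssertion(ISSUER, TRANSIENT, "_d4e5f6",
                       {"eduPersonPrincipalName": "jsmith@example.edu"})
TARGETED = ShibAssertion(ISSUER, PERSISTENT, "k9f3x7q2")

if __name__ == "__main__":
    print("eppn profile, login 1:", try_dn(dn_eppn, LOGIN1))
    print("eppn profile, login 2:", try_dn(dn_eppn, LOGIN2))
    print("targeted profile:     ", try_dn(dn_targeted, TARGETED))
    print("targeted on transient:", try_dn(dn_targeted, LOGIN1))
```

Profile A refuses a transient handle outright rather than silently producing a DN that would differ on every login, which is the failure David describes; profile B shows that a transient NameID is harmless once the attribute set carries a unique, scope-checked identifier. Either way the DN's semantics are fixed by which profile produced it, which is the definition Von asks for.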