[ogsa-authn-bof] Use Cases

Tom Scavo trscavo at gmail.com
Wed Feb 14 05:49:57 CST 2007


On 2/14/07, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
>
> I think the
> essence of the problem is authorisation i.e. How does the PDP know if
> this user can access this resource? The PDP has to have a set of
> attributes in which at least one of them gives the globally unique ID of
> the user, in order to satisfy the use cases given below. Therefore the
> unique ID should either be in the name (DN) of the user, or in another
> attribute. If we choose the latter approach then the DN can be
> meaningless and not used by any grid request, except as a means to pick
> up the proper set of attributes

I agree with you, David.  The security token can be X.509 or SAML or
whatever, as long as it contains one or more identifiers that taken
together uniquely identify the user.  It is unreasonable, however, to
assume the existence of a single globally unique identifier for the
user, nor is that assumption necessary to solve this problem.  A user
can and will have multiple identities.  For any given access request,
only one of those identities is the subject of the request.

Even this doesn't get us very far, however.  At some point you have to
descend into practical considerations, and as always, the devil is in
the details.

Cheers,
Tom
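The point both messages make, that a policy decision point should key its decision on a set of identifying attributes (issuer plus an asserted identifier) rather than on a single global ID or on the DN, can be shown with a toy PDP. This is an added illustration, not code from the thread or from any OGSA project; the token layout, the attribute names (`eduPersonPrincipalName`, `uid`, `email`), the issuer URLs and the access policy are all constructed for the example.

```python
"""Toy policy decision point (PDP): the subject of a request is identified by
(issuer, identifying attribute), never by the DN alone. Added example; all
names, issuers and policy entries below are constructed."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    """One identity of a user: the issuer and the identifier it asserts.
    Neither part is assumed unique on its own; the pair is."""
    issuer: str
    subject: str


@dataclass
class Token:
    """A security token (X.509 or SAML in the thread; a plain record here).
    The DN may be meaningless; the attributes carry the identifying claims."""
    dn: str
    issuer: str
    attributes: dict = field(default_factory=dict)


# Attribute names that, combined with the issuer, identify the subject.
# The order is the preference order when several are present (constructed).
IDENTIFYING_ATTRS = ("eduPersonPrincipalName", "uid", "email")


def identity_from_token(token):
    """Return the single identity asserted by this token, or None if the
    token carries no identifying attribute at all (a DN does not count)."""
    for name in IDENTIFYING_ATTRS:
        value = token.attributes.get(name)
        if value:
            return Identity(token.issuer, value)
    return None


# Access policy keyed on (issuer, subject) pairs. One human may appear under
# several identities; each entry grants access to exactly one of them.
POLICY = {
    "https://grid.example.org/storage": {
        Identity("https://idp.university-a.example", "alice@university-a.example"),
        Identity("https://idp.lab-b.example", "a.smith"),
    },
    "https://grid.example.org/compute": {
        Identity("https://idp.lab-b.example", "a.smith"),
    },
}


def pdp_decide(token, resource):
    """Decide an access request. Returns (permit, identity_used).
    The DN is never consulted; only the (issuer, attribute) identity is."""
    identity = identity_from_token(token)
    if identity is None:
        return False, None
    allowed = POLICY.get(resource, set())
    return identity in allowed, identity


if __name__ == "__main__":
    # Two tokens with the same, meaningless DN but different asserted identities.
    via_university = Token(
        dn="CN=A Smith",
        issuer="https://idp.university-a.example",
        attributes={"eduPersonPrincipalName": "alice@university-a.example"},
    )
    via_lab = Token(dn="CN=A Smith", issuer="https://idp.lab-b.example",
                    attributes={"uid": "a.smith"})
    for tok in (via_university, via_lab):
        for res in POLICY:
            print(tok.issuer, res, pdp_decide(tok, res))
```

Two things the run makes visible: the same DN yields different decisions depending on which identity the token asserts, and a token whose issuer does not match the policy entry is refused even when the bare subject string ("a.smith") matches, because the identifier is only meaningful together with its issuer.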


More information about the ogsa-authn-bof mailing list