[ogsa-authn-bof] Use Cases

David Chadwick d.w.chadwick at kent.ac.uk
Wed Feb 14 09:08:14 CST 2007


Hi Tom

Tom Scavo wrote:
> On 2/14/07, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
>>
>> I think the
>> essence of the problem is authorisation i.e. How does the PDP know if
>> this user can access this resource? The PDP has to have a set of
>> attributes in which at least one of them gives the globally unique ID of
>> the user, in order to satisfy the use cases given below. Therefore the
>> unique ID should either be in the name (DN) of the user, or in another
>> attribute. If we choose the latter approach then the DN can be
>> meaningless and not used by any grid request, except as a means to pick
>> up the proper set of attributes
> 
> I agree with you, David.  The security token can be X.509 or SAML or
> whatever, as long as it contains one or more identifiers that taken
> together uniquely identify the user.  It is unreasonable, however, to
> assume the existence of a single globally unique identifier for the
> user, nor is that assumption necessary to solve this problem. 

No one ever said single! Single and global are independent of each other.
I expect everyone will have multiple globally unique IDs.
Global is however essential. Otherwise someone else could access my
patient record as me, since their ID would be identical to mine. This is
unacceptable. So global is essential. However, as I have said before, it
is trivial to engineer. Every system already has locally unique IDs, so
you prefix this with the globally unique ID of the system.


> A user can and will have multiple identities.

Agreed. I have, including Bill Gates as one of them :-)

> For any given access request, only one of those identities is the subject of the request.

And that subject ID either has to be meaningful or meaningless. It can't
be a bit meaningful, or a bit meaningless. The authz system can handle
both models, as long as we all know which model we are using.

> 
> Even this doesn't get us very far, however.  At some point you have to
> descend into practical considerations, and as always, the devil is in
> the details.

Yes, but if you don't get the model and concepts correct first, then the
detail will become very devilish, confused and confusing, and in the end
broken.

regards

David

> 
> Cheers,
> Tom
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
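The prefixing scheme David describes above (a locally unique ID qualified by the globally unique ID of the system that issued it), as an added Python example that is not part of the original thread; the hospital names, the ACL and the percent-encoded "!" delimiter are constructed illustrations. It also shows the caveat the scheme needs in practice: the two parts must be encoded so the delimiter cannot appear inside either of them, otherwise two different (system, local) pairs can concatenate to the same string.

```python
from urllib.parse import quote, unquote
from typing import NamedTuple

class GlobalId(NamedTuple):
    """A locally unique ID qualified by the globally unique ID of its issuing system."""
    system: str  # globally unique name of the issuing system, e.g. its DNS name (constructed)
    local: str   # ID that is only unique within that system

    def encode(self) -> str:
        # Percent-encode both parts (safe='' keeps only RFC 3986 unreserved characters),
        # so the '!' delimiter cannot occur inside either part and the split is unambiguous.
        return f"{quote(self.system, safe='')}!{quote(self.local, safe='')}"

    @classmethod
    def decode(cls, s: str) -> "GlobalId":
        system, sep, local = s.partition("!")
        if not sep or not system or not local or "!" in local:
            raise ValueError(f"malformed global id: {s!r}")
        return cls(unquote(system), unquote(local))

# Constructed sample tokens: two unrelated hospitals both issued the local ID "smith42".
TOKENS = [
    {"system": "hospital-a.example", "local": "smith42"},
    {"system": "hospital-b.example", "local": "smith42"},
]

def local_subject(attrs: dict) -> str:
    """The bare local ID: what a PDP sees if the system prefix is dropped."""
    return attrs["local"]

def global_subject(attrs: dict) -> str:
    """The qualified ID: local ID prefixed with the issuing system's global ID."""
    return GlobalId(attrs["system"], attrs["local"]).encode()

def distinct_subjects(extract) -> int:
    """How many different principals the PDP sees in TOKENS under a given subject rule."""
    return len({extract(t) for t in TOKENS})

# Constructed ACL: only hospital-a's smith42 may read patient record 123.
ACL = {GlobalId("hospital-a.example", "smith42").encode(): {"patient/123"}}

def permitted(attrs: dict, resource: str) -> bool:
    """PDP decision keyed on the globally qualified subject, never on the bare local ID."""
    return resource in ACL.get(global_subject(attrs), set())

if __name__ == "__main__":
    print(distinct_subjects(local_subject), distinct_subjects(global_subject))  # 1 2
    print([permitted(t, "patient/123") for t in TOKENS])  # [True, False]
```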

