[ogsa-authn-bof] Use Cases
David Chadwick
d.w.chadwick at kent.ac.uk
Tue Feb 13 03:32:06 CST 2007
Perhaps a couple of use cases will serve to highlight the conceptual
issues we are talking about (without getting into implementation
specifics, which can follow later).
Use case 1. A distributed medical health care records system has a
security policy which says that every patient can read their own health
care record and their GP and consultant can update their records.
Use case 2. A financial system's security policy says that only an
account holder can update his account details.
In both of the above use cases, the user must have a globally unique
identifier so that no matter when or from where he accesses the database
record in question, the access control system can function properly.
I see two ways in which this can be achieved.
Method 1. Every time the user logs in, no matter the time or location,
the authentication system recognises him and assigns to him the same
globally unique ID. This is then used by the access control system to
enforce access rights. We could call this the traditional method.
Method 2. Every time the user logs in, the authentication system
recognises him but assigns to him a completely different anonymised ID.
This ID is of little use to the access control system since it is time
and/or location dependent. Therefore the set of attribute assertions
that are subsequently released to the application's access control
system must contain the user's globally unique ID. We could call this
the privacy protection method.
Method 1 is usually used by Grid systems and the Globus toolkit.
Method 2 is used by Shibboleth systems.
So the essence of the problem we are discussing is that we have to
decide which system to use in a combined grid/shib system.
regards
David
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
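The two methods above, as an added example that is not from the original post nor from the Globus or Shibboleth code bases: a Python sketch of the access-control check for use case 1 under Method 1 (the authenticated subject is the globally unique ID) and Method 2 (the subject is a fresh transient ID and the globally unique ID has to be taken from the released attribute set). The record data, the trusted issuer name idp.hospital.example and the choice of eduPersonPrincipalName as the attribute carrying the global ID are assumptions made for the example.

```python
"""Added example (not from the original post): access control for use case 1
under Method 1 (persistent global ID as subject) and Method 2 (transient
subject plus an attribute assertion carrying the global ID).
All records, issuers and attribute names are constructed sample data."""
from dataclasses import dataclass, field
import secrets

# Constructed sample records: the patient, and the GP/consultant who may update.
RECORDS = {
    "rec-1001": {
        "patient": "alice@hospital.example",
        "clinicians": {"gp.bob@hospital.example", "cons.carol@hospital.example"},
    },
}

# Assumption: only assertions from this identity provider / attribute
# authority are accepted; under Method 2 the global ID is only as trustworthy
# as the authority that asserts the attribute.
TRUSTED_ISSUERS = {"idp.hospital.example"}

# Assumption: the attribute used to carry the globally unique ID under Method 2.
GLOBAL_ID_ATTR = "eduPersonPrincipalName"


@dataclass
class Assertion:
    issuer: str
    name_id: str
    name_id_format: str                      # "persistent" (Method 1) or "transient" (Method 2)
    attributes: dict = field(default_factory=dict)


def method1_login(global_id: str, issuer: str = "idp.hospital.example") -> Assertion:
    """Method 1: every login yields the same globally unique ID as the subject."""
    return Assertion(issuer, global_id, "persistent")


def method2_login(global_id: str, issuer: str = "idp.hospital.example") -> Assertion:
    """Method 2: every login yields a fresh anonymised subject; the global ID is
    released as an attribute rather than as the subject."""
    transient = "_" + secrets.token_hex(16)
    return Assertion(issuer, transient, "transient", {GLOBAL_ID_ATTR: global_id})


def resolve_global_id(a: Assertion):
    """Return the identifier the access-control system keys on, or None."""
    if a.issuer not in TRUSTED_ISSUERS:
        return None                          # untrusted source: use nothing from it
    if a.name_id_format == "persistent":
        return a.name_id                     # Method 1: the subject itself
    return a.attributes.get(GLOBAL_ID_ATTR)  # Method 2: must come from the attributes


def authorise(a: Assertion, record_id: str, action: str) -> bool:
    """The two rules of use case 1: the patient may read their own record;
    the GP and consultant may update it."""
    uid = resolve_global_id(a)
    rec = RECORDS.get(record_id)
    if uid is None or rec is None:
        return False
    if action == "read":
        return uid == rec["patient"]
    if action == "update":
        return uid in rec["clinicians"]
    return False


if __name__ == "__main__":
    # Two logins by the same user under Method 2 get different subjects but
    # the same decision; the transient subject alone is of no use to the ACL.
    first, second = method2_login("alice@hospital.example"), method2_login("alice@hospital.example")
    print("transient IDs differ:", first.name_id != second.name_id)
    print("alice may read via attribute:", authorise(first, "rec-1001", "read"))
    bare = Assertion("idp.hospital.example", first.name_id, "transient")
    print("transient ID alone may read:", authorise(bare, "rec-1001", "read"))
```

Running it shows the crux of the trade-off: under Method 2 the access-control system cannot match the subject against the record's ACL at all, so the decision rests entirely on the global ID carried in the attribute set, which moves the point of trust from the authentication binding to the authority that issues that attribute (hence the issuer check above).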