[ogsa-authn-bof] Use Cases

David Chadwick d.w.chadwick at kent.ac.uk
Wed Feb 14 05:25:41 CST 2007



Von Welch wrote:
> 
>> Method 2 is used by Shibboleth systems.
> 
> I believe you are referring to the name identifier used by 
> Shibboleth, specifically the transient handle.
> 
> Shibboleth can do that, it can also use a targeted identifier (e.g. 
> eduPersonTargetedId), which is not globally unique, but consistent for a 
> given service provider.
> 
>> So the essence of the problem we are discussing is that we have to
>> decide which system to use in a combined grid/shib system.
> 
> I think it's a little more complex than that. Shibboleth can provide to 
> the translating entity (e.g. a GridShib-CA) some form of an identifier 
> (transient, targeted) and some collection of attributes. The question at 
> hand is to come up with at least one profile where Shibboleth provides a 
> particular identifier and set of attributes and then how those are 
> converted to a DN, with a definition of the semantics of that DN.

Hi Von

I don't really think this is the essence of the problem. I think the 
essence of the problem is authorisation, i.e. how does the PDP know if 
this user can access this resource? The PDP has to have a set of 
attributes in which at least one of them gives the globally unique ID of 
the user, in order to satisfy the use cases given below. Therefore the 
unique ID should either be in the name (DN) of the user, or in another 
attribute. If we choose the latter approach then the DN can be 
meaningless and not used by any grid request, except as a means to pick 
up the proper set of attributes.

regards

David



> 
> Von
> 
> On Feb 13, 2007, at 3:32 AM, David Chadwick wrote:
> 
>> Perhaps a couple of use cases will serve to highlight the conceptual
>> issues we are talking about (without getting into implementation
>> specifics, which can follow later).
>>
>> Use case 1. A distributed medical health care records system has a
>> security policy which says that every patient can read their own health
>> care record and their GP and consultant can update their records
>>
>> Use case 2. A financial system's security policy says that only an
>> account holder can update his account details.
>>
>> In both of the above use cases, the user must have a globally unique
>> identifier so that no matter when or from where he accesses the database
>> record in question, the access control system can function properly.
>>
>> I see two ways in which this can be achieved.
>>
>> Method 1. Every time the user logs in, no matter the time or location,
>> the authentication system recognises him and assigns to him the same
>> globally unique ID. This is then used by the access control system to
>> enforce access rights. We could call this the traditional method.
>>
>> Method 2. Every time the user logs in, the authentication system
>> recognises him but assigns to him a completely different anonymised ID.
>> This ID is of little use to the access control system since it is time
>> and/or location dependent. Therefore the set of attribute assertions
>> that are subsequently released to the application's access control
>> system must contain the user's globally unique ID. We could call this
>> the privacy protection method.
>>
>> Method 1 is usually used by Grid systems and Globus toolkit.
>> Method 2 is used by Shibboleth systems.
>>
>> So the essence of the problem we are discussing is that we have to
>> decide which system to use in a combined grid/shib system.
>>
>> regards
>>
>> David
>>
>>

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
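The distinction David draws above, a stable global ID in the DN (Method 1) versus a transient handle plus a unique-ID attribute (Method 2), as an added toy policy decision point for the two use cases. This is illustrative code written for this page, not from the thread, GridShib or Shibboleth; the attribute name `globalUniqueID`, the `urn:uid:` DN convention and the record data are constructed assumptions.

```python
# Toy PDP for use case 1 (patients read own record, their clinicians update)
# and use case 2 (only the account holder updates the account).
# All identifiers, records and the 'globalUniqueID' attribute are constructed.

PATIENT_RECORDS = {
    "rec-1001": {"patient": "urn:uid:alice", "clinicians": {"urn:uid:dr-bob"}},
}
ACCOUNTS = {"acct-77": {"holder": "urn:uid:alice"}}


def unique_id(subject_dn, attributes):
    """Recover the globally unique ID the policy needs.

    Method 2: the DN is a per-login transient handle, so the stable ID must
    arrive in the released attribute set (assumed attribute 'globalUniqueID').
    Method 1: the DN itself is the stable ID (assumed 'urn:uid:' convention).
    """
    if attributes.get("globalUniqueID"):
        return attributes["globalUniqueID"]
    if subject_dn.startswith("urn:uid:"):
        return subject_dn
    return None  # transient handle and no unique-ID attribute: undecidable


def decide(subject_dn, attributes, action, resource):
    """Return 'Permit' or 'Deny' for the two use-case policies."""
    uid = unique_id(subject_dn, attributes)
    if uid is None:
        return "Deny"  # no stable identity, so neither policy can be applied
    rec = PATIENT_RECORDS.get(resource)
    if rec is not None:
        if action == "read" and uid == rec["patient"]:
            return "Permit"
        if action == "update" and uid in rec["clinicians"]:
            return "Permit"
    acct = ACCOUNTS.get(resource)
    if acct is not None and action == "update" and uid == acct["holder"]:
        return "Permit"
    return "Deny"


if __name__ == "__main__":
    # Two different transient handles for the same person still resolve to
    # the same decision because the unique ID travels as an attribute.
    for handle in ("_7f3a9c", "_e21b04"):
        print(handle, decide(handle, {"globalUniqueID": "urn:uid:alice"},
                             "read", "rec-1001"))
    print("bare handle", decide("_7f3a9c", {}, "read", "rec-1001"))
```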
