[OGSA-AUTHZ] Next Telecon

David Chadwick d.w.chadwick at kent.ac.uk
Wed Nov 1 09:47:19 CST 2006


Hi Tom

Sorry but I have to disagree with you.

Tom Scavo wrote:

> In the final analysis, yes, but the Grid SP (taken as a whole) needs
> to know 1) what is the preferred IdP of the user,

Why does it need to know this? Surely the SP only needs to know which 
IdPs it trusts, but not which user is associated with which IdP. Only 
the user needs to know this and will choose it himself by WAYF or other 
means.

> and 2) what AA
> endpoint to query.  Before the CVS can determine the latter, the PEP
> must supply the former.

I agree with this (except that for small grids, the CVS can have a set 
of preconfigured AAs that it trusts. Actually even large grids can make 
do with this if there are a few globally trusted AAs. Consider Visa and 
Amex for instance. All the shopkeepers in the world only need to know 
these two or three AAs and no more for them to accept requests from the 
entire global population.)

> So I claim the unique identifier of the IdP
> (entityID) must travel from the user to the PEP to the CVS.

I disagree. From the user to the PEP yes, since this will use it for 
authentication, but the CVS does not need to know this information.

> Then and
> only then can the CVS determine the appropriate endpoint to query.

No, the message from the PEP can contain this information directly.

regards

David

> 
> Tom
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

