Hi Guys,
(no pun intended.)
I think the time is right to try to tackle this on in the VO. I pretty much agree with Guy's write up. I just want to share my current take on some of the issues he brings up. I also want to share part 1 of a 3-part white paper (attached) I'm working on addressing authorization issues (but which also talks about authentication). I think it's largely consistent with Guy's vision. One caveat about the white paper: it is meant to lay out how we could manage authorization using a particular grid tool (Globus Community Authorization Service); however, the model need not be dependent on this. I think an equivalent system could be assembled using, say, Shibboleth.
> single sign-on
Yes!
> single registration system
As Guy points out, if we want trust to transfer across administration domains, we need to minimize the number of roots of trust (i.e. CAs). A single registration system for the global VO would do it; however, administratively, I'm not sure how practical this is (because services need to be maintained...$$$...and the whole thing). So, I was thinking perhaps this might be handled on a per-project basis--e.g. NVO, AstroGrid/EVO, JVO, etc.--and then these projects would agree to trust each other's CAs. At least a per-project approach might be a good first step toward, ultimately, a global CA.
> where to register (home institutions)
I'm not sure how doable this is in the near-term for a few reasons:
o I'm not sure I could convince anyone at my home astronomy department (let alone someone higher up in the University food chain) to take this responsibility. Perhaps after VO gets more community traction, this would be more practical.
  Shibboleth operates this way, but typically it leverages the university's library, which already manages users on a university level. I guess if we use Shibboleth, perhaps we can leverage this infrastructure.
o Many legitimate users may not be part of an institution that can readily manage approval. In addition to amateurs and astronomers working in industry, I think we might include the lone astronomer at a small teaching college.
Nevertheless, strong trust starts with trusted humans, so this may be the only practical way to do it on the large scale. I'll note that observatories have an operational trust model when they dole out telescope time. Perhaps we can leverage this.
On Thu, 10 Mar 2005, Paul Harrison wrote:
> * In the document you talk about "less-trusted" entities - surely in a
> trust model something should either be trusted or not-trusted, there can
> be no degrees of trust.
Actually, I think we do need to support "less-trusted" entities, as the attached document argues. Many services we'll want to provide, including VOStore, do not actually require that the user connecting is actually who they say they are; they only need to guarantee that the person connecting is the person who originally, say, created the space. This is the model for the hundreds of portals we already have logins for today to which we could have registered a fake name.
I have proposed the concept of a "weak" certificate. These are less trusted certificates that are granted without a human in the loop, as is done with a traditional "strong" certificate.
cheers,
Ray