SSO authentication: a new approach
gtr at ast.cam.ac.uk
Thu Mar 10 05:09:47 PST 2005
Thanks for the comments.
The "less-trusted" entities are the case where I trust some service to perform
a specific action, which I state via authorization tickets, but not to use my
other privileges. I think this _is_ a form of partial trust; maybe it needs
Diagrams will come in due course. I have one suitable one that I need to get
out of power point and I may draw others.
You're right: the interactions with other trust systems need discussion. I'll
add material about this later.
On Thu, 10 Mar 2005, Paul Harrison wrote:
> I agree that this is the best starting point to create an architecture -
> in addition to the text, a diagram would be useful to illustrate the
> trust domains (with their contents) and the trust relationships between
> them. I think that this is a pretty good starting point. I have a couple
> of issues though
> * In the document you talk about "less-trusted" entities - surely in a
> trust model something should either be trusted or not-trusted, there can
> be no degrees of trust.
> * I think that there should be some discussion of what should be done in
> the case where there needs to be a trust relationship set up between
> an existing authentication system (e.g. the existing particle physics
> Grids) and the IVOA one.
> Guy Rixon wrote:
> >Hi everybody!
> >The 2004 discussions of single-sign-on authentication stalled due to
> >disagreements and misunderstanding about the trust model. Since then, there
> >have been other discussions about this (in AstroGrid and in EuroVO-VOTech and
> >among the GWS members discussing VOStore). From this, I've synthesized a trust
> >model that seems to work and which defines the architecture of an SSO system
> >that we could use. Here's the initial document:
> > http://wiki.astrogrid.org/bin/view/Astrogrid/TrustModelForVO
> >(VOTech and AG people: it's compatible with what I said at the DS-3 meeting.)
> >(VOStore people: it's a poshed-up version of what we discussed earlier this
> >If this finds favour, then I'll write it up as an IVOA document.
> >It would be good if we could get some consensus on this trust model and
> >excellent if it could be agreed by or during the Kyoto interop.
> >Please note that the trust model sets the requirements for the SSO protocols.
> >Until we sort out the trust model we can't sort out SSO.
> >Guy Rixon gtr at ast.cam.ac.uk
> >Institute of Astronomy Tel: +44-1223-337542
> >Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
Guy Rixon gtr at ast.cam.ac.uk
Institute of Astronomy Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523