SSO authentication: a new approach
pah at jb.man.ac.uk
Fri Mar 11 01:00:35 PST 2005
Guy Rixon wrote:
>thanks for the comments.
>The "less-trusted" entities are the case where I trust some service to perform
>a specific action, which I state via authorization tickets, but not to use my
>other privileges. I think this _is_ a form of partial trust; maybe it bneeds
I still think that we should distinguish between trust (i.e. do we know
that the entity is what it says it is - i.e. it has identity signed by a
certificate authority that we know) and the privileges that we assign to
that identity. I realise that this is not quite the same semantics as
the ordinary english language word "trust", but I believe that it is the
meaning that is attached to the word in the security world.
In the discussion so far of "less-trusted" or "weak certificates" -
what is actually meant is lower priviledges assigned to an identity that
is still confirmed by reference to a CA signature, in just the same way
that a "strong certificate" - i.e. as far as the cryptographic
confirmation of the identity goes there is no difference.
I might just be being a pedant, but whatever words we use, this way of
thinking is important in the design.
More information about the grid