Shibboleth Developers

[Frank Siebenlist <>]

There is a new Authority Recognition RG at GGF with Paul Madsen as one of the 
chairs. ("http://forge.gridforum.org/projects/arrg-rg/";)

This work builds on and extends the QIK effort.

Research Group Charter:

Trust between entities in many transactions is enabled by a separate authority 
issuing assertions (e.g. X.509 certificates, SAML assertions, Kerberos tickets, 
etc) regarding the identity and/or other characteristics of the actors involved.

The assertions issued by an authority must be recognized as valid and 
appropriate to its requirements before a party will rely on them. Whether or not 
an assertion from a particular authority is appropriate will depend on a number 
of factors, including the commitments the authority makes with respect to the 
assertion, the liabilities the authority is willing to assume, and the 
obligations assumed by the relying party if they use the assertion. Existing 
mechanisms do not facilitate the dissemination of this information from the 
authority to the relying party to enable an informed recognition decision.

The Authority Recognition Research Group of the Grid Forum will explore the 
potential for simple, inexpensive, semi-automatable mechanisms by which a 
relying party will make the decision to recognize the assertions of an 
authority. It is hoped that such mechanisms will simplify and enable the 
establishment of trust between Grid participants.


There is a "Authority Recognition" draft document, which is a good 101 on the 
subject.
"http://forge.gridforum.org/projects/arrg-rg/document/Draft_Authority_Recognition-01/en/1";

Hope this helps.
-Frank.

RL 'Bob' Morgan wrote:

> Ken K mentioned there was a discussion about something called QIK,
> "qualified installation of keys", at the recent GGF meeting, in the CA-Ops
> WG.  I found a paper via Google:
>
>   http://caops.es.net/Documents/GGFVII/AlternativeGovernance.pdf
>
>   "Machine Assisted Trust Mechanisms for Grids", Madsen et al
>
> The main http://caops.es.net/ page claims this work has moved to a new
> (GGF?) research group, but that link doesn't work ...
>
> Anyway I mention it because the basic idea is I think quite consistent
> with our approach to key management in Shib, namely that the use of root
> keys by relying parties has to be associated with policy constraints
> specific to the applications they're used in, and that it helps to be able
> to express these constraints clearly and move them around.  Something like
> this scheme would presumably be how sites would distribute and advertise
> their own Shib metadata.  Paul Madsen, who is first author, is also active
> in Liberty, don't know whether these ideas are reflected there or not ...
>
>  - RL "Bob"

--
Frank Siebenlist               

The Globus Alliance - Argonne National Laboratory