
shibboleth-dev - Re: QIK proposal re public key management

Re: QIK proposal re public key management


  • From: Frank Siebenlist
  • To: RL 'Bob' Morgan
  • Cc: Shibboleth Dev Team
  • Subject: Re: QIK proposal re public key management
  • Date: Wed, 15 Oct 2003 21:42:38 -0700

There is a new Authority Recognition RG at GGF with Paul Madsen as one of the chairs. (http://forge.gridforum.org/projects/arrg-rg/)

This work builds on and extends the QIK effort.

Research Group Charter:

Trust between entities in many transactions is enabled by a separate authority issuing assertions (e.g. X.509 certificates, SAML assertions, Kerberos tickets, etc) regarding the identity and/or other characteristics of the actors involved.

The assertions issued by an authority must be recognized as valid and appropriate to its requirements before a party will rely on them. Whether or not an assertion from a particular authority is appropriate will depend on a number of factors, including the commitments the authority makes with respect to the assertion, the liabilities the authority is willing to assume, and the obligations assumed by the relying party if they use the assertion. Existing mechanisms do not facilitate the dissemination of this information from the authority to the relying party to enable an informed recognition decision.

The Authority Recognition Research Group of the Grid Forum will explore the potential for simple, inexpensive, semi-automatable mechanisms by which a relying party will make the decision to recognize the assertions of an authority. It is hoped that such mechanisms will simplify and enable the establishment of trust between Grid participants.


There is an "Authority Recognition" draft document, which is a good 101 on the subject.
http://forge.gridforum.org/projects/arrg-rg/document/Draft_Authority_Recognition-01/en/1

Hope this helps.
-Frank.

RL 'Bob' Morgan wrote:

Ken K mentioned there was a discussion about something called QIK,
"qualified installation of keys", at the recent GGF meeting, in the CA-Ops
WG. I found a paper via Google:

http://caops.es.net/Documents/GGFVII/AlternativeGovernance.pdf

"Machine Assisted Trust Mechanisms for Grids", Madsen et al

The main http://caops.es.net/ page claims this work has moved to a new
(GGF?) research group, but that link doesn't work ...

Anyway, I mention it because the basic idea is I think quite consistent
with our approach to key management in Shib, namely that the use of root
keys by relying parties has to be associated with policy constraints
specific to the applications they're used in, and that it helps to be able
to express these constraints clearly and move them around. Something like
this scheme would presumably be how sites would distribute and advertise
their own Shib metadata. Paul Madsen, who is the first author, is also active
in Liberty, don't know whether these ideas are reflected there or not ...

- RL "Bob"


--
Frank Siebenlist

The Globus Alliance - Argonne National Laboratory
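The principle Bob describes above, a root key that a relying party accepts only under policy constraints specific to the application it is used in, as an added example that is not code from Shibboleth, QIK, ARRG or the paper cited. The assertion format, the field names (issuer, subject, audience, kind, issued_at), the host names and the policy fields of the Recognition record are all constructed for this illustration; Ed25519 is used only because it is in Go's standard library, whereas the systems discussed use X.509 and SAML. The point it makes is that a valid signature is necessary but not sufficient: the same key is recognized for one audience and rejected for another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a constructed, minimal stand-in for the X.509/SAML/Kerberos-style
// assertions the charter lists; the field names are this example's own.
type Assertion struct {
	Issuer   string    `json:"issuer"` // authority vouching for the subject
	Subject  string    `json:"subject"`
	Audience string    `json:"audience"` // application the assertion is meant for
	Kind     string    `json:"kind"`     // e.g. "authn" or "attribute"
	IssuedAt time.Time `json:"issued_at"`
}

// SignedAssertion is the serialized payload plus the authority's signature over it.
type SignedAssertion struct {
	Payload []byte
	Sig     []byte
}

// Recognition is one relying-party policy record: a root key plus the constraints
// under which this party will act on it. The key is recognized, not trusted outright.
type Recognition struct {
	Key       ed25519.PublicKey
	Issuers   []string
	Audiences []string
	Kinds     []string
	NotBefore time.Time
	NotAfter  time.Time
	MaxAge    time.Duration // reject assertions older than this
}

// Sign is the authority side: serialize the assertion and sign the bytes.
func Sign(priv ed25519.PrivateKey, a Assertion) (SignedAssertion, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

func contains(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// Recognize is the relying-party decision: accept only if some record both verifies
// the signature and permits this use; a valid signature outside policy is a rejection.
func Recognize(anchors []Recognition, sa SignedAssertion, now time.Time) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Assertion{}, err
	}
	err := errors.New("no recognized key verifies this signature")
	for _, r := range anchors {
		if !ed25519.Verify(r.Key, sa.Payload, sa.Sig) {
			continue
		}
		switch {
		case !contains(r.Issuers, a.Issuer):
			err = fmt.Errorf("key not recognized for issuer %q", a.Issuer)
		case !contains(r.Audiences, a.Audience):
			err = fmt.Errorf("key not recognized for audience %q", a.Audience)
		case !contains(r.Kinds, a.Kind):
			err = fmt.Errorf("key not recognized for assertion kind %q", a.Kind)
		case now.Before(r.NotBefore) || now.After(r.NotAfter):
			err = errors.New("recognition record outside its validity window")
		case a.IssuedAt.After(now) || now.Sub(a.IssuedAt) > r.MaxAge:
			err = errors.New("assertion from the future or older than MaxAge")
		default:
			return a, nil
		}
	}
	return Assertion{}, err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	// Constructed policy: this IdP key is recognized for logins to the wiki only.
	anchors := []Recognition{{Key: pub, Issuers: []string{"idp.example.edu"}, Audiences: []string{"wiki.example.edu"},
		Kinds: []string{"authn"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), MaxAge: 5 * time.Minute}}
	for _, aud := range []string{"wiki.example.edu", "payroll.example.edu"} {
		sa, _ := Sign(priv, Assertion{Issuer: "idp.example.edu", Subject: "alice", Audience: aud, Kind: "authn", IssuedAt: now})
		_, err := Recognize(anchors, sa, now)
		fmt.Printf("audience %s: err=%v\n", aud, err)
	}
}
```

The Recognition record is the thing Bob wants to "express clearly and move around": a site could publish a signed list of such records alongside its keys, and a relying party would import them rather than a bare root key. Recognize keeps scanning after a constraint failure because the same key may appear in a second record with a different scope; only the last failure reason is reported.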



