
shibboleth-dev - Re: Using X.509 instead of Handles in AQM?


Re: Using X.509 instead of Handles in AQM?


  • From: "Von Welch" <>
  • To: "RL 'Bob' Morgan" <>
  • Cc: Shibboleth Dev Team <>
  • Subject: Re: Using X.509 instead of Handles in AQM?
  • Date: Wed, 5 Nov 2003 09:41:14 -0600


RL 'Bob' Morgan writes (09:19 November 4, 2003):
...
> Shib 1.1 only supports handles in various guises. Adding specific other
> subject identifiers would have to be done as part of a profile of the
> whole scenario, it seems to me; i.e., not just "use a DN" but also say where
> it comes from in the cert, how it relates to cert issuer, etc.

I'm not sure if you're saying here that a subject name may not be
sufficient (for example, identity should be expressed as both Issuer
and Subject Name) or that you may only want some portion of the name
(for example, just pull out the CN and send to the AA)?

...
> I think you're suggesting a scenario where the user gets attribute
> statements from an Attribute Authority and then passes them along to
> someone else.

More generally I'm thinking about the scenario where the identity
issuer is not the same organization as the attribute authority or
authorities.

For example, the DOE Grids CA currently serves a number of VOs by
issuing identity certificates to their users. These certificates have
a flat namespace (i.e. no indication of VO membership), because users
tend to be members of multiple VOs, switch VOs, etc.

These VOs and their resource providers are already badly wanting some
sort of RBAC. In the simplest case the same folks running the DOE
Grids CA could run an AA for all the VOs and just let them administer
their policy space in that authority.

But I fear there will be VOs that, for various reasons both good and
bad, will run their own AA.

So I'm thinking about how the WAYF problem will be solved in a
non-interactive scenario where multiple AAs are associated with a
single identity provider. So far it seems like one would either need
one or more WAYF tokens that get pushed around or push the attributes
themselves.

(Just to be clear, solving this problem is something I'd put clearly
second to having a good AA per identity provider working - don't let
the perfect stand in the way of the good - but I'm just wanting to
understand how hard it would be to solve with Shib.)

> - RL "Bob"

Thanks,

Von
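The two design questions raised in this message, what part of the certificate identity to send to an AA and how to find the right AAs when the certificate issuer is not the attribute authority, can be made concrete with a small script. The following is an added example, not code from the Shibboleth project or from anyone in this thread; the DN strings, the CA names and the AA URLs are constructed for illustration and `AA_REGISTRY` is a hypothetical issuer-to-AA lookup standing in for whatever discovery mechanism a deployment would actually use.

```python
"""Added example (not part of the original thread): how the choice of subject
identifier affects uniqueness when the identity issuer (a CA) is separate from
the attribute authorities (AAs), and how an issuer-keyed registry can replace
an interactive WAYF step. All DNs, CA names and URLs below are constructed."""
from dataclasses import dataclass


def parse_dn(dn: str) -> dict:
    """Split a comma-separated DN string into {ATTR: value}, honouring '\\,' escapes.
    Toy parser: assumes single-valued RDNs with no quoted or multi-valued forms."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    out = {}
    for part in parts:
        attr, _, value = part.strip().partition("=")
        out[attr.strip().upper()] = value.strip()
    return out


@dataclass(frozen=True)
class CertIdentity:
    """Issuer and subject DN taken from an identity certificate (values constructed)."""
    issuer: str
    subject: str


# Three candidate ways of naming the user towards an AA.
def key_cn_only(ident: CertIdentity) -> str:
    return parse_dn(ident.subject)["CN"]


def key_subject_only(ident: CertIdentity) -> str:
    return ident.subject


def key_issuer_and_subject(ident: CertIdentity) -> tuple:
    return (ident.issuer, ident.subject)


def find_collisions(identities, keyfn) -> set:
    """Return the keys under which two distinct certificate identities would be
    treated as the same principal by an AA that uses keyfn as its identifier."""
    seen, collisions = {}, set()
    for ident in identities:
        key = keyfn(ident)
        if key in seen and seen[key] != ident:
            collisions.add(key)
        seen.setdefault(key, ident)
    return collisions


# Constructed sample: the same person name under two CAs, plus one certificate
# that reuses a subject DN under a different issuer.
SAMPLE_IDENTITIES = [
    CertIdentity("CN=Example Grid CA,O=Example,C=US",
                 "CN=Jane Doe,OU=People,O=Example,C=US"),
    CertIdentity("CN=Campus CA,O=Example University,C=US",
                 "CN=Jane Doe,OU=Staff,O=Example University,C=US"),
    CertIdentity("CN=Campus CA,O=Example University,C=US",
                 "CN=Jane Doe,OU=People,O=Example,C=US"),
]

# Hypothetical registry: which AAs are associated with which identity issuer.
# A flat-namespace CA gives no VO hint, so the issuer is the only non-interactive key.
AA_REGISTRY = {
    "CN=Example Grid CA,O=Example,C=US": [
        "https://aa.vo-alpha.example/shibboleth/aa",
        "https://aa.vo-beta.example/shibboleth/aa",
    ],
    "CN=Campus CA,O=Example University,C=US": [
        "https://aa.example-university.example/shibboleth/aa",
    ],
}


def resolve_aas(ident: CertIdentity, registry=AA_REGISTRY) -> list:
    """Non-interactive WAYF substitute: every AA registered for the cert's issuer."""
    return list(registry.get(ident.issuer, []))


if __name__ == "__main__":
    for name, fn in [("CN only", key_cn_only), ("subject DN", key_subject_only),
                     ("issuer + subject", key_issuer_and_subject)]:
        print(f"{name:18} collisions: {find_collisions(SAMPLE_IDENTITIES, fn)}")
    print("AAs for first identity:", resolve_aas(SAMPLE_IDENTITIES[0]))
```

Run as a script it shows that keying on the CN alone merges every "Jane Doe", keying on the subject DN alone still merges two certificates from different CAs, and only the issuer plus subject pair keeps them apart, which is the concrete reason a profile would need to say how the identifier relates to the cert issuer. The registry lookup shows the "push the attributes" alternative is not the only option: if the relying party can map issuer to AAs, it can pull from each of them without asking the user.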



