shibboleth-dev - RE: Fwd: More detailed Grid scenarios

Subject: Shibboleth Developers

  • From: "David L. Wasley" <>
  • To: Scott Cantor <>, "'Von Welch'" <>
  • Cc:
  • Subject: RE: Fwd: More detailed Grid scenarios
  • Date: Mon, 12 Jan 2004 15:22:36 -0800

That's a good example, and the answer is basically "nothing." In fact that
example has come up in the context of PKI credentials - why not simply use
whatever cert a student has when they come to campus instead of issuing them
a new, campus cert?

If you decompose the problem of access management into (1) having some
reliable digital token associated with a particular individual and (2) being
able to use that token to obtain necessary and reliable information about
that individual, then one can imagine outsourcing one, or even both, aspects.

WRT a reliable token - if it is outsourced, i.e. a token issued to someone by
a different party, then I'd want to know how strong the binding is, how
unique and persistent the token is, etc. Given that it is reliable enough, I
might choose to use it at least for some things, e.g. application for
admission, or maybe lots of things.

WRT information associated with the token - I might choose to believe some
things from an external party, e.g. human name, but not others, e.g. grade in
Physics 101. It's definitely the information for which the institution is
authoritative that it wants to control.

As for VO versus O, the only distinction I can come up with is that it may
not have a physical "home" (it camps out in existing homes :-). It clearly
has "history" and "records," it may have "legal standing," especially if it
has "assets" or "liabilities." It has some mechanism for deciding who is a
member and when they are no longer a member (the "in's" vs the "out's"). It
might even have money and pay salaries!

So here's maybe the bottom line for the class of VO-like groups: can they
"borrow" use of an AA from an existing organization? In other words, they
"borrow" office space, local human identifiers, machine room space,
secretarial help, etc. etc. In order to manage access to their on-line
resources, they may need to "borrow" AuthZ support from somewhere.

I'd love to hear from others about VO versus O ...

David
-----
At 5:12 PM -0500 on 1/12/04, Scott Cantor wrote:

> > What am I missing?
>
>In my mind, there's nothing missing here except a meaningful distinction
>between VO and O. If I as a small community college want to outsource my
>authentication (but not authz) to some third party, how am I any different
>than a VO in your model?
>
>-- Scott



