SSO authentication: a new approach
    Ray Plante
    rplante at ncsa.uiuc.edu
    Wed Mar 16 16:23:29 CET 2005

On Wed, 16 Mar 2005, Paul Harrison wrote:
> What makes it a pain normally to get a certificate (in the UK at least) 
> is that once you have made the certificate request with the shared 
> secret from your private key, you are expected to turn up in person at 
> the CA before they will push the button to send the signed certificate 
> back to you - we could relax that process so that the CA always will 
> return the signed certificate without this human step. At which point 
> the identity confirmed by the certificate is effectively a member of the 
> anonymous community - for this identity to be admitted into other more 
> privileged communities perhaps they would have to undergo some more 
> rigorous identity check. It means that when checking for authority to do 
> an operation, the privileges will have been assigned to communities and 
> then a community service will have to be consulted to check if the 
> identity belongs to the community.
This seems a reasonable alternative.  I had had the idea that 
authorization policy should be set locally by service providers; however, 
this plan would require this association with the anonymous community at a 
higher (say, VO project) level.
(Thanks for pushing on this thread!)
cheers,
Ray
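The authorization flow sketched in the quoted message (privileges assigned to communities, a community service consulted for membership, every certificate holder falling into an anonymous community by default) can be modelled in a few lines. The following is an added illustration written for this page, not code from the dsp list or from any IVOA project; the class names, the community names and the sample certificate subject names are all constructed for the example. It also shows the point Ray raises: the service provider keeps its own local policy (which operations each community may perform), while the community-to-identity association lives in a shared registry at the VO level.

```python
"""Toy model of community-based authorization as discussed in the thread.

Constructed illustration, not code from the dsp list or any IVOA project.
CommunityService, ServicePolicy, the community names and the identities
below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Every holder of an automatically issued certificate belongs to this community.
ANONYMOUS = "anonymous"


@dataclass
class CommunityService:
    """VO-level registry of which identities were admitted to which communities.

    Admission to anything beyond `anonymous` stands for the more rigorous
    identity check described in the thread.
    """
    memberships: Dict[str, Set[str]] = field(default_factory=dict)

    def admit(self, identity: str, community: str) -> None:
        self.memberships.setdefault(identity, set()).add(community)

    def communities_of(self, identity: str) -> Set[str]:
        # A valid certificate alone earns anonymous membership; every other
        # community must have been granted explicitly.
        return {ANONYMOUS} | self.memberships.get(identity, set())


@dataclass
class ServicePolicy:
    """A service provider's local policy: operation -> communities allowed.

    Privileges are attached to communities, never to individual identities,
    so the service only needs the membership lookup to decide.
    """
    allowed: Dict[str, Set[str]]

    def authorize(self, identity: Optional[str], operation: str,
                  registry: CommunityService) -> bool:
        # No certificate presented at all: not even anonymous.
        if identity is None:
            return False
        # Operation not covered by local policy: deny by default.
        required = self.allowed.get(operation)
        if not required:
            return False
        return bool(required & registry.communities_of(identity))


def demo() -> Dict[str, bool]:
    """Run the model over constructed identities and return the decisions."""
    registry = CommunityService()
    # Constructed sample identities (certificate subject names).
    registry.admit("CN=Alice,O=ExampleVO", "vo-staff")
    registry.admit("CN=Bob,O=ExampleVO", "archive-curators")

    # Constructed local policy for one service provider.
    policy = ServicePolicy(allowed={
        "query": {ANONYMOUS},                       # anyone holding a certificate
        "upload": {"vo-staff", "archive-curators"},
        "delete": {"archive-curators"},
    })

    alice, bob, carol = "CN=Alice,O=ExampleVO", "CN=Bob,O=ExampleVO", "CN=Carol,O=Other"
    return {
        "alice_query": policy.authorize(alice, "query", registry),
        "alice_upload": policy.authorize(alice, "upload", registry),
        "alice_delete": policy.authorize(alice, "delete", registry),
        "bob_delete": policy.authorize(bob, "delete", registry),
        "carol_query": policy.authorize(carol, "query", registry),    # anonymous only
        "carol_upload": policy.authorize(carol, "upload", registry),
        "nocert_query": policy.authorize(None, "query", registry),
        "alice_unknown_op": policy.authorize(alice, "purge", registry),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {'allow' if decision else 'deny'}")
```

The split matters operationally: a compromised or over-permissive local policy only affects that one service, whereas the community registry is the single place to revoke an identity's elevated standing, so it is the component whose integrity and availability the whole scheme depends on.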