MSO and multiple communities
Dave Morris
dave at ast.cam.ac.uk
Tue Jul 6 06:39:17 PDT 2004
Guy Rixon wrote:
>>Would it work if a Community issued a warrant (certificate) when an
>>Account joined a Group at that Community?
>>An Account would then have a primary identity certificate signed by
>>their 'home' Community, to prove who they are, plus a set of membership
>>certificates signed by other Communities to prove that they belong to
>>Groups on those Communities.
>>
>>
>
>Nearly. The warrants are supposed to be short-lived, so the group warrants
>have to be collected at time of sign-on (start of each session). Therefore,
>one has to be able to find all the group-granting communities from the primary
>community. That's doable.
>
>
Yep, if a Community for an Account keeps a list of Groups that that
Account is a member of, then it can use this to get the membership warrants.
Could even be delayed, and only done when a warrant is required.
Client service could keep a cache of membership warrants for this
session, and only call the remote Communities when it needs to prove
group membership.
This avoids a message storm of warrant requests when a user logs in to
check the news pages.
However, there is a usability problem with this model.
a) The user needs to be aware of what membership warrants are required
for which actions and selects them when designing a workflow.
b) All the membership warrants are sent with every message (message
bloat - a 2 line status request may end up with 50+ warrants in the header).
c) The system works it all out - a complex problem that we haven't solved
yet (particularly if workflow execution can dynamically swap between
equivalent services based on availability etc.)
Dave
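
The lazy, per-session warrant cache described in the message above, as an added example that is not part of the original post or of the project's code. The class names, the `issue` callback standing in for the call to a remote Community, and the injected clock are assumptions for illustration; it also shows attaching only the warrants an action needs, which bears on the message-bloat point in (b).

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Warrant:
    """Short-lived membership warrant (hypothetical structure, signature omitted)."""
    account: str
    community: str
    group: str
    expires_at: float  # absolute time after which the warrant must not be used


class SessionWarrantCache:
    """Fetch membership warrants only when required and reuse them for the session."""

    def __init__(self, account, memberships, issue, clock=time.time):
        self.account = account
        # The home Community's list of (community, group) pairs for this Account.
        self.memberships = set(memberships)
        # Hypothetical callback: issue(account, community, group) -> Warrant.
        self.issue = issue
        self.clock = clock
        self.cache = {}
        self.remote_calls = 0  # counts requests sent to remote Communities

    def get(self, community, group):
        key = (community, group)
        if key not in self.memberships:
            raise PermissionError(f"{self.account} is not listed in {group}@{community}")
        warrant = self.cache.get(key)
        if warrant is None or warrant.expires_at <= self.clock():
            # Missing or expired: ask the granting Community for a fresh warrant.
            warrant = self.issue(self.account, community, group)
            self.remote_calls += 1
            self.cache[key] = warrant
        return warrant

    def headers_for(self, required):
        """Return only the warrants one action needs, not the whole set."""
        return [self.get(community, group) for community, group in required]
```

Constructing the cache at sign-on sends no requests; a remote Community is contacted only on the first `get` for a group or after the cached warrant has expired.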