MSO and multiple communities

Tue Jul 6 06:53:36 PDT 2004

On Tue, 6 Jul 2004, Dave Morris wrote:

> Guy Rixon wrote:
>
> >>Would it work if a Community issued a warrant (certificate) when an
> >>Account joined a Group at that Community ?
> >>An Account would then have a primary identity certificate signed by
> >>their 'home' Community, to prove who they are, plus a set of membership
> >>certificates signed by other Communities to prove that they belong to
> >>Groups on those Communities.
> >
> >Nearly.  The warants are supposed to be short-lived, so the group warrants
> >have to be collected at time of sign-on (start of each session). Therefore,
> >one has to be able to find all the group-granting communities from the primary
> >community.  That's doable.
> >
> >
> Yep, if a Community for an Account keeps a list of Groups that that
> Account is a member of, then it can use this to get the membership warrants.
> Could even be delayed, and only done when a warrant is required.
> Client service could keep a cache of membership warrants for this
> session, and only call the remote Communitites when it needs to prove
> group membership.
> This avoids a message storm of warrant requests when a user logs in to
> check the news pages.
>
> However, there is a useability problem with this model.
> a) The user needs to be aware of what membership warrants are required
> for which actions and selects them when designing a workflow.

This would be a policy look-up on the registry.

> b) All the membership warrants are sent with every message (message
> bloat - a 2 line status request may end up with 50+ warrants in the header).

A good reason for using X.509 instead of SAML - much more compact.

> c) The system works it all out - a complex problem that we havn't solved
> yet (particularly if workflow execution can dynamically swap between
> equivalent services based on availability etc.)

(d) Back to the pull model: service knows which groups are relevant (because
service has internal authorization tables mapping groups to privileges) and
which communities host which groups (because it looked them up when setting
up its authZ tables); so service pulls the warrants required from the
community services.

Pro: minimized warrants sent to service.

Con: service has to interact with many communities at time of call;
all must be up and there are more (but smaller) messages.

Con: user agent has to associate the same key pair with all the communities
=> user agent has to log in to each community at the start of the session
=> use ragent has to know which communities are relevant.

> Dave
>
>

Guy Rixon 				        gtr at ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523