MSO and multiple communities

Guy Rixon gtr at ast.cam.ac.uk
Tue Jul 6 07:07:34 PDT 2004


On Tue, 6 Jul 2004, Tony Linde wrote:

> > Suppose user U joins community A. Service providers X and Y
> > trust A, therefore accept requests from U(A). Service
>
> I'm not sure I know what you mean by trust.
>
> I would have thought trust was to do with authentication. You authenticate
> yourself to the server to which you sign on and rely on that server being
> trusted by downstream servers.

Yes.

> If you mean privileges, these reside in the groups. If a person is a member
> of a group then they have the privileges of that group. That may include
> access to data, storage rights at a given location etc.

Yes.

> How a (data, storage, etc) service knows that it can trust some request that
> says that the person belongs to a privileged group is another issue, but it
> still has nothing to do with communities.

No. In the proposed model, the community is the certificate authority.  The
service provider has to trust the operation of the CA in order to accept that
CA's warrants _during authentication_.  If the service provider doesn't trust
a community's CA then authentication fails.

In fact, there are three distinct trust relationships between service S and
community CA C:

 1. S trusts C;

 2. S does not know C;

 3. S actively distrusts C (thinks C's security is broken).


