MSO and multiple communities

Guy Rixon gtr at ast.cam.ac.uk
Tue Jul 6 07:16:27 PDT 2004


On Tue, 6 Jul 2004, Tony Linde wrote:

> > If we say that a user can be in a group in a community but
> > not actually in that community, then isn't a bit hard?
>
> Why? The list of members in the group includes that user's account id. No?

Suppose my identity is in community C1 and my group is in C2.  My target
service trusts C2 but not C1.  I can sign in to C2, to get the group warrant
in two ways:

 1. directly, without reference to C1;

 2. indirectly, by signing in to C1 and having C1 get the warrant from C2.

In case 1, the identity registration in C1 has no purpose, since I don't use it
to get the warrant.

In case 2, C2 is betraying S's trust because it is making its own security
dependent on the security at C1, which S distrusts.


