MSO and multiple communities

Guy Rixon gtr at ast.cam.ac.uk
Tue Jul 6 08:15:24 PDT 2004


On Tue, 6 Jul 2004, Dave Morris wrote:

> Guy Rixon wrote:
>
> >On Tue, 6 Jul 2004, Tony Linde wrote:
> >
> >>>If we say that a user can be in a group in a community but
> >>>not actually in that community, then isn't it a bit hard?
> >>>
> >>Why? The list of members in the group includes that user's account id. No?
> >>
> >Suppose my identity is in community C1 and my group is in C2.  My target
> >service trusts C2 but not C1.
> >
> If the service S does not trust your originating community C1, then you
> can't access the service.
> End of story.

OK...in that case S only trusts a group warrant from C2 if the warrant
names an individual account at some Ci and S also trusts Ci.  I.e., the group
warrant can't say 'the bearer of the public key xyz is a member of group G';
it has to say that 'the caller X is a member of group G provided that you
can authenticate X as individual user I'.  Possible, but we'd better be aware
of the distinction.

Also bear in mind that it's impossible to make a CA secure retroactively.  You
have to shut down the CA, kick all the miscreants out of the community (or
have all the community members re-register), then rebuild all the remote
groups and start over with a new CA with a new certificate.  So we'd better
start the communities off on a good footing.


> I'm not sure I see the problem though.
> It puts the responsibility on Community administrators to make their
> Communities trustworthy.
>
> Don't register with an insecure Community.
>
> Dave
>

Guy Rixon                                  gtr at ast.cam.ac.uk
Institute of Astronomy                     Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA     Fax: +44-1223-337523
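As an added illustration of the rule Guy states above (this is not code from the thread or from any project it refers to), here is a small Python model of the check S would make before honouring a group warrant; the names Service, GroupWarrant, accept_group_warrant and the sample accounts and communities are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class GroupWarrant:
    """What the group's home community (C2 in the thread) asserts."""
    issuer: str                           # community that hosts the group
    group: str
    member_account: Optional[str] = None  # 'user@community' when an individual is named
    bearer_key: Optional[str] = None      # set instead for a 'bearer of key xyz' warrant


@dataclass
class Service:
    """The target service S and the communities whose assertions it trusts."""
    name: str
    trusted_communities: frozenset


def accept_group_warrant(service: Service, warrant: GroupWarrant,
                         authenticated_caller: Optional[str]) -> Tuple[bool, str]:
    """Apply the rule from the thread: the warrant must name an individual
    account at some community Ci, S must trust both the warrant's issuer and
    Ci, and S must have authenticated the caller as exactly that individual.
    Returns (decision, reason)."""
    if warrant.issuer not in service.trusted_communities:
        return False, f"{service.name} does not trust issuer {warrant.issuer}"
    if warrant.member_account is None:
        # A bearer-style warrant ties membership to a key, not to an account
        # that S can check against a community it trusts.
        return False, "bearer-style warrant names no individual account"
    user, _, home = warrant.member_account.rpartition("@")
    if not user or home not in service.trusted_communities:
        return False, f"{service.name} does not trust home community {home or '?'}"
    if authenticated_caller != warrant.member_account:
        return False, "caller was not authenticated as the named individual"
    return True, f"{user} at {home} is in group {warrant.group} per {warrant.issuer}"


# Constructed scenario from the thread: identity at C1, group at C2.
ALICE = "alice@C1"
WARRANT = GroupWarrant(issuer="C2", group="G", member_account=ALICE)
BEARER = GroupWarrant(issuer="C2", group="G", bearer_key="xyz")
S_TRUSTS_C2_ONLY = Service("S", frozenset({"C2"}))
S_TRUSTS_BOTH = Service("S", frozenset({"C1", "C2"}))

if __name__ == "__main__":
    for svc in (S_TRUSTS_C2_ONLY, S_TRUSTS_BOTH):
        print(sorted(svc.trusted_communities), accept_group_warrant(svc, WARRANT, ALICE))
    print(accept_group_warrant(S_TRUSTS_BOTH, BEARER, ALICE))
```

With S trusting only C2 the named-individual warrant is refused because C1 is untrusted, which is Dave's "end of story" case; trusting both communities admits it, while a bearer-style warrant is refused regardless.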