MSO and multiple communities
John Taylor
jdt at roe.ac.uk
Wed Jul 7 04:38:35 PDT 2004
> > >Suppose my identity is in community C1 and my group is in C2. My target
> > >service trusts C2 but not C1.
> > >
> > If the service S does not trust your originating community C1, then you
> > can't access the service.
> > End of story.
>
> OK...in that case S only trusts a group warrant from C2 if the warrant
> names an individual account, at some Ci and S also trusts Ci. I.e., the group
> warrant can't say 'the bearer of the public key xyz is a member of group G';
> it has to say that 'the caller X is a member of group G provided that you
> can authenticate X as individual user I'. Possible, but we'd better be aware
> of the distinction.
Doesn't C2 just need to say to S 'the caller X is a member of group G and Ci
has authenticated X as user I'? Then S can say "all very well, but I don't
trust Ci. Service denied". Since S trusts C2, it can surely trust C2 not
to spoof X's authenticating community.
=====================================
John Taylor +44 (0) 131 668 8328
Astrogrid Java Developer
Royal Observatory of Edinburgh
http://www.roe.ac.uk/ifa/about/directory.html
=====================================
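
The check discussed in this thread, as an added example that is not part of the original message or of any AstroGrid code: service S accepts a group warrant from C2 only when the warrant names the community that authenticated the caller and S also trusts that community. The warrant format, the function names, the community C3 and the keys are assumptions made for illustration, and an HMAC under a key shared with C2 stands in for C2's signature.

```python
import hashlib
import hmac
import json

# Constructed sample data: community names and keys are illustrative only.
# HMAC with a key shared between S and C2 stands in for C2's signature.
C2_KEY = b"constructed-demo-key-for-C2"
ISSUER_KEYS = {"C2": C2_KEY}      # communities whose group warrants S accepts
TRUSTED_FOR_AUTHN = {"C2", "C3"}  # communities S trusts to authenticate users


def issue_warrant(issuer, key, group, subject, authn_community=None):
    """Build a warrant as the issuing community would (hypothetical format)."""
    claims = {"issuer": issuer, "group": group, "subject": subject,
              "authn_community": authn_community}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def authorize(warrant, required_group):
    """Return (allowed, reason) for service S."""
    claims = json.loads(warrant["body"])
    key = ISSUER_KEYS.get(claims.get("issuer"))
    if key is None:
        return False, "warrant issuer not trusted"
    expected = hmac.new(key, warrant["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, warrant["tag"]):
        return False, "warrant integrity check failed"
    if claims.get("group") != required_group:
        return False, "wrong group"
    authn = claims.get("authn_community")
    if authn is None:
        return False, "bearer warrant: no authenticating community named"
    if authn not in TRUSTED_FOR_AUTHN:
        return False, "authenticating community %s not trusted" % authn
    return True, "ok"


def tamper_authn(warrant, new_community):
    """Rewrite the authenticating community without re-signing (for the demo)."""
    claims = json.loads(warrant["body"])
    claims["authn_community"] = new_community
    return {"body": json.dumps(claims, sort_keys=True).encode(),
            "tag": warrant["tag"]}
```

Because the authenticating community sits inside the body that C2 protects, S's trust in C2 covers that claim as well, and a warrant whose community field is altered after issue fails the integrity check.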