MSO and multiple communities
Guy Rixon
gtr at ast.cam.ac.uk
Wed Jul 7 04:46:12 PDT 2004
On Wed, 7 Jul 2004, John Taylor wrote:
> > > > Suppose my identity is in community C1 and my group is in C2. My
> > > > target service trusts C2 but not C1.
> > > >
> > > If the service S does not trust your originating community C1, then you
> > > can't access the service.
> > > End of story.
> >
> > OK...in that case S only trusts a group warrant from C2 if the warrant
> > names an individual account at some Ci and S also trusts Ci. I.e., the
> > group warrant can't say 'the bearer of the public key xyz is a member of
> > group G'; it has to say that 'the caller X is a member of group G provided
> > that you can authenticate X as individual user I'. Possible, but we'd
> > better be aware of the distinction.
>
> Doesn't C2 just need to say to S 'the caller X is a member of group G and Ci
> has authenticated X as user I'? Then S can say "all very well, but I don't
> trust Ci. Service denied". Since S trusts C2, it can surely trust C2 not
> to spoof X's authenticating community.
C2 can only say this if it was involved in the logging-in process. Otherwise,
it doesn't have all the information.
Guy Rixon gtr at ast.cam.ac.uk
Institute of Astronomy Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
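The trust check the thread argues over, as an added example that is not part of the original post or of any project code: a service S holds a set of trusted communities, a group warrant from C2 must name an individual account I at some Ci rather than a bare key, and the proof that X really is I must come from Ci itself, since C2 cannot vouch for a login it was not part of. All class and field names are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class AuthAssertion:
    """Ci's own statement that it logged in individual account I (issued by Ci, not relayed by C2)."""
    issuer: str   # the authenticating community Ci
    user: str     # individual account I

@dataclass(frozen=True)
class GroupWarrant:
    """C2's statement that a caller is in group G, in one of the two forms from the thread."""
    issuer: str                           # C2
    group: str                            # G
    bearer_key: Optional[str] = None      # form 1: 'bearer of public key xyz is in G'
    user: Optional[str] = None            # form 2: 'X is in G provided you authenticate X as I'
    user_community: Optional[str] = None  # ... where I is an account at Ci

@dataclass(frozen=True)
class Service:
    trusted: frozenset  # communities S trusts, e.g. {"C2"}

    def authorize(self, warrant: GroupWarrant, auth: Optional[AuthAssertion],
                  required_group: str) -> Tuple[bool, str]:
        if warrant.issuer not in self.trusted:
            return False, f"warrant issuer {warrant.issuer} not trusted"
        if warrant.group != required_group:
            return False, f"warrant is for group {warrant.group}, need {required_group}"
        if warrant.bearer_key is not None or warrant.user is None:
            # A bare key binding names no individual account, so S has no Ci to check.
            return False, "warrant must name an individual account at some Ci"
        ci = warrant.user_community
        if ci not in self.trusted:
            return False, f"group warrant from {warrant.issuer} accepted, but {ci} not trusted"
        # Only Ci, which ran the login, can vouch that the caller X is user I.
        if auth is None or auth.issuer != ci or auth.user != warrant.user:
            return False, f"no authentication of {warrant.user} by {ci}"
        return True, f"{warrant.user}@{ci} is in {warrant.group} per {warrant.issuer}"

def thread_scenario() -> Tuple[bool, str]:
    """Identity in C1, group in C2, S trusts C2 but not C1 (constructed from the thread)."""
    s = Service(trusted=frozenset({"C2"}))
    warrant = GroupWarrant(issuer="C2", group="G", user="I", user_community="C1")
    auth = AuthAssertion(issuer="C1", user="I")
    return s.authorize(warrant, auth, "G")  # denied: C1 not trusted
```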