SSO authentication: a new approach

Paul Harrison pah at jb.man.ac.uk
Thu Mar 10 04:34:52 PST 2005


I agree that this is the best starting point to create an architecture - 
in addition to the text, a diagram would be useful to illustrate the 
trust domains (with their contents) and the trust relationships between 
them. I think that this is a pretty good starting point. I have a couple 
of issues though:

* In the document you talk about "less-trusted" entities - surely in a 
trust model something should either be trusted or not-trusted, there can 
be no degrees of trust.

* I think that there should be some discussion of what should be done in 
the case where there needs to be a trust relationship set up between 
an existing authentication system (e.g. the existing particle physics 
Grids) and the IVOA one.

Guy Rixon wrote:

>Hi everybody!
>
>The 2004 discussions of single-sign-on authentication stalled due to
>disagreements and misunderstanding about the trust model. Since then, there
>have been other discussions about this (in AstroGrid and in EuroVO-VOTech and
>among the GWS members discussing VOStore). From this, I've synthesized a trust
>model that seems to work and which defines the architecture of an SSO system
>that we could use. Here's the initial document:
>
>  http://wiki.astrogrid.org/bin/view/Astrogrid/TrustModelForVO
>
>(VOTech and AG people: it's compatible with what I said at the DS-3 meeting.)
>
>(VOStore people: it's a poshed-up version of what we discussed earlier this
>week.)
>
>If this finds favour, then I'll write it up as an IVOA document.
>
>It would be good if we could get some consensus on this trust model and
>excellent if it could be agreed by or during the Kyoto interop.
>
>Please note that the trust model sets the requirements for the SSO protocols.
>Until we sort out the trust model we can't sort out SSO.
>
>Cheers,
>Guy
>
>Guy Rixon 				        gtr at ast.cam.ac.uk
>Institute of Astronomy   	                Tel: +44-1223-337542
>Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
>  
>


