SSO authentication: a new approach

Guy Rixon gtr at ast.cam.ac.uk
Thu Mar 10 05:09:47 PST 2005


Paul,

thanks for the comments.

The "less-trusted" entities are the case where I trust some service to perform
a specific action, which I state via authorization tickets, but not to use my
other privileges. I think this _is_ a form of partial trust; maybe it needs
better explanation.

Diagrams will come in due course. I have one suitable one that I need to get
out of power point and I may draw others.

You're right: the interactions with other trust systems need discussion.  I'll
add material about this later.

Guy

On Thu, 10 Mar 2005, Paul Harrison wrote:

> I agree that this is the best starting point to create an architecture -
> in addition to the text, a diagram would be useful to illustrate the
> trust domains (with their contents) and the trust relationships between
> them. I think that this is a pretty good starting point. I have a couple
> of issues though
>
> * In the document you talk about "less-trusted" entities - surely in a
> trust model something should either be trusted or not-trusted, there can
> be no degrees of trust.
>
> * I think that there should be some discussion of what should be done in
> the case where there needs to be a trust relationship set up between an
> existing authentication system (e.g. the existing particle physics
> Grids) and the IVOA one.
>
> Guy Rixon wrote:
>
> >Hi everybody!
> >
> >The 2004 discussions of single-sign-on authentication stalled due to
> >disagreements and misunderstanding about the trust model. Since then, there
> >have been other discussions about this (in AstroGrid and in EuroVO-VOTech and
> >among the GWS members discussing VOStore). From this, I've synthesized a trust
> >model that seems to work and which defines the architecture of an SSO system
> >that we could use. Here's the initial document:
> >
> >  http://wiki.astrogrid.org/bin/view/Astrogrid/TrustModelForVO
> >
> >(VOTech and AG people: it's compatible with what I said at the DS-3 meeting.)
> >
> >(VOStore people: it's a poshed-up version of what we discussed earlier this
> >week.)
> >
> >If this finds favour, then I'll write it up as an IVOA document.
> >
> >It would be good if we could get some consensus on this trust model and
> >excellent if it could be agreed by or during the Kyoto interop.
> >
> >Please note that the trust model sets the requirements for the SSO protocols.
> >Until we sort out the trust model we can't sort out SSO.
> >
> >Cheers,
> >Guy
> >
> >Guy Rixon 				        gtr at ast.cam.ac.uk
> >Institute of Astronomy   	                Tel: +44-1223-337542
> >Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
> >
> >
>

Guy Rixon 				        gtr at ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523