SSO authentication: a new approach

Ray Plante rplante at ncsa.uiuc.edu
Thu Mar 10 08:39:38 PST 2005


Hi Guys,

(no pun intended.)

I think the time is right to try to tackle this on in the VO.  I pretty 
much agree with Guy's write up.  I just want to share my current take on 
some of the issues he brings up.  I also want to share part 1 of a 3-part 
white paper (attached) I'm working on addressing authorization issues 
(but which also talks about authentication).  I think it's largely 
consistent with Guy's vision.  One caveat about the white paper: it is 
meant to lay out how we could manage authorization using a particular grid 
tool (Globus Community Authorization Service); however, the model need not 
be dependent on this.  I think an equivalent system could be assembled 
using, say, Shibboleth.  

> single sign-on

Yes!

> single registration system

As Guy points out, if we want trust to transfer across administration 
domains, we need to minimize the number of roots of trust (i.e. CAs).  A 
single registration system for the global VO would do it; however, 
administratively, I'm not sure how practical this is (because services 
need to be maintained...$$$...and the whole thing).  So, I was thinking 
perhaps this might be handled on a per-project basis--e.g. NVO, 
AstroGrid/EVO, JVO, etc.--and then these projects would agree to trust 
each other's CAs.  At least a per-project approach might be a good first 
step to ultimately a global CA.  

> where to register (home institutions)

I'm not sure how doable this is in the near-term for a few reasons:

  o  I'm not sure I could convince anyone at my home astronomy department 
     (let alone someone higher up in the University food chain) to take 
     this responsibility.  Perhaps after VO gets more community traction, 
     this would be more practical.  

     Shibboleth operates this way, but typically it leverages the 
     university's library, which already manages users on a university 
     level.  I guess if we use Shibboleth, perhaps we can leverage this 
     infrastructure.  

  o  Many legitimate users may not be part of an institution that can 
     readily manage approval.  In addition to amateurs and astronomers 
     working in industry, I think we might include the lone astronomer at 
     a small teaching college.

Nevertheless, strong trust starts with trusted humans, so this may be the 
only practical way to do it on the large scale.  I'll note that 
observatories have an operational trust model when they dole out telescope 
time.  Perhaps we can leverage this.  

On Thu, 10 Mar 2005, Paul Harrison wrote:
> * In the document you talk about "less-trusted" entities - surely in a 
> trust model something should either be trusted or not-trusted, there can 
> be no degrees of trust.

Actually, I think we do need to support "less-trusted" entities, as the 
attached document argues.  Many services we'll want to provide, including 
VOStore, do not actually require that the user connecting is actually who 
they say they are; they only need to guarantee that the person connecting 
is the person who originally, say, created the space.  This is the model 
for the hundreds of portals we already have logins for today to which we 
could have registered a fake name.  

I have proposed the concept of a "weak" certificate.  These are less 
trusted certificates that are granted without a human in the loop as is 
done with a traditional "strong" certificate.  

cheers,
Ray
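The weak-versus-strong certificate distinction and the per-project CA trust discussed in the message above, as a constructed Python model that is not part of the original post or of any VO software: CA signatures are simulated with HMAC tags over made-up CA names and secrets (an assumption for illustration only), and the VOStore policy shows where a weak certificate suffices (continuity of ownership of a space) and where only a strong one does.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed trust store: each project runs its own CA and the projects
# agree to trust each other's CAs.  A CA is "strong" if registration has a
# human in the loop and "weak" if certificates are issued automatically.
# The keys are toy HMAC secrets standing in for real CA signing keys.
TRUSTED_CAS = {
    "NVO-CA":       {"key": b"nvo-strong-secret", "assurance": "strong"},
    "AstroGrid-CA": {"key": b"ag-strong-secret",  "assurance": "strong"},
    "NVO-Weak-CA":  {"key": b"nvo-weak-secret",   "assurance": "weak"},
}

@dataclass(frozen=True)
class Cert:
    subject: str   # the name the user registered (may be fake under a weak CA)
    issuer: str    # which CA vouches for that name
    tag: str       # simulated CA signature over issuer|subject

def _tag(key: bytes, issuer: str, subject: str) -> str:
    return hmac.new(key, f"{issuer}|{subject}".encode(), hashlib.sha256).hexdigest()

def issue(issuer: str, subject: str) -> Cert:
    """Issue a certificate from one of the trusted CAs (toy signing)."""
    return Cert(subject, issuer, _tag(TRUSTED_CAS[issuer]["key"], issuer, subject))

def verify(cert: Cert):
    """Return 'strong' or 'weak' if the cert chains to a trusted CA, else None."""
    ca = TRUSTED_CAS.get(cert.issuer)
    if ca is None:
        return None  # unknown root of trust: no cross-project agreement covers it
    if not hmac.compare_digest(_tag(ca["key"], cert.issuer, cert.subject), cert.tag):
        return None  # forged or tampered certificate
    return ca["assurance"]

class VOStore:
    """Only needs to know that the caller is whoever created the space."""
    def __init__(self):
        self.owners = {}  # space name -> (issuer, subject) of its creator

    def create_space(self, cert: Cert, space: str) -> bool:
        # Any trusted cert will do, weak ones included; real-world identity is irrelevant.
        if verify(cert) is None or space in self.owners:
            return False
        self.owners[space] = (cert.issuer, cert.subject)
        return True

    def write(self, cert: Cert, space: str) -> bool:
        # Continuity check: same subject AND same issuer as the creator, so a name
        # registered under another CA cannot take over the space.
        return verify(cert) is not None and self.owners.get(space) == (cert.issuer, cert.subject)

def proprietary_read(cert: Cert) -> bool:
    """A strong-only operation: requires a human-vetted identity."""
    return verify(cert) == "strong"
```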



-------------- next part --------------
A non-text attachment was scrubbed...
Name: CommunityAuthorizationP1.pdf
Type: application/pdf
Size: 127721 bytes
Desc: 
URL: <http://www.ivoa.net/pipermail/grid/attachments/20050310/ff0359de/attachment-0001.pdf>
