SSO authentication: a new approach

Paul Harrison pah at jb.man.ac.uk
Fri Mar 11 01:00:35 PST 2005


Guy Rixon wrote:

>Paul,
>
>thanks for the comments.
>
>The "less-trusted" entities are the case where I trust some service to perform
>a specific action, which I state via authorization tickets, but not to use my
>other privileges. I think this _is_ a form of partial trust; maybe it needs
>better explanation.
>  
>
I still think that we should distinguish between trust (i.e. do we know 
that the entity is what it says it is - i.e. it has an identity signed by a 
certificate authority that we know) and the privileges that we assign to 
that identity. I realise that this is not quite the same semantics as 
the ordinary English language word "trust", but I believe that it is the 
meaning that is attached to the word in the security world.

In the discussion so far of "less-trusted" or "weak certificates" - 
what is actually meant is lower privileges assigned to an identity that 
is still confirmed by reference to a CA signature, in just the same way 
as a "strong certificate" - i.e. as far as the cryptographic 
confirmation of the identity goes there is no difference.

I might just be being a pedant, but whatever words we use, this way of 
thinking is important in the design.

Paul.


