SSO authentication: a new approach

Ray Plante rplante at ncsa.uiuc.edu
Mon Mar 14 14:48:52 PST 2005


Hey Paul,

On Fri, 11 Mar 2005, Paul Harrison wrote:
> In the discussion so far of "less-trusted" or "weak certificates" - 
> what is actually meant is lower privileges assigned to an identity that 
> is still confirmed by reference to a CA signature, in just the same way 
> that a "strong certificate" - i.e. as far as the cryptographic 
> confirmation of the identity goes there is no difference.

In my view, the idea of "weak certificates" is not simply an issue of 
lower privileges.  Consider your definition...

> I still think that we should distinguish between trust (i.e. do we know 
> that the entity is what it says it is - i.e. it has identity signed by a 
> certificate authority that we know) ...

With a weak certificate, we *don't* know that the entity is what it says
it is.  We only know that the entity is the same entity as the last time
it came around.  The point is that with a Weak CA, we cannot put full
trust in it because it is easy for users to register false identities.

I sense that an underlying principle that you are trying to get at is that
authentication and determining authorization are separate operations.
If so, I agree whole-heartedly.  In the case of weak certificates, the
CA that signs the cert can be used in part to assign privileges.  

cheers,
Ray
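An added illustration (not part of Ray's or Paul's messages) of the two points above: authentication and authorization as separate steps, and the signing CA feeding the privilege decision. The trust store, the privilege table and the HMAC "signature" are constructed stand-ins for real X.509 chain validation.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed trust store: each known CA carries an assurance level that
# reflects how rigorously it checks identity before signing.  The shared
# "key" with HMAC stands in for real signature verification (assumption:
# a real relying party would validate an X.509 chain here instead).
TRUST_STORE = {
    "Strong-CA": {"assurance": "strong", "key": b"strong-ca-secret"},
    "Weak-CA":   {"assurance": "weak",   "key": b"weak-ca-secret"},
}

# Constructed policy: privileges granted per assurance level of the issuer.
PRIVILEGES = {"strong": {"read", "write", "allocate"}, "weak": {"read"}}


@dataclass(frozen=True)
class Cert:
    subject: str    # self-asserted name; a weak CA does not vouch for it
    issuer: str
    pubkey: bytes
    signature: bytes


def _tbs(subject, issuer, pubkey):
    """The 'to-be-signed' bytes covered by the CA signature."""
    return f"{subject}|{issuer}|".encode() + pubkey


def sign_cert(subject, issuer, pubkey):
    """Issue a cert from one of the constructed CAs."""
    sig = hmac.new(TRUST_STORE[issuer]["key"], _tbs(subject, issuer, pubkey),
                   hashlib.sha256).digest()
    return Cert(subject, issuer, pubkey, sig)


def authenticate(cert):
    """Step 1: is the cert signed by a CA we know?  Returns
    (identifier, assurance) or None.  No privilege decision is made here."""
    ca = TRUST_STORE.get(cert.issuer)
    if ca is None:
        return None
    expected = hmac.new(ca["key"], _tbs(cert.subject, cert.issuer, cert.pubkey),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cert.signature):
        return None
    # A weak CA only tells us "same key holder as last time", so identify
    # such an entity by its key fingerprint rather than its claimed subject.
    fp = hashlib.sha256(cert.pubkey).hexdigest()[:16]
    ident = cert.subject if ca["assurance"] == "strong" else f"{cert.issuer}:{fp}"
    return ident, ca["assurance"]


def authorize(auth_result, action):
    """Step 2: a separate decision, driven by which CA vouched for the identity."""
    if auth_result is None:
        return False
    _identifier, assurance = auth_result
    return action in PRIVILEGES[assurance]
```

Two weak certs that both claim the subject "alice" but hold different keys authenticate as two distinct entities, which is exactly the limit of what a weak CA can tell the relying party.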
