SSO authentication: a new approach

Ray Plante rplante at ncsa.uiuc.edu
Tue Mar 15 01:29:28 PST 2005


On Tue, 15 Mar 2005, Paul Harrison wrote:
> I think that the distinction would have a bearing on any design - 
> instead of having different classes of CA, all CAs would be equal, but 
> the less privileged user would only be registered in a low privilege 
> community for instance.

I'm trying to address a very practical problem:  the hassle of getting a 
certificate.  I want to allow users to be able to fill out a registration 
form and begin accessing restricted services immediately.  This is not the 
current practice with cert-based trust models.  Many sites provide 
immediate restricted access without the use of certs, so why bother?  
Because we don't need to support two forms of authentication, for one; 
interoperability across sites, for two.  

So, do you want to see an easier way to get a certificate?  If not, then
weak certs are not useful.  If so, can you really trust a process that
cuts corners for expediency as much as a process that takes greater care?  
When you assign lower privileges to a user (because we're not really sure
they are who they say they are), how do you do that?  For one, how do you
recognize that this person should get lower privileges?  You can only do
it if you control both the granting of the certificate AND the assigning
of privilege.  Privileges, however, are assigned by the maintainer of the
service and not the CA.

I claim that the current existence of register-and-go portals (which we 
all have more accounts on than we can remember) demonstrates the desire 
on both the part of users and providers for weaker authentication.  

cheers,
Ray
