SSO authentication: a new approach

Ray Plante rplante at ncsa.uiuc.edu
Mon Mar 21 12:27:27 PST 2005


Hi John,

> Basically, if a user can upload an arbitrary file anonymously and propagate
> a URL so that others can access it anonymously, we have a big problem.

I don't dispute this.  While VOStore provides a major motivation for
addressing the authentication/authorization issue, this thread started
with a more general perspective that was not intended to be limited to the
VOStore application.

> All IRSA services create result subdirectories in a workspace tied to
> the user by HTTP cookie.  As soon as there is a final spec, that workspace
> will become a VOStore.  We will continue to allow anonymous
> access through the same mechanisms we do now, including upload of
> files for specific purposes (e.g. catalog cross-comparison) but we will
> NOT allow a general "PUT" by anyone who does not have a confirmed
> identity.

I take it from your discussion that your IRSA users do not have to "log
on" to take advantage of use of the workspace.  Perhaps because a user's
access to it is short-lived (a single session) and thus would be
restricted to a single client machine?  I have to log on to Travelocity to
get my saved itineraries (thus I can do this from any machine).  In the
VO, if I save results from a database search, not only would it be nice to
let it persist beyond my session, but also allow agents I direct from
other sites to access it.  The log-in used to protect this data should not
be separate from our VO single-sign-on, and it would be nice if I didn't
have to wait to get my identity confirmed to begin using it in this
restricted sense.

Hopefully, I've exhausted this thread.  ;-)

cheers,
Ray


