Access control use-cases

Guy Rixon gtr at ast.cam.ac.uk
Wed Jul 12 08:42:13 PDT 2006


On Wed, 12 Jul 2006, Norman Gray wrote:

> > In this
> > case, the federation downgrades rights of the strongly-certified
> > identity to those appropriate for the most-weakly-certified identity.
>
> If I'm understanding you correctly, shouldn't this be the other way
> around, so that you get the union of the rights that each certificate
> would give you (monotonicity)?

No, I meant it as I wrote it. If there are resource A which is precious
and resource B which is less so, then the provider can require a greater
degree of trust before allowing access to A. If I can get at A with identity
x, which is strongly certified and I can get at B through identity y (weakly
certified) then it's OK to let me get at A+B from x but it's a security breach
to let me get at A+B from y.

> > Perhaps we need consistent levels of strength of certification for
> > interoperation? The three levels that seem manageable are:
> >
> >  - Has working email address (as originally suggested by
> >    Ray Plante in respect of weak CAs).
> >
> >  - Known to local RA/CA within VObs community (AstroGrid's
> >    community model).
> >
> >  - Approved by national-level grid Policy Management Authority
> >    (having given DNA sample or first-born child as hostage or
> >    whatever).
>
> Organisations like Thawte seem to have a similar set of assurance
> levels, but there appears to be no standardised way of indicating
> which one's which.  It _appears_ that what the relyer has to do is
> deduce which type of certificate is which, based on the presence or
> absence of various attributes, and then compare those with the CA's
> Certification Practice Statement, to decide if the assurance for the
> certificate is adequate for the relyer's purposes.  In other words,
> that's special-case code, though it only has to be done once for each
> CA the resource owner cares about.

So I'm suggesting that the resource provider set up the special-case code only
for these three categories (expanded from 3 at need) and that a list be
published of which CAs fit into which category. In fact, it's only necessary
to list CAs in the top two categories; everything else is in the weakest by
default.

Guy Rixon 				        gtr at ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
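
The scheme discussed in this message, sketched as an added example (not code
from the poster or from any VObs project). The issuer DNs, resource names and
function names are constructed for illustration; only the three categories,
the "unlisted CAs are weakest by default" rule and the downgrade rule come
from the thread.

```python
from enum import IntEnum

class Assurance(IntEnum):
    EMAIL_ONLY = 1     # has a working email address (weak CA)
    COMMUNITY_RA = 2   # known to a local RA/CA within the VObs community
    NATIONAL_PMA = 3   # approved by a national-level grid PMA

# Published list (constructed issuer DNs). Only the top two categories
# are listed; every CA not named here is treated as the weakest.
PUBLISHED_CA_LEVELS = {
    "CN=Example National Grid CA,O=ExampleGrid,C=XX": Assurance.NATIONAL_PMA,
    "CN=Example Community CA,O=ExampleVObs,C=XX": Assurance.COMMUNITY_RA,
}

# Minimum assurance each resource demands (hypothetical thresholds):
# A is precious, B is less so.
RESOURCE_MIN_LEVEL = {"A": Assurance.NATIONAL_PMA, "B": Assurance.EMAIL_ONLY}

def ca_level(issuer_dn):
    """Assurance category of a CA; unlisted CAs default to the weakest."""
    return PUBLISHED_CA_LEVELS.get(issuer_dn, Assurance.EMAIL_ONLY)

def resources_for_level(level):
    """Every resource whose threshold the given assurance level meets."""
    return {r for r, need in RESOURCE_MIN_LEVEL.items() if level >= need}

def accessible(presented_issuer_dn):
    """Rights follow the credential actually presented, so a weakly
    certified identity y never inherits what a linked identity x can reach."""
    return resources_for_level(ca_level(presented_issuer_dn))

def federated_level(issuer_dns):
    """Downgrade rule: identities merged by a federation get the level of
    the most weakly certified one (minimum, not union)."""
    return min((ca_level(dn) for dn in issuer_dns),
               default=Assurance.EMAIL_ONLY)

if __name__ == "__main__":
    x = "CN=Example National Grid CA,O=ExampleGrid,C=XX"   # strongly certified
    y = "CN=Some Unlisted CA,O=Nowhere,C=XX"               # weakly certified
    print("x reaches", sorted(accessible(x)))              # A and B
    print("y reaches", sorted(accessible(y)))              # B only
    print("x+y federated:", federated_level([x, y]).name)  # EMAIL_ONLY
```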


