Thus spake Larry Peterson on Thu, Jun 11, 2009 at 10:33:35AM -0400:
> I think the SFA design also decouples authentication from
> authorization. The GID is a certificate that identifies an entity,
> chained back to someone I trust. We can quibble about the
> definition of the GID (e.g., whether it needs a UUID or a public
> key is sufficient to uniquely identify the entity), but that's the
> general idea.
Right, I think the decision that a GID decouples authentication and
authorization is pretty clear. The other big decision point is whether
they should couple authorization and identity. As written in the SFA and
other places, they conflate the two by using a public key as part of the
identity. We're going down a route that separates the two.
The GMOC project has put together a proposal based on URNs (RFC 2141),
which are used solely for identification purposes. We're in the process
of implementing it. (I'd link to their doc, but I don't see it up on
their website - I'll ask them about it):
http://gmoc.grnoc.iu.edu/gmoc/index.html--
/-----------------------------------------------------------
| Robert P Ricci <
ricci@...> | <
ricci@...>
| Research Associate, University of Utah Flux Group
| www.flux.utah.edu | www.emulab.net
\-----------------------------------------------------------
_______________________________________________
control-wg mailing list
control-wg@...
http://lists.geni.net/mailman/listinfo/control-wg
