We extend ProtoGENI's notion (of separating identity and
authentication/authorization) in all of our projects by separating the
identity (of entities) from any of the varying and contextual
attributes/processes. Identifiers, then, are generally opaque and
non-semantic, and may be used to identify any entity/resource
(individuals, documents, processes, etc.). However, we associate
related attributes (such as public key, credential set, associated
policy, personal preferences, associated URL for the entity), aka a
record, with an identifier by registering those identifiers and the
corresponding (mutable) records in a system. Now, any interested party
(an authentication system, an authorizing system, or a policy
evaluation system) may be able to get related information for any
identifier by resolving that identifier using the registered system.
The idea of separating identifiers from any of the varying attributes,
we think, results in longevity of the projects that import this concept
and eliminates some of the management issues at an early stage. For
example, if public keys are used as identifiers for users, what if the
private key of a particular user was compromised? Wouldn't the
identifier (public key) for the user change when a new pair of keys is
generated, and, if so, how would this translate into trust and other
aspects? In any case, I think, this issue needs to be addressed at this
stage to be able to perform federations, for example, as Max Ott hinted.
FYI:
The resolvable identifiers, aka Handles, and the registration system,
aka the Handle System, are defined in RFCs 3650, 3651 and 3652. The
Handle System is being used to create DOIs by major publishers (IEEE,
etc.) and, among others, is also used in information management
projects in the military (ADL-R).
Giridhar
On Jun 11, 2009, at 7:23 PM, Robert P Ricci wrote:
> Right, I think the decision that a GID decouples authentication and
> authorization is pretty clear. The other big decision point is whether
> they should couple authorization and identity. As written in the SFA and
> other places, they conflate the two by using a public key as part of the
> identity. We're going down a route that separates the two.
_______________________________________________
control-wg mailing list
control-wg@...
http://lists.geni.net/mailman/listinfo/control-wg
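The key-rotation scenario raised in the message above, as an added example that is not part of the thread or of the Handle System: a minimal registry maps opaque identifiers to mutable records, and a grant bound to the identifier survives a key change while a grant bound to the key itself (key-as-identity) does not. Record fields, `Registry`, `rotate_key` and the constructed key bytes are assumptions for illustration only.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Short stand-in for a public-key fingerprint (constructed, not a real key format)."""
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class Record:
    """Mutable attributes attached to an identifier; the identifier itself never changes."""
    public_key: bytes
    credentials: set = field(default_factory=set)
    policy_url: str = ""
    revoked_keys: list = field(default_factory=list)


class Registry:
    """Resolves opaque, non-semantic identifiers to their current record."""

    def __init__(self):
        self._records = {}

    def register(self, record: Record) -> str:
        handle = secrets.token_hex(8)  # opaque: carries no meaning or key material
        self._records[handle] = record
        return handle

    def resolve(self, handle: str) -> Record:
        return self._records[handle]

    def rotate_key(self, handle: str, new_public_key: bytes) -> None:
        rec = self._records[handle]
        rec.revoked_keys.append(fingerprint(rec.public_key))  # old key stays known as revoked
        rec.public_key = new_public_key


def key_is_current(registry: Registry, handle: str, presented_key: bytes) -> bool:
    """A verifier resolves the handle and compares against the registered key."""
    return fingerprint(presented_key) == fingerprint(registry.resolve(handle).public_key)


def demo() -> dict:
    reg = Registry()
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    handle = reg.register(Record(public_key=old_key, credentials={"slice:alice"}))
    grants_by_handle = {handle: "can_create_sliver"}            # identifier-bound policy
    grants_by_key = {fingerprint(old_key): "can_create_sliver"}  # key-as-identity policy
    reg.rotate_key(handle, new_key)
    return {
        "handle_grant_survives": handle in grants_by_handle,
        "key_grant_survives": fingerprint(new_key) in grants_by_key,
        "old_key_rejected": not key_is_current(reg, handle, old_key),
        "credentials_intact": reg.resolve(handle).credentials == {"slice:alice"},
    }
```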