
Re: What are GIDs good for?

by Max Ott-2


On 12/06/2009, at 2:15 PM, Giridhar Manepalli wrote:
> We extend ProtoGENI's notion (of separating identity and
> authentication/authorization) in all of our projects by separating the
> identity (of entities) from any of the varying and contextual
> attributes/processes. Identifiers, then, are generally opaque and non-
> semantic, and may be used to identify any entity/resource
> (individuals, documents, processes, etc.).

'non-semantic' - I like that. Do you have a more detailed write-up  
available somewhere?

> However, we associate
> related attributes (such as public key, credential set, associated
> policy, personal preferences, associated URL for the entity), aka
> record, by registering those identifiers and corresponding (mutable)
> records in a system.

Does that provide anything beyond storage and retrieval?

Wouldn't we also need to capture who added those attributes, or more  
precisely who claims that an identity has a certain attribute? The old  
'Max broke the window - says who?'


> For example, if public
> keys are used as identifiers for users, what if the private way of a
> particular user was compromised? Wouldn't the identifier (public key)
> for the user change when a new pair of keys are generated, and, if so,
> how would this translate into trust and other aspects?

Exactly. And remember, a certificate is really just an assertion that  
someone claims that this is the public key for a certain entity.


> In any case, I
> think, this issue needs to be addressed at this stage to be able to
> perform federations, for example, as Max Ott hinted.

I very much think so. Right now, we all pretty much work in our own  
universe and things already work for the use cases we support. But  
things get hairy pretty quickly when some of them collide, especially  
when lawyers are involved or different usage policies need to be  
accommodated. I'm not suggesting that we need to fully define how we  
deal with this, but the architecture at least should give us a clear  
idea where we would need to deal with that 'mess' and how to pass  
relevant information around. Another reason to have a closer look at  
related standards and concepts, such as PEP, PDP, ... We all have them  
implicit somewhere anyway and I'm sure we all have a few ugly hacks to  
deal with 'special cases'.

-max

_______________________________________________
control-wg mailing list
control-wg@...
http://lists.geni.net/mailman/listinfo/control-wg
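The two points Max raises, "says who?" for every attribute and what happens to an identifier when a key is compromised, fit in one small model. The following Go program is an added example written for this page, not code from GENI, ProtoGENI or either poster: an opaque random identifier names each entity, a registry binds the identifier to its current public key, every attribute is stored as a claim signed by the asserting entity, and a lookup returns who vouches for a given attribute. Rotating a subject's key leaves its identifier and the claims about it untouched; rotating an asserter's key makes that asserter's old claims unverifiable until re-asserted. Which party is allowed to rotate a key is the policy (PEP/PDP) question the thread defers, and the example assumes it has been answered elsewhere.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Identifier is opaque and non-semantic: 16 random bytes, hex-encoded.
// It names an entity without encoding any attribute of it, the key included.
type Identifier string

func NewIdentifier() Identifier {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return Identifier(hex.EncodeToString(b))
}

// Claim records that Asserter says Subject has attribute Name=Value.
// The signature is what answers "says who?".
type Claim struct {
	Subject   Identifier
	Name      string
	Value     string
	Asserter  Identifier
	Signature []byte
}

// claimBytes is the byte string that gets signed. Fields are length-prefixed
// so that "a"+"bc" and "ab"+"c" cannot yield the same signed message.
func claimBytes(subject Identifier, name, value string, asserter Identifier) []byte {
	var out []byte
	for _, f := range []string{string(subject), name, value, string(asserter)} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

// Registry maps identifiers to their current public key and to a mutable
// record of claims made about them (assumed design, not GENI's).
type Registry struct {
	keys   map[Identifier]ed25519.PublicKey
	claims map[Identifier][]Claim
}

func NewRegistry() *Registry {
	return &Registry{keys: map[Identifier]ed25519.PublicKey{}, claims: map[Identifier][]Claim{}}
}

// Register binds an identifier to its current public key.
func (r *Registry) Register(id Identifier, pk ed25519.PublicKey) { r.keys[id] = pk }

// Assert lets asserter sign and record a claim about subject.
func (r *Registry) Assert(subject Identifier, name, value string, asserter Identifier, sk ed25519.PrivateKey) Claim {
	c := Claim{Subject: subject, Name: name, Value: value, Asserter: asserter}
	c.Signature = ed25519.Sign(sk, claimBytes(subject, name, value, asserter))
	r.claims[subject] = append(r.claims[subject], c)
	return c
}

// Rotate replaces the key bound to id after a compromise. The identifier
// itself does not change, so records about the entity keep pointing at it.
// Who may call this is a policy decision and is not modelled here.
func (r *Registry) Rotate(id Identifier, newPk ed25519.PublicKey) { r.keys[id] = newPk }

// WhoSays returns the asserters whose claim that subject has name=value
// verifies against the asserter's *current* registered key. Claims signed
// with a key since rotated out drop away and must be re-asserted.
func (r *Registry) WhoSays(subject Identifier, name, value string) []Identifier {
	var who []Identifier
	for _, c := range r.claims[subject] {
		if c.Name != name || c.Value != value {
			continue
		}
		pk, ok := r.keys[c.Asserter]
		if ok && ed25519.Verify(pk, claimBytes(c.Subject, c.Name, c.Value, c.Asserter), c.Signature) {
			who = append(who, c.Asserter)
		}
	}
	return who
}

func main() {
	// Constructed scenario: a registrar asserts a role for a user.
	reg := NewRegistry()
	userID, registrarID := NewIdentifier(), NewIdentifier()
	userPk, _, _ := ed25519.GenerateKey(nil)
	regPk, regSk, _ := ed25519.GenerateKey(nil)
	reg.Register(userID, userPk)
	reg.Register(registrarID, regPk)
	reg.Assert(userID, "role", "experimenter", registrarID, regSk)
	fmt.Println("says who:", reg.WhoSays(userID, "role", "experimenter"))

	// The user's key is compromised and rotated: same identifier, claim intact.
	newPk, _, _ := ed25519.GenerateKey(nil)
	reg.Rotate(userID, newPk)
	fmt.Println("after user key rotation:", reg.WhoSays(userID, "role", "experimenter"))
}
```

Because the identifier is random rather than derived from the key, a compromise is handled by re-binding the identifier to a fresh key, and nothing that refers to the entity has to change; what does change is the trust status of claims signed by the compromised key, which `WhoSays` surfaces by no longer listing them.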
