On 12/06/2009, at 9:23 AM, Robert P Ricci wrote:
> Right, I think the decision that a GID decouples authentication and
> authorization is pretty clear.
Unfortunately that is not so clear to me.
In http://www.protogeni.net/trac/protogeni/wiki/AuthImpl it says:
... each of the principle objects in Protogeni has a unique UUID and
thus a certificate (GID) associated with it. In most cases these
certificates are used for identity purposes, not authentication (as in
an SSL session).
So what does it buy me to have some ID which has been issued by someone?
Later it says: ... When Joe asks his Slice Authority to create this
new slice, a new credential is formed that includes, among other items:
Joe's GID (UUID, HRN, email)
MySlice's GID (UUID, HRN, email)
A list of tokens
A digital signature (I assume that the digital signature is that of
the Slice Authority)
Now that makes sense to me. Someone (the Slice Authority) asserts that
Joe can perform some action (tokens) on MySlice. Now if Joe requests a
service S to perform an action on the slice, S can now check if the
requester is the Joe in the assertion, the action is authorized and it
accepts the authority of the signer of the assertion. (To be a
stickler, I would have expected the (G)ID of the Slice Authority as
part of that assertion, with the signature for authentication)
Now I can potentially chain things by adding an additional assertion
which transfers the right to use MySlice to Alice. Obviously this
needs to be signed by Joe and the first assertion may need to include
permission to do that (delegation).
But again, what do I need beyond a handle? The only thing I can think
of is a reference to a handle's credentials (public key) if it is
signing something (that's why I was asking about who signed the above).
-max
_______________________________________________
control-wg mailing list
control-wg@...
http://lists.geni.net/mailman/listinfo/control-wg
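The credential structure and the three checks described in the message above (is the requester the principal named in the assertion, is the action among the tokens, is the signer an authority the service accepts), plus the delegation chain from Joe to Alice, as an added worked example. This is illustrative code written for this page, not ProtoGENI code and not anything from the thread's authors. The class and function names (Principal, Credential, issue, verify_chain, authorize), the "delegate" token, the HRNs and e-mail addresses are all assumptions; the issuer's GID is carried explicitly in the credential, which is the point raised in the message. The signature scheme is textbook RSA over tiny constructed primes so that the example runs offline with only the standard library; it is not a secure signature scheme and stands in for whatever real scheme the GIDs' certificates use.

```python
"""Toy model of signed, delegable slice credentials (added example, not ProtoGENI code)."""
import hashlib
import json
import uuid
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class GID:
    """UUID/HRN/email as in the thread, plus the public key a verifier needs to
    check signatures made by the holder of this GID (assumed field)."""
    uuid: str
    hrn: str
    email: str
    pubkey: Tuple[int, int]  # (n, e) of the toy RSA key


def _digest(payload: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


class Principal:
    """A principal holding the private half of its GID's key pair."""

    def __init__(self, hrn: str, email: str, p: int, q: int):
        # constructed toy key: p, q are small primes chosen for this example (insecure)
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        self._d = pow(e, -1, phi)
        self.gid = GID(str(uuid.uuid5(uuid.NAMESPACE_DNS, hrn)), hrn, email, (n, e))

    def sign(self, payload: bytes) -> int:
        n, _ = self.gid.pubkey
        return pow(_digest(payload, n), self._d, n)


def verify_signature(signer: GID, payload: bytes, signature: int) -> bool:
    n, e = signer.pubkey
    return pow(signature, e, n) == _digest(payload, n)


@dataclass(frozen=True)
class Credential:
    issuer: GID                      # who signed the assertion (explicit, as the message asks)
    owner: GID                       # e.g. Joe
    target: GID                      # e.g. MySlice
    tokens: FrozenSet[str]           # actions the owner may perform
    parent: Optional["Credential"]   # credential this one was delegated from, if any
    signature: int

    def payload(self) -> bytes:
        # canonical bytes covered by the signature; including the parent's
        # signature binds a delegated credential to exactly one parent
        body = {"issuer": self.issuer.uuid, "owner": self.owner.uuid,
                "target": self.target.uuid, "tokens": sorted(self.tokens),
                "parent": self.parent.signature if self.parent else None}
        return json.dumps(body, sort_keys=True).encode()


def issue(issuer: Principal, owner: GID, target: GID, tokens, parent=None) -> Credential:
    unsigned = Credential(issuer.gid, owner, target, frozenset(tokens), parent, 0)
    return Credential(issuer.gid, owner, target, frozenset(tokens), parent,
                      issuer.sign(unsigned.payload()))


def verify_chain(cred: Credential, trusted_roots: FrozenSet[str]) -> bool:
    """Walk the delegation chain back to a trusted authority."""
    if not verify_signature(cred.issuer, cred.payload(), cred.signature):
        return False
    if cred.parent is None:
        # a root assertion is only accepted from a trusted authority (the Slice Authority)
        return cred.issuer.uuid in trusted_roots
    parent = cred.parent
    return (verify_chain(parent, trusted_roots)
            and parent.owner.uuid == cred.issuer.uuid   # delegator holds the parent
            and "delegate" in parent.tokens              # and was allowed to delegate
            and parent.target.uuid == cred.target.uuid   # same slice
            and cred.tokens <= parent.tokens)            # no privilege amplification


def authorize(cred: Credential, requester: GID, action: str, trusted_roots) -> bool:
    """Service-side check: trusted chain, requester is the owner, action is granted."""
    return (verify_chain(cred, frozenset(trusted_roots))
            and cred.owner.uuid == requester.uuid
            and action in cred.tokens)


def run_demo() -> dict:
    """Constructed scenario: SA grants Joe rights on MySlice; Joe delegates 'start' to Alice."""
    sa = Principal("geni.sa", "sa@example.test", 10007, 10009)
    joe = Principal("geni.user.joe", "joe@example.test", 10037, 10039)
    alice = Principal("geni.user.alice", "alice@example.test", 10061, 10067)
    bob = Principal("geni.user.bob", "bob@example.test", 10069, 10079)
    myslice = Principal("geni.slice.myslice", "joe@example.test", 10091, 10093).gid
    roots = {sa.gid.uuid}
    joe_cred = issue(sa, joe.gid, myslice, {"start", "stop", "delegate"})
    alice_cred = issue(joe, alice.gid, myslice, {"start"}, parent=joe_cred)
    tampered = Credential(alice_cred.issuer, alice_cred.owner, alice_cred.target,
                          frozenset({"start", "stop"}), alice_cred.parent, alice_cred.signature)
    return {
        "joe_stop": authorize(joe_cred, joe.gid, "stop", roots),
        "alice_start": authorize(alice_cred, alice.gid, "start", roots),
        "alice_stop": authorize(alice_cred, alice.gid, "stop", roots),
        "bob_with_alice_cred": authorize(alice_cred, bob.gid, "start", roots),
        "alice_self_issued": authorize(issue(alice, alice.gid, myslice, {"stop"}), alice.gid, "stop", roots),
        "bob_redelegated": authorize(issue(alice, bob.gid, myslice, {"start"}, parent=alice_cred), bob.gid, "start", roots),
        "tampered_tokens": authorize(tampered, alice.gid, "stop", roots),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Only the first two requests are allowed; the rest are denied for the reasons the checks spell out: a token that was never delegated, a requester who is not the owner, a root assertion from a non-authority, re-delegation without the "delegate" token in the parent, and tokens edited after signing. The verifier needs each issuer's public key to check the chain, which is why the GID here carries it rather than being only a handle.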