Thus spake Max Ott on Fri, Jun 12, 2009 at 08:55:13PM +1000:
> On 12/06/2009, at 2:15 PM, Giridhar Manepalli wrote:
> > We extend ProtoGENI's notion (of separating identity and
> > authentication/authorization) in all of our projects by separating the
> > identity (of entities) from any of the varying and contextual
> > attributes/processes. Identifiers, then, are generally opaque and non-
> > semantic, and may be used to identify any entity/resource
> > (individuals, documents, processes, etc.).
>
> 'non-semantic' - I like that. Do you have a more detailed write-up
> available somewhere?
Here's an interesting point - one of the properties that appeals to us
about the URNs proposed by the GMOC is that they have a little bit of
semantic information in them - the URN contains the identifier of the
authority that issued the URN. This way, when I get an authentication
certificate that says "URN A is associated with public key X", I can
check to see if the issuer of the certificate is the same entity that
issued URN A. This way, buggy, malicious, or subverted authorities
cannot issue authentication certificates for others' users, components,
etc.
(This can be chained - e.g. an authority can create a sub-authority, and
that sub-authority's identifier includes its "parent"'s identifier. URNs
share this property with the domain-name-looking HRNs that have shown
up in some places like the SFA doc.)
--
/-----------------------------------------------------------
| Robert P Ricci <ricci@...> | <ricci@...>
| Research Associate, University of Utah Flux Group
| www.flux.utah.edu | www.emulab.net
\-----------------------------------------------------------
_______________________________________________
control-wg mailing list
control-wg@...
http://lists.geni.net/mailman/listinfo/control-wg
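The issuer check Ricci describes above, worked through as an added example (this is not code from the thread, the GMOC or any GENI project). It assumes a URN layout of `urn:idn:<authority>:<type>:<name>` with `+`-separated hierarchical authority identifiers, so a sub-authority's identifier is its parent's identifier plus one label; signatures are modelled as a `signer_key` field rather than real cryptography. Both the flat check (certificate issuer must equal the authority embedded in the subject URN) and the chained case (a sub-authority vouching for its own users, itself certified by its parent) are shown, along with the two rejections that matter: a different, even trusted, authority asserting a key for someone else's URN, and a certificate that names the right authority but was not signed with that authority's key.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str     # URN whose identity is being asserted
    pubkey: str      # public key bound to the subject
    issuer: str      # authority identifier claimed by the signer
    signer_key: str  # key that produced the (modelled) signature


def parse_urn(urn: str) -> Tuple[str, str, str]:
    """Split an assumed 'urn:idn:<authority>:<type>:<name>' URN."""
    parts = urn.split(":")
    if len(parts) != 5 or parts[0] != "urn" or parts[1] != "idn" or not all(parts[2:]):
        raise ValueError(f"malformed URN: {urn!r}")
    return parts[2], parts[3], parts[4]


def parent_authority(authority: str) -> Optional[str]:
    """'utah+flux' -> 'utah'; a top-level authority has no parent."""
    head, sep, _ = authority.rpartition("+")
    return head if sep else None


def issuer_matches_urn(cert: Cert) -> bool:
    """The core check: the certificate's issuer must be the authority
    that issued the subject's URN, i.e. the authority named inside it."""
    authority, _, _ = parse_urn(cert.subject)
    return cert.issuer == authority


def verify_chain(chain: List[Cert], trusted_roots: Dict[str, str]) -> bool:
    """chain[0] is the leaf (user/component) cert; each later cert certifies
    the authority that signed the one before it; the last is signed by a root.
    trusted_roots maps a root authority identifier to its public key."""
    if not chain:
        return False
    for i, cert in enumerate(chain):
        # Identifier check: whoever signed this must be the URN's own authority.
        if not issuer_matches_urn(cert):
            return False
        if i + 1 < len(chain):
            up = chain[i + 1]
            up_auth, up_type, up_name = parse_urn(up.subject)
            # The next cert must certify a sub-authority whose identifier is
            # its parent's identifier plus its own name ("utah" -> "utah+flux").
            if up_type != "authority" or parent_authority(cert.issuer) != up_auth:
                return False
            if f"{up_auth}+{up_name}" != cert.issuer:
                return False
            # Signature check (modelled): signed with the certified authority key.
            if cert.signer_key != up.pubkey:
                return False
        else:
            # Top of the chain: the issuer must be a trusted root using its own key.
            if trusted_roots.get(cert.issuer) != cert.signer_key:
                return False
    return True


# Constructed sample data (hypothetical keys and identifiers).
ROOT_KEY = "pk-utah-root"
FLUX_KEY = "pk-flux"
RICCI_KEY = "pk-ricci"
ROGUE_KEY = "pk-rogue"
TRUSTED_ROOTS = {"utah": ROOT_KEY}
TRUSTED_ROOTS_WITH_ROGUE = {"utah": ROOT_KEY, "other": ROGUE_KEY}

# "utah" certifies its sub-authority "flux"; "utah+flux" certifies a user.
FLUX_CERT = Cert("urn:idn:utah:authority:flux", FLUX_KEY, "utah", ROOT_KEY)
RICCI_CERT = Cert("urn:idn:utah+flux:user:ricci", RICCI_KEY, "utah+flux", FLUX_KEY)
GOOD_CHAIN = [RICCI_CERT, FLUX_CERT]

# A different (buggy or subverted) authority asserts a key for someone else's URN.
ROGUE_CHAIN = [Cert("urn:idn:utah+flux:user:ricci", "pk-imposter", "other", ROGUE_KEY)]

# Right issuer identifier in the cert, but not signed with that authority's key.
FORGED_CHAIN = [Cert("urn:idn:utah+flux:user:ricci", "pk-imposter", "utah+flux", ROGUE_KEY),
                FLUX_CERT]

if __name__ == "__main__":
    print("good chain:", verify_chain(GOOD_CHAIN, TRUSTED_ROOTS))
    print("rogue authority:", verify_chain(ROGUE_CHAIN, TRUSTED_ROOTS_WITH_ROGUE))
    print("forged signer:", verify_chain(FORGED_CHAIN, TRUSTED_ROOTS))
```

The rogue case is rejected before any key is consulted: "other" is in the trusted-root table, yet it cannot bind a key to a URN that names "utah+flux" as its authority, which is exactly the containment property the embedded authority identifier buys. The forged case shows that the identifier match is necessary but not sufficient; the chain must also confirm the signer holds the key certified for that authority one level up.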