Re: What are GIDs good for?

by Camilo Viecco

The URN proposal and details can be found at:
http://gmoc.grnoc.iu.edu/https/globalnoc/gmoc/file-bin/urn-proposal2.pdf

In short, we noticed the problem of bundling of authentication and
identification in the SFA documents and tried to figure out a way to
separate these.

We prefer 'semantic' aware identifiers because otherwise we would be
required to build a secure and highly-available resolver service whose
trust properties would be appropriate for all applications (i.e. the
trust chain should be acceptable to all participating entities).

Camilo




Robert P Ricci wrote:

> Thus spake Max Ott on Fri, Jun 12, 2009 at 08:55:13PM +1000:
>  
>> On 12/06/2009, at 2:15 PM, Giridhar Manepalli wrote:
>>    
>>> We extend ProtoGENI's notion (of separating identity and
>>> authentication/authorization) in all of our projects by separating the
>>> identity (of entities) from any of the varying and contextual
>>> attributes/processes. Identifiers, then, are generally opaque and non-
>>> semantic, and may be used to identify any entity/resource
>>> (individuals, documents, processes, etc.).
>>>      
>> 'non-semantic' - I like that. Do you have a more detailed write-up  
>> available somewhere?
>>    
>
> Here's an interesting point - one of the properties that appeals to us
> about the URNs proposed by the GMOC is that they have a little bit of
> semantic information in them - the URN contains the identifier of the
> authority that issued the URN. This way, when I get an authentication
> certificate that says "URN A is associated with public key X", I can
> check to see if the issuer of the certificate is the same entity that
> issued URN A. This way, buggy, malicious, or subverted authorities
> cannot issue authentication certificates for others' users, components,
> etc.
>
> (This can be chained - e.g. an authority can create a sub-authority, and
> that sub-authority's identifier includes its "parent"'s identifier. URNs
> share this property with the domain-name looking HRNs that have shown
> up in some places like the SFA doc.)
>
>  


_______________________________________________
control-wg mailing list
control-wg@...
http://lists.geni.net/mailman/listinfo/control-wg
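
The issuer check described in the quoted message from Robert Ricci, sketched as an added example that is not part of the original thread or of any GENI code. It assumes a URN layout of `urn:publicid:IDN+<authority>+<type>+<name>` with `:` separating sub-authorities, which the thread does not spell out, and it assumes a parent authority may also certify names under its sub-authorities; `parse_urn` and `issuer_may_bind` are hypothetical names.

```python
# Added example: the URN layout and every name here are assumptions,
# not taken from the thread or from the GMOC proposal text.
from typing import NamedTuple

PREFIX = "urn:publicid:IDN+"  # assumed: urn:publicid:IDN+<authority>+<type>+<name>


class Urn(NamedTuple):
    authority: tuple  # hierarchical path, e.g. ("example.net", "lab1")
    type: str
    name: str


def parse_urn(text: str) -> Urn:
    """Split an identifier into authority path, type and name."""
    if not text.startswith(PREFIX):
        raise ValueError(f"not an identifier URN: {text!r}")
    parts = text[len(PREFIX):].split("+")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected authority+type+name: {text!r}")
    authority = tuple(parts[0].lower().split(":"))
    if not all(authority):
        raise ValueError(f"empty authority component: {text!r}")
    return Urn(authority, parts[1], parts[2])


def issuer_may_bind(issuer_urn: str, subject_urn: str) -> bool:
    """Decide whether a certificate saying "subject_urn is associated with
    public key X" may be accepted from this issuer: the issuer must be the
    authority named inside the subject URN, or a parent of it (chaining)."""
    try:
        issuer, subject = parse_urn(issuer_urn), parse_urn(subject_urn)
    except ValueError:
        return False  # fail closed on anything unparseable
    if issuer.type != "authority":
        return False  # users and components do not issue bindings
    # Compare whole path components, never raw string prefixes, so that
    # "example.net" is not treated as a parent of "example.network".
    return subject.authority[:len(issuer.authority)] == issuer.authority


if __name__ == "__main__":
    # Constructed sample identifiers, for illustration only.
    root = "urn:publicid:IDN+example.net+authority+sa"
    for subj in ("urn:publicid:IDN+example.net:lab1+user+bob",
                 "urn:publicid:IDN+other.org+user+alice"):
        print(subj, "->", issuer_may_bind(root, subj))
```

The signature on the certificate still has to be verified separately; this check only rejects a validly signed certificate whose issuer has no claim on the namespace of the URN it names.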
