>> Another implication (and potential challenge) of the alternative
>> approach is that the AM has to maintain the state of credentials.
>
> I don't think so. In my (perhaps simple) understanding, the
> **clearinghouse** maintains state of the credentials.
So, in order to delegate a credential to my grad student, I have to
ask the CH to do it?
Our approach is to let the researcher delegate credentials themselves,
by signing it over, perhaps with priv changes. The beauty of PKI ...
>> This appears to be a more stateful approach compared with the
>> orignial
>> one, and this may also have implications for the allowable time
>> interval between a research getting his resource-access-credential
>> and
>> actually using the resource.
>
> Again, I don't think so. As soon as the researcher gains access to
> the clearinghouse (an 'account'), the CH can validate him.
Seems like the CH is now in the critical path to doing anything! :-)
Lbs
_______________________________________________
control-wg mailing list
control-wg@...
http://lists.geni.net/mailman/listinfo/control-wg
