
What are GIDs good for?

by Max Ott-2

Folks,

We have been spending a lot of time recently working through  
federation issues, looking at the design notes from other control  
frameworks, standards, ...   and getting more and more confused :)

While my primary confusion really centers on the slice manager - whose  
exact role I understand less and less, we got specifically stuck on  
the GID today and all the certificate chains attached to it. I read
Ricci's and Leigh's notes on it, and Thierry and I tried to work
through the geniwrapper code.

Anyway, what do we want to achieve? We have resources, we have users who
want to use them and we have control frameworks which stand in the  
middle. Or maybe in a more generic way, we have entities which want to  
perform actions on other entities and somebody needs to authorize that.

SAML very clearly differentiates between authorization and  
authentication and I'm wondering if we make the same clean  
separation.  Maybe a different question would be, why aren't we using  
standard solutions, such as SAML? I know they are often big and cover a
lot of other stuff, but the basic concepts seem to be sound.

So what is wrong with using 'normal' identifiers and attaching assertions
- what the object is allowed to do, who can do what with it, for how  
long, ... Assertions themselves can be signed and can refer to other  
assertions from which they get the authority to make the assertions  
they make. Signatures are verified the standard way back to a well  
known anchor (I know we already do that), and assertions provide the  
chain along legal agreements, or to resource allocation policies or  
'cost centers'.

This way, I can break the necessary information I need to make a  
decision at various places into individual pieces; can link them by  
URLs; or pack them all together into standard messaging formats such  
as MIME/S or PGP (and the many existing toolkits).

I'm not a security expert and I may miss something obvious, but I have  
a really hard time seeing how the current architecture will cleanly  
accommodate a federated world with changing legal and policy  
requirements.

Thanks,

-max


_______________________________________________
control-wg mailing list
control-wg@...
http://lists.geni.net/mailman/listinfo/control-wg
