[ogsa-authn-bof] Shibboleth/Grid Namespace Convergence
Tom Barton
tbarton at uchicago.edu
Sun Feb 18 15:58:28 CST 2007
I've only just now had opportunity to read this thread and its companion
"Use Cases", and thought I'd try to help by observing what seem to me
are different understandings some of us exhibit towards the same term or
phrase. Specifically "grid community". At some times it appears to be
understood as "a particular community using grid technologies to work
towards a common purpose". Stephen Langella's example of Dorian's role
with respect to the cancer bioinformatics grid is an example, as are any
particular manifestations of David Chadwick's generic use cases #1 and
#2. At other times "grid community" appears to be understood as
referring to the technologies assumed to be in use, i.e., not scoped by a
common purpose undertaken by a specific community.
David's right, of course, about naming authorities and hierarchical
naming. And Tom Scavo is right that some organizations that operate IdPs
are concerned with collusion among SPs as an avenue for privacy attack.
Their two views are reconciled if the design includes a way to specify
which namespace is operative in a given use case in which a globally
unique name is required. The globally unique name of a person in use by
the medical community in use case #1 need not be the same as the
globally unique name for that person in use by the financial community
in use case #2.
What's needed in the design is a namespace identifier to be supplied to
allied IdPs so that they can provide globally unique names within
particular namespaces. If the use case permits an IdP to be the naming
authority for a person, the IdP manufactures globally unique
"namespace-targeted" names determined by (globally unique IdP id,
locally unique principal, globally unique namespace id).
If that is done I think that David's suggestion to Von about CA
operational policy does not run afoul of the tight coupling that Von
worried about, because the CA would merely propagate the globally unique
name assigned the principal by her IdP.
Tom
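The "namespace-targeted" name described above, worked through as an added example; this is not code from the post, from Shibboleth or from the BoF design. It assumes the IdP derives the name from the triple (globally unique IdP id, locally unique principal, globally unique namespace id). Two forms are shown: a transparent form that spells the triple out (usable where the use case permits the local principal to be visible), and an opaque form that keys an HMAC with an IdP-held secret so that two namespaces, even if their SPs collude, hold values they cannot match to the same person. The `!`-separated layout and the field names are assumptions chosen for readability.

```python
import hashlib
import hmac


def canonical_triple(idp_id: str, principal: str, namespace_id: str) -> bytes:
    """Length-prefix each field before hashing so that ("ab", "c") and
    ("a", "bc") cannot collide on a naive concatenation."""
    out = b""
    for field in (idp_id, principal, namespace_id):
        data = field.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def transparent_name(idp_id: str, principal: str, namespace_id: str) -> str:
    """Readable namespace-targeted name: the triple spelled out.
    Globally unique because the IdP id and namespace id are, but it
    exposes the local principal to every party in the namespace."""
    return f"{namespace_id}!{idp_id}!{principal}"


def opaque_name(idp_id: str, principal: str, namespace_id: str,
                idp_secret: bytes) -> str:
    """Privacy-preserving namespace-targeted name.  The IdP keys an HMAC
    with a secret only it holds, so the value is stable within one
    namespace (the same person always gets the same name there) yet
    unlinkable across namespaces without the IdP's cooperation."""
    tag = hmac.new(idp_secret,
                   canonical_triple(idp_id, principal, namespace_id),
                   hashlib.sha256).hexdigest()
    return f"{namespace_id}!{idp_id}!{tag}"


def namespace_of(name: str) -> str:
    """Recover the namespace id so a relying party can check that a name
    it received was minted for its own namespace and not another's."""
    return name.split("!", 1)[0]


def trivially_linkable(name_a: str, name_b: str) -> bool:
    """What two colluding SPs in different namespaces can do without the
    IdP: compare the opaque tags byte-for-byte.  For opaque names of the
    same person in different namespaces this is False."""
    return name_a.split("!", 2)[2] == name_b.split("!", 2)[2]


def demo() -> dict:
    # Constructed sample values; not real identifiers.
    idp = "https://idp.example.edu/shibboleth"
    secret = b"example-idp-held-secret-rotate-per-policy"
    medical = "urn:example:medical-grid"    # use case #1 namespace
    financial = "urn:example:finance-grid"  # use case #2 namespace

    med_name = opaque_name(idp, "jdoe", medical, secret)
    fin_name = opaque_name(idp, "jdoe", financial, secret)
    med_again = opaque_name(idp, "jdoe", medical, secret)
    return {
        "stable_within_namespace": med_name == med_again,
        "linkable_across_namespaces": trivially_linkable(med_name, fin_name),
        "medical_namespace_ok": namespace_of(med_name) == medical,
        "transparent": transparent_name(idp, "jdoe", medical),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The opaque form is what addresses Tom Scavo's collusion concern while still giving David Chadwick's hierarchical, globally unique naming: the namespace id and IdP id remain visible (so the naming authority is clear), and only the per-person component is blinded per namespace.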