|
⇤ ← Revision 1 as of 2005-09-02 09:10:45
Size: 1190
Comment:
|
Size: 3562
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 7: | Line 7: |
| [[Anchor(mustscale)]] | |
| Line 9: | Line 10: |
| [[Anchor(identitymanscalability)]] | |
| Line 11: | Line 13: |
| [[Anchor(identhomeorg)]] | |
| Line 14: | Line 17: |
| [[Anchor(attributemanscale)]] | |
| Line 16: | Line 20: |
| [[Anchor(trustminimum)]] | |
| Line 19: | Line 24: |
| [[Anchor(securityieinadeq)]] | |
| Line 21: | Line 27: |
[[Anchor(PKIvsassumpts)]] = How does PKI live up to these assumptions? = [[Anchor(PKImustscale)]] == Grids must scale == [[Anchor(PKIidentitymanscalability)]] == Identity management is a scalability bottleneck == [[Anchor(PKIidenthomeorg)]] === Identity is best managed by "home organisations" === But need not be - identity is easier to manage than role etc. [[Anchor(PKIattributemanscale)]] == Attribute management is a scalability bottleneck == [[Anchor(PKItrustminimum)]] == Trust must be kept to a minimum on grids == Yes, general principle is true. However, as a resource owner it may not be ''possible'' to manage more than n users and therefore you ''have'' to trust third parties. Even for a very low number of users, a grid resource owner may be the last to find out that a user has been convicted as a criminal for fraud, or has been determined to have hacked another resource. [[Anchor(PKIsecurityieinadeq)]] == Security levels in the information environment are inadequate == Grid cannot trust levels of authN in users home organisations. Grid RAs and CAs are better. = How can Shibboleth play a role? = [[Anchor(SHIBmustscale)]] == Grids must scale == [[Anchor(SHIBidentitymanscalability)]] == Identity management is a scalability bottleneck == [[Anchor(SHIBidenthomeorg)]] === Identity is best managed by "home organisations" === But need not be - identity is easier to manage than role etc. [[Anchor(SHIBattributemanscale)]] == Attribute management is a scalability bottleneck == [[Anchor(SHIBtrustminimum)]] == Trust must be kept to a minimum on grids == Yes, general principle is true. However, as a resource owner it may not be ''possible'' to manage more than n users and therefore you ''have'' to trust third parties. Even for a very low number of users, a grid resource owner may be the last to find out that a user has been convicted as a criminal for fraud, or has been determined to have hacked another resource. [[Anchor(SHIBsecurityieinadeq)]] == Security levels in the information environment are inadequate == Grid cannot trust levels of authN in users home organisations. Grid RAs and CAs are better. |
This page contains notes building towards a formal document regarding the role of Shibboleth with grids. It necessarily challenges some basic assumptions of the way that authentication and authorisation are currently managed in grids.
This work forms the bulk of the eSP-grid workpackage five (Shibboleth Evaluation).
Assumptions
Grids must scale
Anchor(identitymanscalability)
Identity management is a scalability bottleneck
Identity is best managed by "home organisations"
But need not be - identity is easier to manage than role etc.
Attribute management is a scalability bottleneck
Trust must be kept to a minimum on grids
Yes, general principle is true. However, as a resource owner it may not be possible to manage more than n users and therefore you have to trust third parties. Even for a very low number of users, a grid resource owner may be the last to find out that a user has been convicted as a criminal for fraud, or has been determined to have hacked another resource.
Security levels in the information environment are inadequate
Grid cannot trust levels of authN in users home organisations. Grid RAs and CAs are better.
How does PKI live up to these assumptions?
Grids must scale
Anchor(PKIidentitymanscalability)
Identity management is a scalability bottleneck
Identity is best managed by "home organisations"
But need not be - identity is easier to manage than role etc.
Attribute management is a scalability bottleneck
Trust must be kept to a minimum on grids
Yes, general principle is true. However, as a resource owner it may not be possible to manage more than n users and therefore you have to trust third parties. Even for a very low number of users, a grid resource owner may be the last to find out that a user has been convicted as a criminal for fraud, or has been determined to have hacked another resource.
Security levels in the information environment are inadequate
Grid cannot trust levels of authN in users home organisations. Grid RAs and CAs are better.
How can Shibboleth play a role?
Grids must scale
Anchor(SHIBidentitymanscalability)
Identity management is a scalability bottleneck
Identity is best managed by "home organisations"
But need not be - identity is easier to manage than role etc.
Attribute management is a scalability bottleneck
Trust must be kept to a minimum on grids
Yes, general principle is true. However, as a resource owner it may not be possible to manage more than n users and therefore you have to trust third parties. Even for a very low number of users, a grid resource owner may be the last to find out that a user has been convicted as a criminal for fraud, or has been determined to have hacked another resource.
Security levels in the information environment are inadequate
Grid cannot trust levels of authN in users home organisations. Grid RAs and CAs are better.