This page contains notes building towards a formal document regarding the role of Shibboleth with grids. It necessarily challenges some basic assumptions of the way that authentication and authorisation are currently managed in grids.
This work forms the bulk of the eSP-grid workpackage five (Shibboleth Evaluation).
Assumptions
Grids must scale
Anchor(identitymanscalability)
Identity management is a scalability bottleneck
Identity is best managed by "home organisations"
But need not be - identity is easier to manage than role etc.
Attribute management is a scalability bottleneck
Trust must be kept to a minimum on grids
Yes, general principle is true. However, as a resource owner it may not be possible to manage more than n users and therefore you have to trust third parties. Even for a very low number of users, a grid resource owner may be the last to find out that a user has been convicted as a criminal for fraud, or has been determined to have hacked another resource.
Security levels in the information environment are inadequate
Grid cannot trust levels of authN in users home organisations. Grid RAs and CAs are better.
How does PKI live up to these assumptions?
Grids must scale
Anchor(PKIidentitymanscalability)
Identity management is a scalability bottleneck
Identity is best managed by "home organisations"
But need not be - identity is easier to manage than role etc.
Attribute management is a scalability bottleneck
Trust must be kept to a minimum on grids
Yes, general principle is true. However, as a resource owner it may not be possible to manage more than n users and therefore you have to trust third parties. Even for a very low number of users, a grid resource owner may be the last to find out that a user has been convicted as a criminal for fraud, or has been determined to have hacked another resource.
Security levels in the information environment are inadequate
Grid cannot trust levels of authN in users home organisations. Grid RAs and CAs are better.
How can Shibboleth play a role?
Grids must scale
Anchor(SHIBidentitymanscalability)
Identity management is a scalability bottleneck
Identity is best managed by "home organisations"
But need not be - identity is easier to manage than role etc.
Attribute management is a scalability bottleneck
Trust must be kept to a minimum on grids
Yes, general principle is true. However, as a resource owner it may not be possible to manage more than n users and therefore you have to trust third parties. Even for a very low number of users, a grid resource owner may be the last to find out that a user has been convicted as a criminal for fraud, or has been determined to have hacked another resource.
Security levels in the information environment are inadequate
Grid cannot trust levels of authN in users home organisations. Grid RAs and CAs are better.