On Wed, 12 Oct 2005, Tim Chown wrote:
> If the site joins the UKERNA LIN, it can use whatever local backend it
> likes - in this case the Bluesocket device would communicate to a local
> RADIUS server (for local users) or via the national RADIUS proxy to the
> server in the visiting user's home institution.

What your talk yesterday in Edinburgh (for which many thanks, BTW) seemed
to confirm to me is that the current LIN approach seems to be limited to
using passwords and to require users to disclose their password on request
to LIN infrastructure at a site that they are visiting and then to have it
bounced across the country via a network of RADIUS proxies. I'm concerned
that users will not be able to correctly judge when they should and should
not divulge this password (making it vulnerable to theft) nor be able to
evaluate the safety of the forwarding mechanism (though in practice I'd
expect this to be safe). As a result I'm concerned that LIN-based
authentication will be extremely weak.

Web-redirect systems, and Shibboleth when using such for the local
authentication, have the advantage that a user should only need to divulge
their password, or other credentials, to a web site run by their home
institution with which they are probably already familiar. It seems to me
that this should result in somewhat stronger authentication.

> It's likely the LIN will push early for 802.1x deployment rather than
> web-redirect.

I don't yet know enough about 802.1x, but I think I'm about to have to
learn...

Jon.
--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge