Hi Jon
On 22/04/2014 10:19, Jon Warbrick wrote:
> On Mon, 14 Apr 2014, David Chadwick wrote:
>
>> Semantics is something that an administrator might care about, if he
>> wants to intuitively understand who the user (or group) is that he is
>> giving access to when he sets the policy for the PDP. However, a mapping
>> function from a unique ID to a human meaningful string, under the
>> control of the administrator, can provide this. So the unique string
>> that Moonshot provides can be mapped by the application into a
>> meaningful string if this is required. The important thing is that
>> Moonshot provides the unique string.
>
> It's important that the unique string doesn't change unexpectedly over
> time, since that would require the mapping to be updated before the user
> (or group) could successfully authenticate. I understand (from a
> distance) that this is part of the objection to CUI.
>
> A further problem with identifying people by opaque string, especially
> if it can't be predicted in advance (as for Shib's ePTID), is that it
> complicates account provisioning since a potential user can't tell an
> administrator what their ID will be.
I agree. This is why we are developing an easy-to-use mechanism with
OpenStack. We have already published the design blueprint for this
(see https://wiki.openstack.org/wiki/Keystone/VOManagement if
interested) and have started the implementation. I gave a presentation
about this at the recent Internet2 meeting in Denver, CO.
> There are ways around this (require
> an initial authentication and subsequently upgrade the account,
> bootstrap the process with a single-use username/password, etc.) but
> these seem to confuse many administrators/implementers. I believe this
> is hampering uptake of Shib where only ePTID is available.
Let's hope our proposed method proves less confusing to everyone.
(Basically the admin creates a group he wants users to be members of and
gives the group appropriate access rights. This is a bog-standard part
of existing OpenStack. However, in our implementation he also associates
a PIN or pw with the group and distributes this and the group name to
the users he wants to join the group. They then log in to OpenStack via
their ID, quote the group and PIN/pw, and they are added to it, either
automatically or pending admin approval.)
>
> There are also issues around the semantics of unique ID's and privacy.
> Use cases involving privacy requirements may not be high on Moonshot's
> priority list at the moment, but they should not be accidentally ruled out.
I don't believe this is an issue, since the unique ID the IDP provides can
be targeted and SP-specific, and therefore unlinkable.
regards
David
>
> Jon.
>
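The two mechanisms discussed in this exchange, modelled as an added example (this is not code from the Keystone VO-management blueprint, from OpenStack or from Moonshot): a toy IdP that derives a targeted, SP-specific identifier, so that the ID is stable over time for one user at one SP (no re-mapping needed on later logins) but differs across SPs (no linking by comparing IDs); and the group-join flow, where an admin creates a group with access rights and a PIN, and a user who has logged in with their targeted ID quotes the group name and PIN and is added, either automatically or pending admin approval. The class names, the HMAC derivation of the targeted ID, the PBKDF2 PIN hashing and the bad-PIN lockout threshold are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets


class TargetedIdIssuer:
    """Toy IdP (assumption). The targeted ID is an HMAC over (SP entity ID,
    internal user key) under an IdP-held secret: deterministic for one
    (user, SP) pair, unlinkable across SPs without the secret."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def targeted_id(self, internal_user_key: str, sp_entity_id: str) -> str:
        msg = f"{sp_entity_id}\x00{internal_user_key}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


class VOGroupService:
    """Toy group service keyed by the targeted ID, which is all the SP sees."""

    PBKDF2_ITERS = 200_000
    MAX_BAD_PINS = 5  # assumption: lock the group after this many wrong PINs

    def __init__(self) -> None:
        self._groups: dict[str, dict] = {}

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, VOGroupService.PBKDF2_ITERS)

    def create_group(self, name: str, roles: set[str], pin: str, auto_join: bool = True) -> None:
        salt = secrets.token_bytes(16)
        self._groups[name] = {
            "roles": set(roles), "salt": salt, "pin_hash": self._hash_pin(pin, salt),
            "auto_join": auto_join, "members": set(), "pending": set(), "bad_pins": 0,
        }

    def join(self, targeted_id: str, group_name: str, pin: str) -> str:
        """User presents (targeted ID, group name, PIN). Returns the outcome."""
        g = self._groups.get(group_name)
        if g is None:
            return "rejected"  # unknown group: same answer as a wrong PIN
        if g["bad_pins"] >= self.MAX_BAD_PINS:
            return "locked"
        if not hmac.compare_digest(self._hash_pin(pin, g["salt"]), g["pin_hash"]):
            g["bad_pins"] += 1
            return "rejected"
        if g["auto_join"]:
            g["members"].add(targeted_id)
            return "joined"
        g["pending"].add(targeted_id)
        return "pending"

    def approve(self, group_name: str, targeted_id: str) -> bool:
        """Admin approval step for groups that are not auto-join."""
        g = self._groups[group_name]
        if targeted_id not in g["pending"]:
            return False
        g["pending"].discard(targeted_id)
        g["members"].add(targeted_id)
        return True

    def effective_roles(self, targeted_id: str) -> set[str]:
        roles: set[str] = set()
        for g in self._groups.values():
            if targeted_id in g["members"]:
                roles |= g["roles"]
        return roles


def demo() -> dict:
    """Walk through both halves with constructed data; returns the observations."""
    idp = TargetedIdIssuer(secret=b"constructed-idp-secret")
    id_at_cloud = idp.targeted_id("alice@idp.example", "https://cloud.example/sp")
    id_at_cloud_again = idp.targeted_id("alice@idp.example", "https://cloud.example/sp")
    id_at_wiki = idp.targeted_id("alice@idp.example", "https://wiki.example/sp")

    svc = VOGroupService()
    svc.create_group("project-x-admins", {"admin"}, pin="7319-kx", auto_join=True)
    svc.create_group("project-x-users", {"member"}, pin="4422-qq", auto_join=False)

    wrong = svc.join(id_at_cloud, "project-x-admins", "0000-00")
    joined = svc.join(id_at_cloud, "project-x-admins", "7319-kx")
    pending = svc.join(id_at_cloud, "project-x-users", "4422-qq")
    roles_before = set(svc.effective_roles(id_at_cloud))
    approved = svc.approve("project-x-users", id_at_cloud)
    roles_after = set(svc.effective_roles(id_at_cloud))

    return {
        "stable": id_at_cloud == id_at_cloud_again,
        "unlinkable": id_at_cloud != id_at_wiki,
        "wrong": wrong, "joined": joined, "pending": pending,
        "roles_before": roles_before, "approved": approved, "roles_after": roles_after,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The account never has to be pre-provisioned by the admin: the first successful join creates the membership under whatever targeted ID the IdP issued, which is why the user does not need to know their ID in advance. The PIN is a shared, low-entropy bootstrap secret, so it is hashed at rest, compared in constant time and counted against a lockout threshold; for the non-auto-join group the PIN only gets the user into the pending set, and the admin approval step is what grants the roles.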