Re: [ggf-ogsa-sec-wg] inter-domain requirements
Olle Mulmo wrote:
>
> Brian,
>
> There was some discussion of a "club membership" approach recently.
> In such discussions, the dynamic part of an intra-enterprise trust
> relationship is simple: acquire the membership token. Once you have
> that, more or less static M-to-N assertions fix the rest.
>
> With M-to-N assertions I mean expressions like "any guy from XYZ tech
> support has access rights to any of the systems that we have bought
> from XYZ corporation."
>
> The reason I'm pointing this out is that in its current incarnation,
> SAML only deals with 1-to-N assertions, so we would probably need to
> tweak and bend things a bit in this scenario -- but it's doable.
>
> Is the club membership model something you foresee, or are you heading
> for an entirely dynamic model?
I think this case needs to be covered (although I hadn't thought of it
in exactly the same terms). This can probably be achieved by some form
of identity mapping.
SAML of course is only a way of thinking about the needed abstraction.
I can well believe that WS-Security will propose an alternative abstraction.
Brian
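As an added illustration (not code from the thread), the club-membership model discussed above: the membership token is the dynamic part, a static M-to-N rule maps a club to a class of resources, and the identity-mapping step expands that into the per-subject 1-to-N statements a SAML-style assertion can carry. All names, rules and data are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class MembershipToken:
    """Dynamic part: the club vouches for a subject until not_after (constructed format)."""
    subject: str
    club: str
    not_after: datetime

@dataclass(frozen=True)
class MtoNRule:
    """Static part: any member of `club` holds `right` on any resource whose attribute matches."""
    club: str
    resource_attr: str
    resource_value: str
    right: str

@dataclass
class Resource:
    name: str
    attrs: dict

def active_clubs(subject, tokens, now):
    """Clubs the subject can currently prove membership of; expired tokens are ignored."""
    return {t.club for t in tokens if t.subject == subject and t.not_after > now}

def authorized(subject, right, resource, tokens, rules, now):
    """M-to-N decision: current membership combined with the static club-to-resource rules."""
    clubs = active_clubs(subject, tokens, now)
    return any(r.club in clubs and r.right == right
               and resource.attrs.get(r.resource_attr) == r.resource_value
               for r in rules)

def expand_to_1_to_n(subject, tokens, rules, resources, now):
    """Identity mapping: flatten the M-to-N rules, for one subject, into the 1-to-N
    (right, resource) statements a SAML-style assertion about that subject can carry."""
    clubs = active_clubs(subject, tokens, now)
    return sorted((r.right, res.name) for r in rules if r.club in clubs
                  for res in resources if res.attrs.get(r.resource_attr) == r.resource_value)

# Constructed sample data: two support engineers, one whose membership token has lapsed.
NOW = datetime(2003, 1, 1, tzinfo=timezone.utc)
TOKENS = [
    MembershipToken("alice", "xyz-support", NOW + timedelta(hours=8)),
    MembershipToken("bob", "xyz-support", NOW - timedelta(days=1)),  # expired
]
RULES = [MtoNRule("xyz-support", "vendor", "XYZ", "admin")]
RESOURCES = [Resource("db1", {"vendor": "XYZ"}), Resource("db2", {"vendor": "XYZ"}),
             Resource("web1", {"vendor": "ACME"})]
```

The expansion step is where the membership becomes per-subject, so revoking or letting the token expire is enough to stop producing new 1-to-N statements for that subject.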