Coda File System

Re: global identities name space?

From: Ivan Popov <pin_at_medic.chalmers.se>
Date: Tue, 20 Jan 2004 08:03:54 -0500
Hello Stephen,

>     Ivan> I'd like to give, say, a login process at site A an identity
>     Ivan> name ensured by site B, so that the login program would
>     Ivan> painlessly and securely verify my proof via B -
>
> I don't really understand the application, though.  A passport, as you
> say, is purely authentication, and doesn't provide authorization for
> real services.  It just allows "the authorities" to track the behavior
> of a particular identity.  I can understand why "the authorities"
> would want this, but from the point of view of a service user, what is
> the benefit of this?

It is a need and benefit of a service provider!

You still manage authorization (of course)
but can use existing authentication services transparently,
for any service being offered to the end-user.

The end user benefits indirectly as she needs fewer identities to care about.

> I don't see
> why this requires a global namespace uniquely identifying users.

If you do not have such a namespace, you cannot use authentication services
globally.

> We already have Kerberos and SSH which have some of these features;

Which features do you mean they have?

Let's see. SSH is not an authentication service,
it provides a remote login service and a remote file access service.

Have you any way to let your sshd securely use the Chalmers DCE account
database? Any other database you do not have administrative control over?

No, you'd need to get an account for your host, and you won't.

How would you distinguish between a "pin:....." entry in your local passwd file,
if it happened to be present there, and my "pin" account at Chalmers?

> what new applications would be enabled by (eg) allowing TGTs from
> multiple Kerberos realms at a given host?

Kerberos realm names are not unique in the world.
It is the service _client_ configuration which points to the right KDC,
outside of the control of the service provider as soon as the concerned
service is a distributed one.

Then, to use it securely you need a service/host account in each Kerberos
realm you want to authenticate against... it probably would hinder
Kerberos realm administrators from offering authentication services
in large scale... :)

Best regards,
--
Ivan
Received on 2004-01-20 11:33:48
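An added example (not from this thread or the Coda project) modelling the collision Ivan raises above: an authorization table keyed by a bare user name cannot tell the local passwd "pin" from a "pin" authenticated by another Kerberos realm, whereas keying by a qualified name@REALM identity keeps the two apart. The realm names, passwd entries and ACL rights are constructed sample data.

```python
from typing import NamedTuple

LOCAL_REALM = "EXAMPLE.ORG"  # assumed name of the local (service-side) realm


class Identity(NamedTuple):
    name: str
    realm: str

    def qualified(self) -> str:
        return f"{self.name}@{self.realm}"  # Kerberos-style name@REALM spelling


def parse_principal(text: str, default_realm: str = LOCAL_REALM) -> Identity:
    # "pin" is a local name; "pin@CHALMERS.SE" is the same string in another realm.
    name, sep, realm = text.partition("@")
    if not name or (sep and not realm):
        raise ValueError(f"malformed principal: {text!r}")
    return Identity(name, realm if sep else default_realm)


# Constructed local passwd entries (sample data, not from any real host).
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/sh\npin:x:1001:1001:Local Pin:/home/pin:/bin/sh\n"


def local_user_names(passwd_text: str) -> set:
    return {line.split(":", 1)[0] for line in passwd_text.splitlines() if line}


# Two authorization tables for the same service (constructed sample data).
BARE_ACL = {"pin": {"read", "write"}}  # keyed by bare name: ambiguous
# Keyed by qualified identity. Note this is only as unique as the realm
# names themselves, which, as the message points out, are not globally unique.
QUALIFIED_ACL = {
    "pin@EXAMPLE.ORG": {"read", "write"},
    "pin@CHALMERS.SE": {"read"},
}


def rights_bare(ident: Identity) -> set:
    return BARE_ACL.get(ident.name, set())


def rights_qualified(ident: Identity) -> set:
    return QUALIFIED_ACL.get(ident.qualified(), set())


def collision_report() -> dict:
    local = parse_principal("pin")               # matches the passwd entry
    remote = parse_principal("pin@CHALMERS.SE")  # authenticated by another realm
    assert local.name in local_user_names(LOCAL_PASSWD)
    return {
        "bare_remote": rights_bare(remote),            # local pin's rights leak
        "qualified_remote": rights_qualified(remote),  # only what was granted
        "qualified_local": rights_qualified(local),
    }
```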