Hi Mike,

There is more to it than what you propose, and this is the second point I make, i.e. whether 2 different users can be given the same DN or not by different CAs (we assume that the same CA will be competent enough to not do that). If the answer is yes, then your whole infrastructure is broken. If the answer is no, then the sentence below should be changed if, as you point out, there is much more to decision making than the DN on its own, such as lists and attributes that are used by authz services.

Regards

David

Mike Helm wrote:
David Chadwick writes:
I think this document is fundamentally flawed. This is either because it reflects the grid security infrastructure which is fundamentally flawed, or the document does not and therefore is in error. I refer to the sentence:
As many grid authentication and authorization decisions based on X.509 credentials currently only use the subject distinguished name for decision making
This is in effect saying that the CA is the SOA and there is no difference between authn and authz. Authn and Authz operate at the same
Is there anything more to this than a different interpretation of "only use ... for decision making" here?
My understanding of current grid practice (based on a mixture of hearsay, imagination, dreaming, rumor, and paranoia) is that X.509 subject names, and subject names only, are used as a primary key to lists/collections of attributes that authorization services keep. Some of these cases are pretty simple and some are complex databases. There are a few cases where these certs are also used directly for an authorization decision - all the ones I know of are on the boundaries between grid and non-grid services, or outside of grids altogether.
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax: +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
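As an added illustration of the second point above (this is not code from the thread or from any grid project), a Python sketch of an authorization lookup that keys attribute lists on the subject DN alone, beside one that keys on (issuer DN, subject DN), plus an audit that reports subject DNs issued by more than one trusted CA. The CA names, DNs and attribute lists are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    """The two names an authn step yields from a validated X.509 cert."""
    issuer: str   # DN of the CA that signed the certificate
    subject: str  # subject DN, the value many grid services key on


# Constructed sample: two CAs trusted by the site, and CA B happens to
# issue a certificate carrying the same subject DN that CA A already issued.
TRUSTED_CAS = {"CN=Grid CA A", "CN=Grid CA B"}
ALICE_A = Credential("CN=Grid CA A", "CN=Alice,O=Lab")
ALICE_B = Credential("CN=Grid CA B", "CN=Alice,O=Lab")
ALICE_ROGUE = Credential("CN=Untrusted CA", "CN=Alice,O=Lab")

# Attribute list keyed on subject DN only (the practice the thread describes).
ATTRS_BY_DN = {"CN=Alice,O=Lab": {"vo-admin"}}
# Attribute list keyed on the pair (issuer DN, subject DN).
ATTRS_BY_ISSUER_DN = {("CN=Grid CA A", "CN=Alice,O=Lab"): {"vo-admin"}}


def attrs_dn_only(cred: Credential) -> set:
    """DN-only lookup: any trusted CA that issues the DN inherits its attributes."""
    if cred.issuer not in TRUSTED_CAS:
        return set()
    return set(ATTRS_BY_DN.get(cred.subject, set()))


def attrs_issuer_qualified(cred: Credential) -> set:
    """Issuer-qualified lookup: the DN is only meaningful under the CA that issued it."""
    if cred.issuer not in TRUSTED_CAS:
        return set()
    return set(ATTRS_BY_ISSUER_DN.get((cred.issuer, cred.subject), set()))


def dn_collisions(issued) -> dict:
    """Audit check: subject DNs that more than one trusted CA has issued."""
    issuers_by_dn = {}
    for cred in issued:
        if cred.issuer in TRUSTED_CAS:
            issuers_by_dn.setdefault(cred.subject, set()).add(cred.issuer)
    return {dn: cas for dn, cas in issuers_by_dn.items() if len(cas) > 1}


if __name__ == "__main__":
    print("DN-only, CA B cert:", attrs_dn_only(ALICE_B))            # {'vo-admin'}
    print("qualified, CA B cert:", attrs_issuer_qualified(ALICE_B))  # set()
    print("collisions:", dn_collisions([ALICE_A, ALICE_B, ALICE_ROGUE]))
```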