David Chadwick writes:
I think this document is fundamentally flawed. This is either because it reflects the grid security infrastructure which is fundamentally flawed, or the document does not and therefore is in error. I refer to the sentence:
As many grid authentication and authorization decisions based on X.509 credentials currently only use the subject distinguished name for decision making
This is in effect saying that the CA is the SOA and there is no difference between authn and authz. Authn and Authz operate at the same
Is there anything more to this than a different interpretation of "only use ... for decision making" here? My understanding of current grid practice (based on a mixture of hearsay, imagination, dreaming, rumor, and paranoia) is that X.509 subject names, and subject names only, are used as a primary key to lists/collections of attributes that authorization services keep. Some of these cases are pretty simple and some are complex databases. There are a few cases where these certs are also used directly for an authorization decision - all the ones I know of are on the boundaries between grid and non-grid services, or outside of grids altogether.
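The model the reply describes, a verified X.509 subject name serving only as a primary key into an attribute collection that the authorization service keeps, as an added illustration that is not part of the thread (the attribute store, the DN values, the policy table and the function names are all constructed for the example). The subject DN is assumed to have already been established by certificate path validation, so the code covers only the authorization lookup; the authentication step is out of scope. It also normalizes the two common DN spellings (OpenSSL slash form and RFC 4514 comma form) before using the DN as a key, since a key that differs only in separator or whitespace would otherwise silently miss the subject's attributes:

```python
# Added illustration, not code from the thread: keying an authorization lookup
# by X.509 subject DN. The DN is assumed to have been verified already by the
# authentication layer (certificate path validation), which is not shown here.

# Constructed sample attribute store; DNs and attributes are made up.
ATTRIBUTE_STORE = {
    "/C=UK/O=Example Grid/OU=People/CN=Alice Example": {
        "vo": "example-vo", "roles": {"member"},
    },
    "/C=UK/O=Example Grid/OU=Services/CN=batch-admin": {
        "vo": "example-vo", "roles": {"member", "admin"},
    },
}

# Hypothetical policy: the role each action requires.
REQUIRED_ROLE = {"submit_job": "member", "delete_data": "admin"}


def parse_dn(dn):
    """Split a subject DN into (type, value) RDN pairs ordered root-first.

    Accepts the OpenSSL one-line form (/C=UK/O=.../CN=...) and the RFC 4514
    form (CN=...,O=...,C=UK). Simplification: escaped separators and
    multi-valued RDNs are not handled.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]      # already root-first
    else:
        parts = dn.split(",")
        parts.reverse()                              # RFC 4514 lists leaf first
    rdns = []
    for part in parts:
        attr_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        # Attribute types are case-insensitive; whitespace runs in values are
        # collapsed. Value case is kept as-is (an assumption of this example).
        rdns.append((attr_type.strip().upper(), " ".join(value.split())))
    return tuple(rdns)


def normalize_dn(dn):
    """Canonical string used as the primary key into the attribute store."""
    return "/" + "/".join(f"{t}={v}" for t, v in parse_dn(dn))


def authorize(subject_dn, action, store=ATTRIBUTE_STORE, policy=REQUIRED_ROLE):
    """Return (allowed, reason).

    The DN only identifies the subject; the decision comes from the attributes
    the DN keys, not from anything in the DN itself.
    """
    needed = policy.get(action)
    if needed is None:
        return (False, "unknown action")
    attrs = store.get(normalize_dn(subject_dn))
    if attrs is None:
        return (False, "unknown subject")
    if needed not in attrs["roles"]:
        return (False, f"missing role {needed}")
    return (True, f"role {needed} in vo {attrs['vo']}")


if __name__ == "__main__":
    alice = "CN=Alice Example, OU=People, O=Example Grid, C=UK"
    for dn, action in [(alice, "submit_job"), (alice, "delete_data"),
                       ("/C=UK/O=Other/CN=Unknown", "submit_job")]:
        print(dn, action, authorize(dn, action))
```

Because the store is keyed by the normalized DN, the same subject is found whether the relying party hands over `/C=UK/O=Example Grid/OU=People/CN=Alice Example` or `CN=Alice Example, OU=People, O=Example Grid, C=UK`; an unknown DN gets no attributes and therefore no access, which keeps the authorization decision with the attribute service rather than with the CA that issued the name.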