OASIS Mailing List Archives

security-services message



Subject: Re: [security-services] suggested HoK URIs and namespace prefixes


On Wed, Aug 20, 2008 at 11:14 AM, Scott Cantor <cantor.2@osu.edu> wrote:
>
>> Are you referring to the delegation issue that Eve raised earlier?
>
> Yes, exactly. In most deployments, the number of servers with keys greatly
> outnumbers the number of users with keys (which is usually close to zero).

Not in grid deployments, no, that is far from true.

> The most common use case for a HoK assertion is a server accessing something
> as the user.

So at least now I think I understand where some of your comments are
coming from.  Comments such as: why couldn't a server bind a key to an
assertion where the key was obtained previously, out of band?  I made
some assumptions about this use case and suggested a patch to the
profile to accommodate it (i.e., a timestamp), but at least one person
(Conor) had a problem with that scenario.  So I'm not sure what to do
about it.

> Obviously there are flows in which the user could still do the requesting,
> but that isn't always the case.

Well, then I think the onus is on you to clarify these other use cases
so that we can take them into consideration.  The dialogue thus far
suggests this might be a useful exercise.

Tom

