Re: Access control use-cases

From: Roy Williams <roy-at-cacr.caltech.edu>
Date: Tue, 11 Jul 2006 12:57:11 -0700


Norman

A group of us in NVO have been pushing the idea of "graduated security". When a protected service is requested, the more strongly authenticated person gets more resource than the weakly authenticated. Weakest authentication is of course nothing (anonymous), and you may get a crumb. If you have filled in a web form and proved that you have a valid email, you are "weakly authenticated", and you get more.

The Nesssi system is predicated on graduated security: the certificate and the request are considered *together* to decide whether to devote resources to the request. This is a contrast to traditional systems, where you must prove who you are first in a rigorous way before getting anything at all.

We are adding the idea of a "Dataset Visa", meaning that your certificate allows access to private data. Nesssi imaging services are available to anyone for public surveys, but reject those without the proper visa if you try to use the service on private data.

Roy

References

http://www.us-vo.org/nesssi/
http://www.us-vo.org/nesssi/soc.html
http://www.us-vo.org/pubs/files/hotgrid.pdf


On Jul 7, 2006, at 10:46 AM, Norman Gray wrote:

>
> Greetings,
>
> I'm going to be doing some work on access control and
> authorisation, initially within the AstroGrid context, but it would
> I hope be applicable more broadly. I'm gathering use-cases, and
> have a few collected at
> <http://wiki.eurovotech.org/twiki/bin/view/VOTech/AccessControlUseCases>.
> Some of these were extracted from
> this list's archives. If I've missed your favourite one, please do
> shout. Or if I've missed your least-favourite, most headache-
> inducing, one.
>
> I was talking recently to some folk who are working on policy
> management (partly, though not exclusively, in the context of the
> semantic web). They seemed rather dismayed at how simple most use-
> cases were, since they were aiming at a pretty powerful system.
>
> So let rip. The ones I've got so far are probably fairly easily
> manageable (in terms of the logic and delegation involved, rather
> than necessarily their implementation in a live system).
>
> Thanks!
>
> Norman
>
>
> --
> ----------------------------------------------------------------------------
> Norman Gray / http://nxg.me.uk
> eurovotech.org / University of Leicester, UK
>
>
>

California Institute of Technology
626 395 3670

Received on 2006-07-11Z21:59:45
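The "graduated security" decision described in the message above, sketched as an added example that is not part of the original email and is not Nesssi code: the credential and the request are evaluated together, and a Dataset Visa is required only when the request touches private data. The tier names, budget figures, dataset names and the `decide` function are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    ANONYMOUS = 0  # no credential at all
    WEAK = 1       # proved a valid email through a web form
    STRONG = 2     # assumed tier: a more rigorously issued certificate


# Constructed per-request budgets (CPU-seconds); not figures from the page.
BUDGET = {AuthLevel.ANONYMOUS: 10, AuthLevel.WEAK: 600, AuthLevel.STRONG: 36000}


@dataclass(frozen=True)
class Credential:
    subject: str = "anonymous"
    level: AuthLevel = AuthLevel.ANONYMOUS
    visas: frozenset = frozenset()  # private datasets this certificate may read


@dataclass(frozen=True)
class Request:
    dataset: str
    private: bool
    cost: int  # estimated CPU-seconds the service would spend


def decide(cred: Credential, req: Request) -> tuple[bool, str]:
    """Weigh credential and request together instead of gating on identity first."""
    # Dataset Visa: private data needs a matching visa, however cheap the request.
    if req.private and req.dataset not in cred.visas:
        return False, "no visa for private dataset"
    # Graduated security: stronger authentication unlocks a larger budget.
    if req.cost > BUDGET[cred.level]:
        return False, f"cost exceeds {cred.level.name} budget"
    return True, "granted"


if __name__ == "__main__":
    anon = Credential()
    holder = Credential("alice", AuthLevel.STRONG, frozenset({"private-survey-x"}))
    for cred, req in [
        (anon, Request("public-survey", False, 5)),       # the anonymous "crumb"
        (anon, Request("public-survey", False, 100)),     # too costly for anonymous
        (anon, Request("private-survey-x", True, 5)),     # cheap, but no visa
        (holder, Request("private-survey-x", True, 1000)),
    ]:
        print(cred.subject, req.dataset, req.cost, decide(cred, req))
```

The visa check runs before the budget check so that a request on private data is refused for the missing visa even when it would fit the caller's budget.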