...
The Internet2 Community Architecture Committee for Trust & Identity (CACTI)
Number | Current Text | Proposed Text / Query / Suggestion | Proposer | +1 (add your name here if you agree with the proposal) | Action (please leave this column blank) |
|---|---|---|---|---|---|
| 1 | Students, faculty and staff often have very large numbers of groups and roles which need to be used for inter-institutional and intra-institutional authorization. These group memberships rely heavily on real-time revocation for security purposes, and the sheer number of groups often presents challenges to authorization at-scale, aka the “Kerberos PAC field problem” | In addition to concern re revocability of group memberships, membership in some groups should be confidential, eg, a group conferring management access to sensitive operational technology. Is there a form of audience restriction built-in to a credential and its verification process so that users are not solely responsible for maintaining this confidentiality? Similarly, an issuer may want to constrain where a user may show a credential it is the source of authority for. Both of these concerns arise in research cyberinfrastructure environments, and in neither case is the user an appropriate locus of policy enforcement. | Tom Barton | ||
See Also