Table columns: Current Text | Proposed Text / Query / Suggestion | +1 (add your name here if you agree with the proposal) | Action (please leave this column blank)

Current Text: (none)

Proposed Text / Query / Suggestion:

Students, faculty and staff often have very large numbers of groups and roles which need to be used for inter-institutional and intra-institutional authorization. These group memberships rely heavily on real-time revocation for security purposes, and the sheer number of groups often presents challenges to authorization at scale, a.k.a. the “Kerberos PAC field problem”.

In addition to concerns about the revocability of group memberships, membership in some groups should be confidential, e.g., a group conferring management access to sensitive operational technology. Is there a form of audience restriction built into a credential and its verification process so that users are not solely responsible for maintaining this confidentiality? Similarly, an issuer may want to constrain where a user may show a credential it is the source of authority for.

Both of these concerns arise in research cyberinfrastructure environments, and in neither case is the user an appropriate locus of policy enforcement.

+1: Tom Barton

Action: Added use cases #32 and #33 in Appendix A to cover these, thanks!
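The three properties the query asks for (issuer-controlled audience restriction, verifier-side revocation checks, and credentials that do not have to carry every group a person belongs to) can be sketched in a small verifier. The following is an added illustration, not code from the page or from any referenced specification: it uses a constructed HMAC-signed token as a stand-in for whatever signed credential format is adopted, constructed issuer policy and revocation data, and hypothetical names (`issue`, `verify`, `GROUP_AUDIENCES`, `REVOKED`, `idp.example.edu`). The issuer decides which audiences each group may be disclosed to, so a credential scoped to the library never contains the operational-technology group, and the verifier rejects any credential whose `aud` is not its own and re-checks revocation at presentation time rather than trusting the user to withhold it.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed issuer key; a real issuer would sign with an asymmetric key and
# verifiers would hold only the public half.
ISSUER_KEY = b"constructed-demo-key-not-for-production"

# Issuer policy (constructed): which audiences each group may be disclosed to.
# The OT admin group is confidential and may only be shown to one verifier.
GROUP_AUDIENCES = {
    "grp:library-patrons": {"https://library.example.edu", "https://partner.example.org"},
    "grp:ot-admins": {"https://ot-console.example.edu"},
}

# Memberships revoked since issuance (constructed); a real verifier would query a
# live status endpoint. Entries are (subject, group).
REVOKED = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(subject: str, groups: list, audience: str, ttl: int = 300, now=None) -> str:
    """Issue an audience-scoped credential (hypothetical API).

    Only groups the issuer permits for this audience are included, so the
    credential stays small and confidential memberships are never carried to
    verifiers that are not entitled to see them.
    """
    now = int(time.time()) if now is None else now
    scoped = [g for g in groups if audience in GROUP_AUDIENCES.get(g, set())]
    payload = {
        "iss": "https://idp.example.edu",  # constructed issuer identifier
        "sub": subject,
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
        "groups": scoped,
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify(token: str, my_audience: str, now=None) -> list:
    """Verifier side (hypothetical API): check signature, audience and expiry,
    then drop any group revoked since issuance. Raises ValueError on rejection
    and returns the list of still-valid groups otherwise."""
    now = int(time.time()) if now is None else now
    body, sig = token.split(".")
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    # Audience restriction is enforced here, by the verifier, not by the user.
    if payload["aud"] != my_audience:
        raise ValueError("credential not intended for this verifier")
    if payload["exp"] <= now:
        raise ValueError("credential expired")
    # Real-time revocation: membership is re-checked at presentation time.
    return [g for g in payload["groups"] if (payload["sub"], g) not in REVOKED]
```

The size problem is addressed at issuance rather than at verification: because each credential lists only the groups relevant to the named audience, the per-credential group list is bounded by what that one verifier needs, not by everything the subject belongs to.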
