identity enables authority
Sep. 2nd, 2010 10:56 am
Big Faraway Observatory notes that travel to their site consumes many resources, so they allow remote operation of their facility over the internet. Remote site engineers and Big Faraway admins find recurring security concerns in the scheme used to authenticate remote users. Big Faraway admins have limited resources and are not prone to address the concerns. Remote site overseer wants to improve the security.
Big Faraway Observatory has an operable scheme for managing the identity of principal investigators, but no scheme for managing the identity of collaborators. I note that the overall structure of the problem is basically the same as blogger identities with friends lists; that is, there are principal investigators who are awarded telescope time, and they have teams of collaborators who may participate in (or even perform) the observations. I point out means by which authentication information could be automatically transferred to the principal investigators, but they would have to disseminate that authentication to delegated collaborators. Whereas some astronomers know what is meant by handling cryptographic authentication tokens, most do not.
I note one snip from the second paragraph of section 3 of the Internet Draft for OAuth 2.0 which has recently been required for Twitter clients:
> the authorization server MUST first verify the identity of the end-user.

In order to solve the problem somebody is going to have to manage identities, and delegation of authority to other identities. It doesn't make sense for that to be done by anyone other than Big Faraway Observatory. I assert to Remote site overseer that we can't solve the problem.