12 | | The Clearinghouse Services were divided into two categories: primary and secondary. These services were discussed next on the panel. There seemed to be no opposition to the primary functions of the clearinghouse: endorsing agreements, registering project leaders, and registering projects. As a quasi-legal entity, the clearinghouse would serve as a trust anchor to minimize the number of pairwise agreements between GENI actors. Through some mechanism of endorsement, the CH would attest to official GENI identity portals, identity providers, slice authorities and aggregate authorities. A decision about mechanism was not made but should be soon. Two basic approaches are available: a trusted directory service or PMI-like asynchronous solution (e.g., ABAC). There was strong opposition to anything that would insert the CH into every resource allocation process in a blocking way, and there was general consensus that ABAC could solve this more elegantly. The big question that would remain is how to handle revocation then. Preferably short term credentials would be used with a trusted proxy renewal service, such as, MyProxy. |
| 12 | The Clearinghouse Services were divided into two categories: primary and secondary. These services were discussed next on the panel. There seemed to be no opposition to the primary functions of the clearinghouse: endorsing agreements, registering project leaders, and registering projects. As a quasi-legal entity, the clearinghouse would serve as a trust anchor to minimize the number of pairwise agreements between GENI actors. Through some mechanism of endorsement, the CH would attest to official GENI identity portals, identity providers, slice authorities and aggregate authorities. A decision about mechanism was not made but should be soon. Two basic approaches are available: a trusted directory service or PMI-like asynchronous solution (e.g., ABAC). There was strong opposition to anything that would insert the CH into every resource allocation process in a blocking way, and there was general consensus that ABAC could solve this more elegantly. The big question that would remain is how to handle revocation then. Preferably short term credentials would be used with a trusted proxy renewal service, such as, !MyProxy. |
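Review bot: the last sentence of the revised line still reads "such as, !MyProxy" with a stray comma after "such as", and "short term credentials" is missing its hyphen. The only visible difference between the two versions is the "!" prefix on MyProxy, so the same edit could also tidy the sentence to "Preferably, short-term credentials would be used with a trusted proxy renewal service such as !MyProxy." The preceding sentence, "The big question that would remain is how to handle revocation then", would read more clearly as "The big remaining question is how to handle revocation in that case."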