Changes between Version 7 and Version 8 of ClearinghousePanelSummary


Timestamp:
11/17/11 12:19:36 (12 years ago)
Author:
tmitchel@bbn.com
Comment:

--

  • ClearinghousePanelSummary

    v7 v8  
    1010
    1111= Clearinghouse Services =
    12 The Clearinghouse Services were divided into two categories: primary and secondary. These services were discussed next on the panel. There seemed to be no opposition to the primary functions of the clearinghouse: endorsing agreements, registering project leaders, and registering projects. As a quasi-legal entity, the clearinghouse would serve as a trust anchor to minimize the number of pairwise agreements between GENI actors. Through some mechanism of endorsement, the CH would attest to official GENI identity portals, identity providers, slice authorities and aggregate authorities. A decision about mechanism was not made but should be soon. Two basic approaches are available: a trusted directory service or PMI-like asynchronous solution (e.g., ABAC). There was strong opposition to anything that would insert the CH into every resource allocation process in a blocking way, and there was general consensus that ABAC could solve this more elegantly. The big question that would remain is how to handle revocation then. Preferably short term credentials would be used with a trusted proxy renewal service, such as, MyProxy.
     12The Clearinghouse Services were divided into two categories: primary and secondary. These services were discussed next on the panel. There seemed to be no opposition to the primary functions of the clearinghouse: endorsing agreements, registering project leaders, and registering projects. As a quasi-legal entity, the clearinghouse would serve as a trust anchor to minimize the number of pairwise agreements between GENI actors. Through some mechanism of endorsement, the CH would attest to official GENI identity portals, identity providers, slice authorities and aggregate authorities. A decision about mechanism was not made but should be soon. Two basic approaches are available: a trusted directory service or PMI-like asynchronous solution (e.g., ABAC). There was strong opposition to anything that would insert the CH into every resource allocation process in a blocking way, and there was general consensus that ABAC could solve this more elegantly. The big question that would remain is how to handle revocation then. Preferably short term credentials would be used with a trusted proxy renewal service, such as, !MyProxy.
    1313
    1414Another big decision that needs to be made is regarding who can bind projects to slices. It is at this step that it is verified that all the actors involved (e.g., slice owner, slice authority, identity portal of the slice authority) are all GENI endorsed actors because this is when a slice becomes a true CH-endorsed GENI slice. However, if implemented in ABAC, a slice authority (SA) could check all of these things as well as check that the slice owner has the rights to bind slices to to a given project registered at the CH. If it is implemented this way, there would have to be some agreement with SAs that they would perform these same checks as well as answer questions from the CH or GMOC regarding the project a given slice is associated with. This decision should be made soon so proper agreements and processes can be drafted.
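
Review bot: in the revised line 12, the phrase "such as, !MyProxy" keeps the stray comma after "such as"; since this edit already touches that sentence, drop the comma so it reads "such as !MyProxy". The leading "!" is the wiki escape that stops MyProxy from rendering as a CamelCase page link, which appears to be the only intent of this change, but the Comment field for this version is empty ("--"), so a one-line change comment saying so would help anyone reading the page history. While here, context line 14 has a doubled word in "bind slices to to a given project".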