Re: [ogpx] Seed capability behavior

Hogmanay Milestone <hogmanay.milestone@yahoo.com> Thu, 21 January 2010 01:30 UTC

Date: Wed, 20 Jan 2010 17:30:11 -0800
From: Hogmanay Milestone <hogmanay.milestone@yahoo.com>
To: "Infinity Linden (Meadhbh Hamrick)" <infinity@lindenlab.com>
In-Reply-To: <3a880e2c1001201716x4fd2ef85wee79d02a66fd2c0a@mail.gmail.com>
Cc: ogpx-bounces@ietf.org, "ogpx@ietf.org" <ogpx@ietf.org>
Subject: Re: [ogpx] Seed capability behavior

yes. you don't want the proxy to retain the right (either by error or by malice) to request subordinate service caps from the agent domain or the sensitive service on the intranet.

if you assume that the client's enterprise has a trust relationship with the agent domain, the question of "who do you get the seed cap from" can go either way.

in one case, the client may authenticate to an "agent domain" managed by their enterprise using the password from their enterprise SSO solution. the "enterprise agent domain" may then contact a public agent domain through a different channel and retrieve a seed cap from the public agent domain. it (the enterprise agent domain) could then pass this seed cap on to the client.

or it could go the other way...

maybe you want the enterprise to be able to "bless" a user account defined in a public agent domain (like second life.) in this case, the client would authenticate to the public agent domain first. the public agent domain would then use some other technique to request service caps from the enterprise agent domain, and would then pass them along to the client.

this would be a good use case if the enterprise wanted to grant privilege to existing accounts on a public agent domain instead of assuming the cost of provisioning a user account in their own domain.



----- Original Message ----
From: Infinity Linden (Meadhbh Hamrick) <infinity@lindenlab.com>
To: Hogmanay Milestone <hogmanay.milestone@yahoo.com>
Cc: Arrogant Cyberstar <arrogant.cyberstar@gmail.com>; David W Levine <dwl@us.ibm.com>; ogpx-bounces@ietf.org; "ogpx@ietf.org" <ogpx@ietf.org>
Sent: Wed, January 20, 2010 5:16:55 PM
Subject: Re: [ogpx] Seed capability behavior

On Wed, Jan 20, 2010 at 17:03, Hogmanay Milestone
<hogmanay.milestone@yahoo.com> wrote:
>>
>>but why would you need a proxy anyway?
>
>
> because the services requested by the proxy may be on the inside of a firewall while the client is on the outside. if the proxy was in the DMZ, you could use traditional network security tools to ensure that service requests only come from a proxy that you trust.
>

so if i understand you correctly, you want the client out there on the
internet to authenticate to an agent domain, get a seed capability
from the agent domain and then pass that seed capability to a proxy in
the DMZ of some organization (say, like the client's employer.)

the proxy would then use that seed cap to request service caps from...
someone? the agent domain? or a server in the client's employer's
intranet (that the proxy can access because it's in the DMZ?)

it's unclear where you're requesting the service caps from.

but i think i understand why you want the seed cap to be a one-shot.
if it wasn't a one-shot, the proxy _could_ retain the ability to
request service caps on the client's behalf.
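To make the one-shot property discussed in this thread concrete, here is an added example that is not part of the thread or of the OGP specification: a toy agent domain in Python that issues a seed cap at login and exchanges it for subordinate service caps. The account name and password, the service names, and the `Proxy` class that (by error or by malice) retains the seed token are all constructed for the illustration. Running `demo()` with `one_shot=True` shows the retained token being refused on reuse; with `one_shot=False` the same proxy keeps the ability to mint service caps on the client's behalf, which is exactly the risk described above.

```python
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class CapabilityError(Exception):
    """Raised when a seed or service capability is unknown or already consumed."""


class AgentDomain:
    """Constructed stand-in for an agent domain that issues capabilities.

    Tokens are unguessable random strings; authority lives entirely in the
    server-side tables, so a token that has been deleted is worthless.
    """

    def __init__(self, services: List[str], one_shot: bool = True) -> None:
        self.one_shot = one_shot
        self._services = set(services)
        # constructed credential store; a real deployment would use SSO/hashes
        self._accounts = {"alice": "correct-horse-battery-staple"}
        self._seed_caps: Dict[str, str] = {}                     # seed token -> account
        self._service_caps: Dict[str, Tuple[str, str]] = {}      # svc token -> (account, service)

    def login(self, account: str, password: str) -> str:
        """Authenticate and return a fresh seed capability."""
        expected = self._accounts.get(account)
        if expected is None or not hmac.compare_digest(expected, password):
            raise CapabilityError("authentication failed")
        token = secrets.token_urlsafe(32)
        self._seed_caps[token] = account
        return token

    def request_service_caps(self, seed_token: str, wanted: List[str]) -> Dict[str, str]:
        """Exchange a seed cap for subordinate service caps.

        In one-shot mode the seed cap is invalidated on first use, so whoever
        holds a copy afterwards (e.g. a proxy) cannot request further caps.
        """
        account = self._seed_caps.get(seed_token)
        if account is None:
            raise CapabilityError("unknown or already-consumed seed cap")
        if self.one_shot:
            del self._seed_caps[seed_token]
        granted: Dict[str, str] = {}
        for service in wanted:
            if service not in self._services:
                raise CapabilityError(f"no such service: {service}")
            token = secrets.token_urlsafe(32)
            self._service_caps[token] = (account, service)
            granted[service] = token
        return granted

    def invoke(self, service_token: str) -> Optional[Tuple[str, str]]:
        """Return (account, service) for a valid service cap, else None."""
        return self._service_caps.get(service_token)


class Proxy:
    """Constructed DMZ proxy that redeems a seed cap for the client and,
    whether by bug or by intent, keeps a copy of the seed token afterwards."""

    def __init__(self, agent_domain: AgentDomain) -> None:
        self.agent_domain = agent_domain
        self.retained_seed: Optional[str] = None

    def redeem(self, seed_token: str, wanted: List[str]) -> Dict[str, str]:
        caps = self.agent_domain.request_service_caps(seed_token, wanted)
        self.retained_seed = seed_token          # the retention the thread warns about
        return caps

    def try_reuse(self, wanted: List[str]) -> Dict[str, str]:
        """Attempt to mint more service caps from the retained seed token."""
        if self.retained_seed is None:
            raise CapabilityError("nothing retained")
        return self.agent_domain.request_service_caps(self.retained_seed, wanted)


def demo(one_shot: bool) -> Dict[str, object]:
    """Run the client -> proxy -> agent domain flow and report whether the
    proxy could reuse the seed cap after the legitimate exchange."""
    domain = AgentDomain(["inventory", "presence"], one_shot=one_shot)
    seed = domain.login("alice", "correct-horse-battery-staple")
    proxy = Proxy(domain)
    caps = proxy.redeem(seed, ["inventory"])
    # the service cap that was legitimately granted keeps working either way
    first_use_ok = domain.invoke(caps["inventory"]) == ("alice", "inventory")
    try:
        proxy.try_reuse(["presence"])
        reuse_allowed = True
    except CapabilityError:
        reuse_allowed = False
    return {"granted": sorted(caps), "first_use_ok": first_use_ok,
            "reuse_allowed": reuse_allowed}


if __name__ == "__main__":
    print("one-shot seed cap:", demo(one_shot=True))
    print("reusable seed cap:", demo(one_shot=False))
```

The point of the split between `_seed_caps` and `_service_caps` is that revoking the seed does not disturb caps already granted: the client keeps working, while the proxy's retained copy of the seed is dead. Whether the seed comes from an enterprise agent domain or a public one, as in the two flows described earlier in the message, the same one-shot exchange applies at whichever domain mints the subordinate caps.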