[29225] in Kerberos
Re: Kerberized authorization service
daemon@ATHENA.MIT.EDU (John Hascall)
Mon Feb 11 13:16:10 2008
To: kerberos@mit.edu
In-reply-to: Your message of Mon, 11 Feb 2008 09:58:00 -0800.
<87ejbjml3r.fsf@windlord.stanford.edu>
Date: Mon, 11 Feb 2008 12:11:26 CST
Message-ID: <9712.1202753486@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Russ Allbery <rra@stanford.edu> writes:
> Stanford currently very much loses on this, in a wide variety of ways. We
> really only have one authorization system that copes correctly with role
> status changes (provided that it's used properly), and it only knows how
> to talk to the financial system and isn't (currently) usable as a general
> authorization solution. There is some active work in the Internet2 arena
> on this, but not to the point where I think people are deploying it.
The problem with the Internet2's work in this area
(i.e., Signet and Grouper) is that
they seem like they've never met a problem
that they didn't think the answer to it was:
while (problem) {
Throw the most complicated XML and Java possible at it.
}
(And they forgot to catch deathByBloatAndComplexityException)
John
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
