So to add to my diatribe, Authorization is only effective when done in context. Minimally, that means the client coming in has to prove some identity to make the authorization information meaningful. The authorization layer, to be effective, assumes that has happened. So, presented with credentials "x", were they presented in the context of person 'y' holding those credentials? At the most conservative outlook I want to know that you have been issued those credentials. At the very least I want to know that you are possibly a person that could have those credentials (stolen or not). None of the current LHC JWT schemes provide any assurance of that. So, in the end it's just feel-good security. I might as well make everything publicly accessible because there is no way of verifying the JWT other than that it's syntactically valid. There is no context. That is what I am agitated about because it makes me damn mad that we are going in that direction. This is not security; it's a facade that makes everyone think there is security.

Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1236#issuecomment-652942815
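The gap the comment describes, a cryptographically valid bearer JWT that says nothing about who is presenting it, can be shown in a few dozen lines. The following is an added example, not code from the xrootd project or from the commenter. It uses only the Python standard library: a hand-rolled HS256 mint/verify pair with a constructed demo secret, and, alongside it, a holder-of-key variant in the style of RFC 7800's `cnf` claim. The `cnf.kid` registry (`CLIENT_KEYS`), the nonce-based proof format and the function names are assumptions made for this illustration, not any existing token profile.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed issuer secret for the demo; a real issuer would use a per-issuer
# secret or, more likely, an asymmetric signing key.
ISSUER_SECRET = b"constructed-demo-issuer-hmac-key"

# Constructed registry of client proof keys, looked up by the token's cnf.kid.
# This is an assumption of the example: the service must already know which
# key a client holds for proof-of-possession to mean anything.
CLIENT_KEYS = {"client-key-1": b"constructed-client-proof-key"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, secret: bytes = ISSUER_SECRET) -> str:
    """Issue a compact HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_bearer(token: str, audience: str, now=None, secret: bytes = ISSUER_SECRET) -> dict:
    """Signature, audience and expiry check: everything a bearer check can establish.

    It proves the issuer minted the token and it is still valid. It proves nothing
    about the party handing it over; the same string verifies for anyone.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("aud") != audience:  # single-valued aud for simplicity
        raise ValueError("wrong audience")
    current = now if now is not None else time.time()
    if current >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def prove_possession(token: str, nonce: str, client_key: bytes) -> str:
    """Client side: MAC a server nonce together with a hash of the exact token,
    so the proof is tied both to this token and to this request."""
    msg = nonce.encode() + hashlib.sha256(token.encode()).digest()
    return b64url(hmac.new(client_key, msg, hashlib.sha256).digest())


def verify_with_context(token: str, audience: str, nonce: str, proof: str, now=None) -> dict:
    """Bearer checks plus holder-of-key binding via the cnf.kid claim."""
    claims = verify_bearer(token, audience, now)
    kid = claims.get("cnf", {}).get("kid")
    client_key = CLIENT_KEYS.get(kid)
    if client_key is None:
        raise ValueError("token is not bound to a key this service knows")
    expected = prove_possession(token, nonce, client_key)
    if not hmac.compare_digest(expected, proof):
        raise ValueError("presenter cannot prove possession of the bound key")
    return claims


def demo() -> dict:
    """Run both flows with a fixed clock and report which presentations pass."""
    now = 1_700_000_000
    aud = "demo-storage-service"  # constructed audience value
    bearer = mint_jwt({"sub": "alice", "aud": aud, "exp": now + 600})
    # Two different presenters of the same bearer string are indistinguishable.
    owner_bearer_ok = verify_bearer(bearer, aud, now)["sub"] == "alice"
    other_bearer_ok = verify_bearer(bearer, aud, now)["sub"] == "alice"

    bound = mint_jwt({"sub": "alice", "aud": aud, "exp": now + 600,
                      "cnf": {"kid": "client-key-1"}})
    nonce = "constructed-server-nonce-42"
    good_proof = prove_possession(bound, nonce, CLIENT_KEYS["client-key-1"])
    owner_bound_ok = verify_with_context(bound, aud, nonce, good_proof, now)["sub"] == "alice"
    try:  # holds the token string but not the client key
        verify_with_context(bound, aud, nonce, prove_possession(bound, nonce, b"not-the-key"), now)
        other_bound_ok = True
    except ValueError:
        other_bound_ok = False
    return {"owner_bearer_ok": owner_bearer_ok, "other_bearer_ok": other_bearer_ok,
            "owner_bound_ok": owner_bound_ok, "other_bound_ok": other_bound_ok}


if __name__ == "__main__":
    print(demo())
```

`verify_bearer` is the whole of what a plain JWT check can say, which is the comment's point: two callers with the same string get the same answer. `verify_with_context` adds the missing context by refusing any token that lacks a `cnf` binding and by requiring the presenter to demonstrate the bound key against a fresh server nonce, so a copied token alone is not enough.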