---+ Delegation service

The delegation service is a way to get credentials into another service such that the latter service can act on a user's behalf. We've planned to have a delegation service since the start of the SSO activity.

The problem is this: given a client that holds a certificate and private key for a user, the client can authenticate to a service in the user's name, but that service cannot immediately authenticate as the user to a subordinate service. Therefore, for example, a secured DAL service cannot deliver results to a secured VOSpace without some help.

To fix this, the client has to _delegate credentials_ to the first service. That means that the client has to sign a proxy certificate matching some private key that the service holds. This mechanism needs to be standardized. It's easiest to frame that standard in terms of a _delegation service_ that runs alongside the service needing the delegated credentials.

In outline, the delegation service generates a key-pair, passes the public key back to the client as a certificate-signing request and accepts the signed certificate from the client. It then makes the certificate and private key available to other, local services via a secure back-channel. This form of _delegation by impersonation_ is standard in Grid computing.

---++ Details of the delegation service

   * InitialProposalForRESTfulDelegationService

-- IVOA.GuyRixon - 05 Mar 2007
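As an added illustration of the outline above (this is not IVOA code and not the proposal's own implementation), the Go program below models the three steps with the standard library's crypto/x509 package: the delegation service generates a key pair and returns a CSR, the client checks the CSR and signs a proxy certificate with the user's key, and the service accepts the proxy only after checking it. Everything in it is constructed: the user identity "alice" and organisation "Example VO" are sample values, the function names are invented, the user certificate is a self-signed fixture flagged as a CA purely because crypto/x509 has no RFC 3820 ProxyCertInfo support and would otherwise refuse a certificate signed by an end-entity certificate, and the secure back-channel to the local services is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// newUserIdentity is a constructed fixture for the certificate and key the client already
// holds. The CA flag is set only because crypto/x509 has no RFC 3820 proxy support and
// would otherwise reject a certificate signed by an end-entity certificate.
func newUserIdentity(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example VO"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Step 1 (delegation service): generate a key pair and return a CSR for its public half.
// The private key never leaves the service; only the CSR travels to the client.
func serviceCreateCSR() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "proxy"}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return key, csr, err
}

// Step 2 (client): check that the CSR is signed by the key it names (proof of possession),
// then sign a proxy certificate under the user's name with a bounded lifetime. No CA flag
// is set, so the proxy cannot itself issue further certificates in this chain.
func clientSignProxy(csrDER []byte, userCert *x509.Certificate, userKey *ecdsa.PrivateKey,
	lifetime time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	subject := userCert.Subject // RFC 3820 naming: the user's subject plus one extra CN
	subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "proxy"}}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // a real issuer would draw a random serial
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, userCert, csr.PublicKey, userKey)
}

// Step 3 (delegation service): keep the proxy only if it carries the key from step 1,
// chains to the user's certificate and does not outlive the service's lifetime policy.
func serviceAcceptProxy(proxyDER []byte, key *ecdsa.PrivateKey, userCert *x509.Certificate,
	maxLifetime time.Duration) (*x509.Certificate, error) {
	proxy, err := x509.ParseCertificate(proxyDER)
	if err != nil {
		return nil, err
	}
	if !key.PublicKey.Equal(proxy.PublicKey) {
		return nil, errors.New("proxy public key does not match the delegated private key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(userCert)
	if _, err := proxy.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return nil, err
	}
	if time.Until(proxy.NotAfter) > maxLifetime {
		return nil, errors.New("proxy lifetime exceeds the service's policy")
	}
	return proxy, nil
}
```

The functions are called in order: =serviceCreateCSR=, then =clientSignProxy= with the CSR and the user's own certificate and key, then =serviceAcceptProxy= with the returned certificate and the key from step 1. The three checks in step 3 are the ones a practitioner would want before the service stores anything: the certificate must match the private key the service generated (otherwise a stray certificate is being filed against the wrong key), it must chain to the user it claims to represent, and it must not be valid for longer than the service is willing to hold a credential. The =CheckSignature= call in step 2 gives the client the matching assurance that whoever sent the CSR actually holds the private key that the proxy will be bound to.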
Topic revision: r1 - 2007-03-05 - GuyRixon