[gin-auth] Re: Create a VO for MultiGrid team ?

Dane Skow skow at mcs.anl.gov
Thu Mar 2 16:40:16 CST 2006 

(I'm going to duck out for a long weekend holiday in just a minute so  
let me make a comment then sign off until Monday.)

Until we get a first GIN VOMS service, we're stuck with dealing with  
individual DNs for each grid pairing.
I agree with you, that is very undesirable even in the short term.    
I think you're advocating to choose an arbitrary name which is  
unlikely to conflict (to avoid contributing to the problem) rather  
than try to quickly drive to consensus on a namespace schema. I'm  
fine with that if we recognize that for what it is. I just don't want  
to stall on the namespace issue (while agreeing it needs to be dealt  
with in the not too distant future).

I think we should take opportunities to make steps forward as we  
integrate, but we shouldn't hold up critical path items for non  
critical path concerns (don't let the "better" become the enemy of  
the "good enough"). I'm happy with whatever name is agreed (and I'm  
happy to let Oscar choose, myself), but let's recognize this VO as  
bootstrapping and that we'll likely have to revise as we move forward  
and move on. For example, we could debate whether we want a "big  
endian" (like OID) or a "little endian" (like DNS) namespace. All  
needs to be settled, but isn't defined today. If we can reach  
consensus quickly - fine - but the debate on the EGEE lists has  
lasted quite a while now just there.

I think a better way to frame the same question is:  What VOs do  
people have in the GIN grids now and how will we deal with namespaces  
as we pull THOSE VOs in as cross-grid authorities ?  (There's another  
inventory that it would be good for someone to push -- by the way,  
haven't seen anything more back on the CA inventory  
contributions ;-))  Buys us a few weeks at least to discuss (and we  
can reform the GIN* VO as needed to deal with the resulting  
convention) while we continue to make progress in the here and now.

Cheers,
Dane

On Mar 2, 2006, at 3:57 PM, Oxana Smirnova wrote:

> Hi,
>
> I'm sorry, but what if soon somebody else will create a VO called  
> GIN? How can we tell one from anther? Maybe such a VO already  
> exists and we are going to infringe on somebody's rights?
>
> What I mean, please let's call it GRID.GIN, or GGF.GIN, or at least  
> (worse is only simply GIN) GIN.GGF.ORG, before we all agree on  
> globally unique VO names. Oscar, you should know better than  
> anybody else about the "FUSION" VO name clash couple of weeks ago.
>
> Cheers,
> Oxana
>
> Oscar Koeroo пишет:
>> Hi Dane,
>> I will create a new VO called "GIN" in the morning (Central  
>> European Time) which means a new VOMS Admin instance and a new  
>> VOMS daemon (AC provider).
>> It will have the grid-mapfile interface limited to everybody who  
>> can present a user/hostcertificate signed by a CA within the IGTF  
>> (standard policy but I can be more flexibel for the GIN VO).
>> I'll email to this list about the coordinates of the VOMS server.
>>    Oscar
>> Dane Skow wrote:
>>>
>>> Thanks for the ping Erwin. I'm sorry for the slow response. Yes,  
>>> I  think we should take you up on the offer. I've done a quick  
>>> survey of  those who mentioned interest in running a VOMS and the  
>>> other options  would have greater startup delays and effort. I  
>>> like the "GIN" name.   Oscar can you let us know when this is  
>>> setup and how to register  people's certificates ? Once we have  
>>> this ready, we should announce  it to the full GIN at ggf.org list  
>>> since the other groups will likely  want to start registering too.
>>>
>>> To be clear, we want both VOMS functions (right?):  to be able  
>>> to  generate a list of DNs (for constructing a gridmapfile  
>>> snippet) and  the ability to generate VOMS authorization  
>>> attributes so people can  use whichever
>>> combination they need to get started. I think we'll likely have a  
>>> mix  of gridmapfiles and authorization service calls for a while  
>>> yet.
>>>
>>> Dane
>>>
>>> On Mar 2, 2006, at 2:42 AM, Erwin Laure wrote:
>>>
>>>> Hi Dane,
>>>>
>>>> Was there already a decision which VOMS server to use? I  
>>>> haven't  heard anything so I assume it will be the NIKHEF one.
>>>>
>>>> Cheers,
>>>>
>>>> -- Erwin
>>>>
>>>> Erwin Laure wrote:
>>>>
>>>>> Hi Dane et al.,
>>>>> This is a very good plan.
>>>>> EGEE could offer our existing VOMS service that runs in NIKHEF   
>>>>> (Oscar Koeroo, cc'ed, is the responsible for the system) and   
>>>>> already serves a number EGEE pre-production VOs.
>>>>> I'd suggest we call the VO "gin" ;-)
>>>>> Cheers,
>>>>> -- Erwin
>>>>> Dane Skow wrote:
>>>>>
>>>>>>
>>>>>> First copy of this didn't get through due to list problem.   
>>>>>> Hopefully  fixed now.
>>>>>> D
>>>>>>
>>>>>> On Feb 23, 2006, at 11:23 AM, Dane Skow wrote:
>>>>>>
>>>>>>>
>>>>>>> Oxana brought up the excellent suggestion that we should   
>>>>>>> quickly  create a VOMS service for persons working on  
>>>>>>> bringing  up the  MultiGrid interoperation. Since we need to  
>>>>>>> identify a  manageable  set of DNs for early adopters to  
>>>>>>> enable and clearly  identify them  (and they will be involved  
>>>>>>> in different groups),  and we're  consolidating on the VOMS  
>>>>>>> authorization info for now,  this seems  like a good  
>>>>>>> bootstrap idea. Rhys from APAC has  offered to setup  such a  
>>>>>>> VOMS service but is checking on the  timescale that could be   
>>>>>>> done. Is there someone else ready and  eager to setup a VOMS   
>>>>>>> instance so we can get started with  identifying people  
>>>>>>> working on  GIN ?
>>>>>>>
>>>>>>> Another thing I've started is a matrix of CA usage by the   
>>>>>>> various  grids (updated by David Groep and Yoshio Tanaka -   
>>>>>>> thanks). I've  discovered this list is rather larger than I   
>>>>>>> expected and that it's  changing quickly as people move  
>>>>>>> forward  on interoperation, but I  think there may be value  
>>>>>>> in creating a  snapshot of what our grids  use now. It may  
>>>>>>> not be worth the  effort to try to keep a current  master  
>>>>>>> list, but we can see.   I'll keep a current copy at http://  
>>>>>>> www.mcs.anl.gov/~skow/GIN/ GIN-CAs.xls if folks send me  
>>>>>>> their  updates (at least til we get  a full coverage).
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Dane
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>
>

More information about the gin-auth mailing list