[glue-wg] Updated version of appendix D.
Paul Millar
paul.millar at desy.de
Mon Jan 28 12:37:05 CST 2008
On Monday 28 January 2008 15:49:48 Burke, S (Stephen) wrote:
> Paul Millar [mailto:paul.millar at desy.de] said:
> > This would require specifying a schema-name part for FQAN. For
> > example, this
> > could be "fqan", with "fqan:/vo.example.org/Role=An-example"
>
> This is still under debate, we need some way of representing authz info
> but no-one is quite sure what the best way is. The current (1.3)
> solution does do pretty much what you suggest, in fact we publish
> something like "VOMS:/atlas/Role=Production", as well as the traditional
> "VO:atlas" form.
Ah, so we could use the "voms" schema-type, rather than "fqan", and perhaps
deprecate vo:atlas in favour of voms:/atlas ?
> One question is whether we would ever need to be able
> to support more than one authz scheme for the same resource/service.
I don't know how widely known this is, but there's a UK-based JISC project
(VPMan) that is looking into "merging" multiple authorisation schemes. Part
of the project involved a use-case capture, which is available here:
http://sec.cs.kent.ac.uk/vpman/D1-2v1.doc
(I've placed a PDF version here:
http://www.desy.de/%7Epaul/tmp/D1-2v1.pdf
but some of the diagrams seem to have been lost)
In particular, they mention VOMS and PERMIS, but Shibboleth also gets a
mention.
HTH,
Paul.