[OGSA-AUTHZ] Use of Obligations in the Privilege Project Authorization Infrastructure for OpenScienceGrid

Markus Lorch mlorch at vt.edu
Mon Feb 21 19:36:09 CST 2005


Hi All,

I have written a document for the OGSA AuthZ WG that describes how we
use obligations in the privilege project for the Open Science Grid.
I have uploaded the document to grid forge at
/projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/1.

In short I decided to follow David's proposal for an
ObligatedAuthorizationDecisionStatement
but used the "Obligation" element as an extension point. I then implemented
an XACML Obligation. (Others could choose to implement PonderObligation.)

I found that all the obligations I want to convey are naturally expressed as
attribute assignments (see examples in the document). While there may be
semantic negotiation issues (which we also have for standard attributes), I
like the possible integration path with XACML over SAML and the ease with
which I can define an obligation in an XACML policy and have it with no effort
appear in the decision statement.

I continue to believe that we should move away from the SAML Authorization 
Decision Statement towards the use of XACML over SAML in the long run.
(see my email from Sept. 23, 2004)

I won't be able to attend GGF13. Hope y'all have a great meeting.

Markus

----------------------------------------------------------------
Markus Lorch                     
Department of Computer Science         	Phone: +1 540 231 5914
Virginia Tech, m/c 106                    Fax:	 +1 540 231 6075
Blacksburg, VA 24061, U.S.A.     http://people.cs.vt.edu/~mlorch
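
The obligations-as-attribute-assignments approach described in the message above, shown as an added example that is not part of the original e-mail or of the document it references: an enforcement point reads XACML `Obligation` elements, extracts their `AttributeAssignment` values, and refuses access when it has no handler for an applicable obligation. The XACML 2.0 namespace, the `urn:example` identifiers, the sample values and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: XACML 2.0 policy namespace; the e-mail does not name a version.
XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"

# Constructed sample. The urn:example ids and values are hypothetical.
SAMPLE = f"""
<Obligations xmlns="{XACML}">
  <Obligation ObligationId="urn:example:obligation:local-account" FulfillOn="Permit">
    <AttributeAssignment AttributeId="urn:example:attr:username"
        DataType="http://www.w3.org/2001/XMLSchema#string">osguser01</AttributeAssignment>
    <AttributeAssignment AttributeId="urn:example:attr:gid"
        DataType="http://www.w3.org/2001/XMLSchema#integer">5001</AttributeAssignment>
  </Obligation>
  <Obligation ObligationId="urn:example:obligation:audit" FulfillOn="Deny">
    <AttributeAssignment AttributeId="urn:example:attr:log-level"
        DataType="http://www.w3.org/2001/XMLSchema#string">alert</AttributeAssignment>
  </Obligation>
</Obligations>
""".strip()


class UnsupportedObligation(Exception):
    """Raised when the enforcement point cannot discharge an obligation."""


def parse_obligations(xml_text, decision):
    """Return {ObligationId: {AttributeId: value}} for obligations whose FulfillOn matches."""
    found = {}
    for ob in ET.fromstring(xml_text).iter(f"{{{XACML}}}Obligation"):
        if ob.get("FulfillOn") != decision:
            continue  # obligation applies to the other decision
        oid = ob.get("ObligationId")
        if not oid:
            raise ValueError("Obligation without ObligationId")
        found[oid] = {a.get("AttributeId"): (a.text or "").strip()
                      for a in ob.findall(f"{{{XACML}}}AttributeAssignment")}
    return found


def enforce(xml_text, decision, handlers):
    """Discharge every applicable obligation, refusing if any has no handler."""
    obligations = parse_obligations(xml_text, decision)
    unknown = sorted(set(obligations) - set(handlers))
    if unknown:
        # Fail closed: a PEP that cannot understand an obligation must not grant access.
        raise UnsupportedObligation(", ".join(unknown))
    return {oid: handlers[oid](attrs) for oid, attrs in obligations.items()}
```
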




