[OGSA-AUTHZ] Use of Obligations in the Privilege Project Authorization Infrastructure for OpenScienceGrid

Markus Lorch mlorch at vt.edu
Wed Feb 23 11:42:35 CST 2005


Apparently this version of the PDF had some formatting issues and cut off
some of the characters, thus I made yet another PDF and uploaded it:
https://forge.gridforum.org/projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/3

Maybe it would be easier if interested parties looked directly at the
source document of OSG:
https://plone3.fnal.gov/opensciencegrid/techgroups/tg-policy/vo-privilege/saml-with-obligations/document_view

Markus

> -----Original Message-----
> From: owner-ogsa-authz at ggf.org 
> [mailto:owner-ogsa-authz at ggf.org] On Behalf Of Markus Lorch
> Sent: Tuesday, February 22, 2005 9:41 AM
> To: 'Tom Barton'; ogsa-authz at ggf.org
> Subject: RE: [OGSA-AUTHZ] Use of Obligations in the Privilege
> Project Authorization Infrastructure for OpenScienceGrid
> 
> 
> 
> Sorry guys, I must have selected the wrong file type originally.
> A new version (PDF) with the appropriate filetype is at
> https://forge.gridforum.org/projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/2
> 
> or alternatively: http://tinyurl.com/5uuke
> 
> Markus
> 
> 
> > -----Original Message-----
> > From: Tom Barton [mailto:tbarton at uchicago.edu] 
> > Sent: Tuesday, February 22, 2005 7:23 AM
> > To: Markus Lorch
> > Subject: Re: [OGSA-AUTHZ] Use of Obligations in the Privilege
> > Project Authorization Infrastructure for OpenScienceGrid
> > 
> > 
> > Markus,
> > 
> > I'm not able to open that file - it seems to be a pdf, but gridforge has
> > it wrapped up as plain text. Could you fix it?
> > 
> > Thanks,
> > Tom
> > 
> > Markus Lorch wrote:
> > > Hi All,
> > > 
> > > I have written a document for the OGSA AuthZ WG that describes how we
> > > use obligations in the privilege project for the Open Science Grid.
> > > I have uploaded the document to grid forge at
> > > /projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/1.
> > >
> > > In short I decided to follow David's proposal for an
> > > ObligatedAuthorizationDecisionStatement
> > > but used the "Obligation" element as an extension point. I then implemented
> > > an XACML Obligation. (others could choose to implement PonderObligation)
> > >
> > > I found that all the obligations I want to convey are naturally expressed as
> > > attribute assignments (see examples in the document). While there may be
> > > semantic negotiation issues (which we also have for standard attributes) I
> > > like the possible integration path with XACML over SAML and the ease with
> > > which I can define an obligation in an XACML policy and have it with no
> > > effort appear in the decision statement.
> > >
> > > I continue to believe that we should move away from the SAML Authorization
> > > Decision Statement towards the use of XACML over SAML in the long run.
> > > (see my email from Sept. 23, 2004)
> > > 
> > > I won't be able to attend GGF13. Hope y'all have a great meeting
> > > 
> > > Markus
> > > 
> > > ----------------------------------------------------------------
> > > Markus Lorch                     
> > > Department of Computer Science         	Phone: +1 540 231 5914
> > > Virginia Tech, m/c 106                    Fax:	 +1 540 231 6075
> > > Blacksburg, VA 24061, U.S.A.     http://people.cs.vt.edu/~mlorch
> > > 
> > 
> 
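The pattern described in the original message above, obligations carried as XACML attribute assignments inside a decision statement, seen from the enforcement point; this is an added example, not code from the post or from the OSG Privilege Project. The wrapper namespace and element nesting, the obligation and attribute identifiers, the handler and the account-name rule are all assumptions (only the XACML `Obligation`/`AttributeAssignment` shape is standard), and the sketch turns a Permit into Deny when an obligation is unknown or its value fails validation.

```python
import re
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:1.0:policy"          # XACML 1.0 policy namespace
EXT_NS = "urn:example:obligated-authz"                    # placeholder (assumption)
OB_LOCAL_USER = "urn:example:obligation:local-username"   # constructed identifier
ATTR_USERNAME = "urn:example:attribute:username"          # constructed identifier

# Constructed sample statement; the wrapper layout is an assumption.
SAMPLE = f"""
<ext:ObligatedAuthorizationDecisionStatement xmlns:ext="{EXT_NS}"
    xmlns:xacml="{XACML_NS}" Decision="Permit">
  <ext:Obligation>
    <xacml:Obligation ObligationId="{OB_LOCAL_USER}" FulfillOn="Permit">
      <xacml:AttributeAssignment AttributeId="{ATTR_USERNAME}"
          DataType="http://www.w3.org/2001/XMLSchema#string">osguser01</xacml:AttributeAssignment>
    </xacml:Obligation>
  </ext:Obligation>
</ext:ObligatedAuthorizationDecisionStatement>
"""

def check_local_user(attrs):
    """Accept the obligation only if it carries one well-formed account name."""
    return bool(re.fullmatch(r"[a-z][a-z0-9_]{0,30}", attrs.get(ATTR_USERNAME, "")))

HANDLERS = {OB_LOCAL_USER: check_local_user}

def enforce(statement_xml, handlers=HANDLERS):
    """Return (decision, {obligation_id: assignments}); fail closed to Deny."""
    root = ET.fromstring(statement_xml)
    decision = root.get("Decision")
    fulfilled = {}
    for ob in root.iter(f"{{{XACML_NS}}}Obligation"):
        if ob.get("FulfillOn") != decision:
            continue  # obligation applies to the other decision value
        attrs = {a.get("AttributeId"): (a.text or "").strip()
                 for a in ob.findall(f"{{{XACML_NS}}}AttributeAssignment")}
        handler = handlers.get(ob.get("ObligationId"))
        if handler is None or not handler(attrs):
            return "Deny", {}  # unknown or unfulfillable obligation
        fulfilled[ob.get("ObligationId")] = attrs
    return decision, fulfilled

if __name__ == "__main__":
    print(enforce(SAMPLE))               # obligation understood and valid
    print(enforce(SAMPLE, handlers={}))  # no handler registered: fail closed
```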




