[OGSA-AUTHZ] Updated version of VOMS Specification
Blair Dillaway
blaird at exchange.microsoft.com
Fri Apr 28 11:59:46 CDT 2006
Vincenzo,
In reading this draft I've found a few places I believe would benefit from some additional clarification.
(1) 3.1.1 - "As a consequence of this, in VOMS ACs the only admissible choice for the field is the baseCertificateID."
You might re-write this to say the holder field MUST include the baseCertificateID field and omit the entityName and objectDigestInfo fields. The syntax defines a sequence of 3 optional fields, not a choice.
(2) 3.4.1.2 - "Where <root group> is by convention the name of the virtual organization."
The document seems to imply this is a required encoding for interoperability purposes. If so, its not just a convention. You should clarify if this is a MUST, SHOULD, or RECOMMENDED encoding.
(3) 3.4.1.2 - "Future compatibility issue: It is possible that in the future a /Role=NULL component may be omitted in its entirety. The same goes for a /Capability=NULL part. Conforming applications SHOULD be prepared to handle these cases."
The previous paragraph states "The /Capability=<capability name> part is deprecated....". If so, I assume conforming implementations SHOULD always omit the /Capability part whether or not its null. Having it be deprecated and noting it may disappear in the future seem to be in conflict.
Also the statement that /Role=NULL *may* be omitted in the future seems to be in conflict with the examples in 3.4.1.3. The compact format shown does omit Role=NULL. If this is allowed, then the 'in the future' qualification should be removed. It should be stated if the compact format is recommended, required, or simply a supported encoding option.
(4) 3.4.2.2 - "A name-specific syntax that encodes multiple values in a single pair is also allowed."
Examples of a single value and multiple value encoding would be helpful here. The syntax in 3.4.2.1 indicates a Tag includes only a single name, value, and qualifier field. I assume how multiple values are encoded into the value field should be specified for interop purposes.
Regards,
Blair
> -----Original Message-----
> From: owner-ogsa-authz at ggf.org
> [mailto:owner-ogsa-authz at ggf.org] On Behalf Of Vincenzo Ciaschini
> Sent: Friday, April 28, 2006 6:34 AM
> To: ogsa Authz
> Subject: [OGSA-AUTHZ] Updated version of VOMS Specification
>
> Hi to All,
>
> This is the updated document about VOMS specification I
> promised yesterday.
>
> Apart from a few minor language clarifications, the main
> changes are in the following sections:
>
> 3.4.1 clarifications about the syntax of FQANs.
> 3.4.2 rewritten, with a (slight) change in format.
> 3.5.1 explanation rewritten. The previous explanation was the exact
> opposite of the truth. OOPS!
>
> Also, the AC example in section5 has been substituted with a
> more complete one.
>
> Bye,
> Vincenzo
>
>
More information about the ogsa-authz-wg
mailing list