[OGSA-AUTHZ] Primary VO/group
David Chadwick
d.w.chadwick at kent.ac.uk
Wed Nov 1 08:20:21 CST 2006
Joni Hahkala wrote:
>>
>> If this is the case then the "primary" tag would need to be separately
>> shown inside the proxy cert.
>
> Yes, if ordering would not be used as the deciding factor then there
> would be need for a separate tag either as a proxy extension or within
> the VOMS extension structure, for example within (or end of) the list of
> ACs.

If this is the case, then I can see little benefit in doing it via the
proxy cert, since the AC validating component will need to tag the first
attribute in the first AC as the primary one in an internal
implementation-dependent way, regardless of whether this is based on
ordering of the ACs or a tag in the proxy cert.

What Frank was suggesting was that the primary flag was incorporated
into the attribute type of an AC so that no special
implementation-dependent way of processing was needed by the service
provider.

So, I suggest the following as an improved way of working.

1. The user knows prior to job submission which attribute he wants to be
his primary one for this grid job.
2. The user contacts the various VOMS servers in any order he chooses
and asks for the various attributes to be put into ACs and returned to him.
3. The user signals the VOMS server that holds his primary attribute for
this grid job, to flag this chosen attribute as the primary one, and to
return this inside the AC marked as the primary attribute (using a
method similar to the eduPerson one outlined earlier).
4. The ACs are packaged into the proxy cert in a random order, since now
we have a primary flag embedded into one of the attribute types in one
of the ACs, so ordering is no longer needed.

regards

David

>
> Cheers,
> Joni
>>
>> regards
>>
>> David
>>
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
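
An added illustration of the consumer side of the four-step proposal above (not part of the original message, and not VOMS or any project's code): a service provider picks the primary attribute by attribute type alone, so the order in which ACs were packaged does not matter. The attribute type names, the AC model and the decision to reject zero or multiple primaries are assumptions made for this sketch.

```python
import random

# Hypothetical attribute type names; the thread only says the primary flag is
# carried in the attribute type, in a way similar to eduPerson.
GROUP_TYPE = "voGroup"
PRIMARY_GROUP_TYPE = "voPrimaryGroup"


class PrimaryAttributeError(Exception):
    """The validated ACs do not name exactly one primary attribute."""


def select_primary(acs):
    """Return (issuer, value) of the single primary attribute.

    `acs` is a list of ACs whose signatures were already validated, each
    modelled as {"issuer": str, "attributes": [(attr_type, value), ...]}.
    The position of an AC or attribute in its list is never consulted.
    """
    primaries = [
        (ac["issuer"], value)
        for ac in acs
        for attr_type, value in ac["attributes"]
        if attr_type == PRIMARY_GROUP_TYPE
    ]
    if len(primaries) != 1:
        # Assumption of this sketch: fail closed instead of guessing when the
        # flag is absent or more than one issuer marked an attribute primary.
        raise PrimaryAttributeError(
            f"expected exactly 1 primary attribute, found {len(primaries)}"
        )
    return primaries[0]


# Constructed sample: ACs from three VOMS servers, one carrying the flag.
SAMPLE_ACS = [
    {"issuer": "voms.vo-a.example", "attributes": [(GROUP_TYPE, "/vo-a/analysis")]},
    {"issuer": "voms.vo-b.example", "attributes": [
        (GROUP_TYPE, "/vo-b"),
        (PRIMARY_GROUP_TYPE, "/vo-b/production"),
    ]},
    {"issuer": "voms.vo-c.example", "attributes": [(GROUP_TYPE, "/vo-c/users")]},
]

if __name__ == "__main__":
    packaged = SAMPLE_ACS[:]
    random.shuffle(packaged)  # step 4: packaging order is arbitrary
    print(select_primary(packaged))
```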