[OGSA-AUTHZ] Primary VO/group

David Chadwick d.w.chadwick at kent.ac.uk
Wed Nov 1 08:20:21 CST 2006



Joni Hahkala wrote:

>>
>> If this is the case then the "primary" tag would need to be separately 
>> shown inside the proxy cert.
> 
> Yes, if ordering would not be used as the deciding factor then there 
> would be need for a separate tag either as a proxy extension or within 
> the VOMS extension structure, for example within (or end of) the list of 
> ACs.

If this is the case, then I can see little benefit in doing it via the 
proxy cert, since the AC validating component will need to tag the first 
attribute in the first AC as the primary one in an internal 
implementation-dependent way, regardless of whether this is based on 
ordering of the ACs or a tag in the proxy cert.

What Frank was suggesting was that the primary flag was incorporated 
into the attribute type of an AC so that no special 
implementation-dependent way of processing was needed by the service provider.

So, I suggest the following as an improved way of working.

1. The user knows prior to job submission which attribute he wants to be 
his primary one for this grid job.
2. The user contacts the various VOMS servers in any order he chooses 
and asks for the various attributes to be put into ACs and returned to him.
3. The user signals the VOMS server that holds his primary attribute for 
this grid job, to flag this chosen attribute as the primary one, and to 
return this inside the AC marked as the primary attribute (using a 
method similar to the eduPerson one outlined earlier).
4. The ACs are packaged into the proxy cert in a random order, since now 
we have a primary flag embedded into one of the attribute types in one 
of the ACs, so ordering is no longer needed.

regards

David




> 
> Cheers,
> Joni
>>
>> regards
>>
>> David
>>
>

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
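
Added example, not part of the original message and not VOMS code: a relying-party check for the scheme in steps 1-4, where the primary flag lives in the attribute type so AC order is never consulted, and a missing or duplicated flag is rejected rather than resolved by position. The attribute type names `group` and `primaryGroup`, the dict model of an AC, and the issuer host names are assumptions made for illustration; AC signature validation is assumed to have been done already.

```python
import random

# Hypothetical attribute type names; the thread does not fix an encoding.
GROUP = "group"
PRIMARY_GROUP = "primaryGroup"


class PrimarySelectionError(Exception):
    """Raised when the ACs do not identify exactly one primary attribute."""


def select_primary(acs):
    """Return (issuer, value) of the single primary attribute.

    `acs` is a list of already signature-validated ACs, each modelled as
    {"issuer": str, "attributes": [(attr_type, value), ...]}.
    The position of an AC in the list is never consulted.
    """
    primaries = [
        (ac["issuer"], value)
        for ac in acs
        for attr_type, value in ac["attributes"]
        if attr_type == PRIMARY_GROUP
    ]
    if not primaries:
        raise PrimarySelectionError("no attribute is flagged as primary")
    if len(primaries) > 1:
        # More than one primary flag across the ACs: refuse rather than
        # silently fall back to ordering.
        raise PrimarySelectionError(f"ambiguous primary: {sorted(primaries)}")
    return primaries[0]


# Constructed sample: three ACs from three VOMS servers, one primary flag.
SAMPLE_ACS = [
    {"issuer": "voms.vo-a.example", "attributes": [(GROUP, "/vo-a/users")]},
    {"issuer": "voms.vo-b.example",
     "attributes": [(PRIMARY_GROUP, "/vo-b/analysis"), (GROUP, "/vo-b")]},
    {"issuer": "voms.vo-c.example", "attributes": [(GROUP, "/vo-c/ops")]},
]

if __name__ == "__main__":
    shuffled = SAMPLE_ACS[:]
    random.shuffle(shuffled)  # step 4: packaging order is arbitrary
    print(select_primary(shuffled))
```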

