[OGSA-AUTHZ] VOMS Primary Attribute

David Chadwick d.w.chadwick at kent.ac.uk
Wed Jan 31 09:11:14 CST 2007



Valerio Venturi wrote:
> On Mon, 2007-01-29 at 20:10 +0000, David Chadwick wrote:
>  
>>> * VOMS profile Discussed on Oct 16 telecon - minutes on list Meaning
>>> of the primary type must be explicit rather than implicit (as 
>>> currently done via sequence) Awaiting response from VOMS group
> What we haven't understood so far is why an explicit primary attribute
> is needed rather than an implicit one and what needs an eventual change
> in VOMS AC format would address.

Hi Valerio

The OGSA Authz group is not saying that an explicit primary attribute is 
needed. It is saying that if you have a set of attributes, then they are 
all the same, and should be treated as all being the same, and you 
cannot imply something special for the first one in the list, since the 
order may not be maintained by intermediate processing nodes, or even by 
software modules within one system.

So, if you have a requirement that one attribute value in a set is 
special, then this needs to be explicitly signaled in the protocol. One 
way of doing this is by removing it from the set, and explicitly 
flagging it as a different type of attribute.

There is a good well documented example of this already in the EduPerson 
schema.

> 
>>> * Attribute Retrieval Protocol Added as last meeting OASIS profile
>>> for SAML - Tom Scavo author
>>>
>>> * Von Welch resignation as WG chair Those who are interested in
>>> replacing Von should send email to David
>>>
>>> * Other business Tom Scavo: Do we need mechanism to bind SAML to
>>> X.509 (equivalent to VOMS)? David: 2005 X.509 has specification for
>>> binding XML to X.509, but doesn't specify XML content Tom Scavo to
>>> investigate how these relate.
> Shouldn't this be done by SubjectConfirmation? Or are you talking about
> assertions travelling within X.509 proxies?

We are talking about passing XML assertions or other XML content in an 
X.509 attribute within an X.509 certificate.

> 
>> David: VOMS is providing a standard SAML protocol interface for picking
>> up VOMS attributes. A beta is supposed to be ready by April 2007
> That's correct David. The protocol is that in SAML V2.0 Profiles for
> X.509 Subject as agreed. We are about to work on the implementation of
> the protocol and we will eventually inform Tom and the authors about any
> issue we may have. Hope it won't be too late by that time but we
> couldn't make it before.

great stuff

David

> 
> Valerio
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
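The point David makes above, as an added example that is not part of the original thread and not code from the VOMS project: an attribute set where "primary" is implied by position loses that meaning as soon as an intermediary treats the values as a set, whereas a separately flagged primary (the eduPersonAffiliation / eduPersonPrimaryAffiliation pattern he refers to) survives the same processing. The AC structures, the relay behaviour and the FQAN strings below are constructed for illustration.

```python
# Added example (not from the original thread or the VOMS project): why an
# implicit "first in the list is primary" convention is fragile, and how an
# explicit primary attribute survives set-like processing. The FQAN strings
# and the intermediary below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class ImplicitAC:
    """Attribute set where the primary is implied by position (index 0)."""
    fqans: tuple


@dataclass(frozen=True)
class ExplicitAC:
    """Attribute set with the primary carried as a separate, single-valued
    field, in the spirit of eduPersonPrimaryAffiliation alongside the
    multi-valued eduPersonAffiliation."""
    primary: str
    fqans: frozenset


def implicit_primary(ac: ImplicitAC) -> str:
    return ac.fqans[0]


def explicit_primary(ac: ExplicitAC) -> str:
    return ac.primary


def relay_implicit(ac: ImplicitAC) -> ImplicitAC:
    """Hypothetical intermediary that treats the values as a set: it
    removes duplicates and emits them in canonical (sorted) order. Nothing
    is lost from the set, but position 0 may now hold a different value."""
    return ImplicitAC(tuple(sorted(set(ac.fqans))))


def relay_explicit(ac: ExplicitAC) -> ExplicitAC:
    """Same intermediary behaviour on the explicit form: reordering the set
    cannot touch the primary, because it is not encoded by position."""
    return ExplicitAC(ac.primary, frozenset(ac.fqans))


def check_explicit(ac: ExplicitAC) -> bool:
    """Consumer-side sanity check: the flagged primary must be one of the
    attribute values actually asserted, or the AC is malformed."""
    if ac.primary not in ac.fqans:
        raise ValueError(f"primary {ac.primary!r} is not among asserted FQANs")
    return True


# Constructed sample: the issuer intends /cms/Role=production to be primary.
SAMPLE_FQANS = ("/cms/Role=production", "/cms", "/atlas")
IMPLICIT = ImplicitAC(SAMPLE_FQANS)
EXPLICIT = ExplicitAC(SAMPLE_FQANS[0], frozenset(SAMPLE_FQANS))


def demo():
    """Return (implicit primary before relay, after relay, explicit after relay)."""
    before = implicit_primary(IMPLICIT)
    after = implicit_primary(relay_implicit(IMPLICIT))
    kept = explicit_primary(relay_explicit(EXPLICIT))
    return before, after, kept


if __name__ == "__main__":
    before, after, kept = demo()
    print(f"implicit primary before relay: {before}")
    print(f"implicit primary after relay:  {after}")  # now /atlas
    print(f"explicit primary after relay:  {kept}")
    check_explicit(EXPLICIT)
```

A relying party that authorises on the "primary" FQAN would, after the relay, grant rights for /atlas instead of /cms/Role=production in the implicit encoding, without any value having been added or removed. The explicit form also gives the consumer something to validate: a primary that is not a member of the asserted set is rejected rather than silently trusted.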

