[OGSA-AUTHZ] VOMS Primary Attribute
Vincenzo Ciaschini
vincenzo.ciaschini at cnaf.infn.it
Wed Jan 31 10:08:37 CST 2007
Hi David,
David Chadwick wrote:
>
> Valerio Venturi wrote:
>
>>On Mon, 2007-01-29 at 20:10 +0000, David Chadwick wrote:
>>
>>
>>>>* VOMS profile Discussed on Oct 16 telecon - minutes on list Meaning
>>>>of the primary type must be explicit rather than implicit (as
>>>>currently done via sequence) Awaiting response from VOMS group
>>
>>What we haven't understood so far is why an explicit primary attribute
>>is needed rather than an implicit one and what needs an eventual change
>>in VOMS AC format would address.
>
>
> Hi Valerio
>
> The OGSA Authz group is not saying that an explicit primary attribute is
> needed. It is saying that if you have a set of attributes, then they are
> all the same, and should be treated as all being the same, and you
> cannot imply something special for the first one in the list, since the
> order may not be maintained by intermediate processing nodes, or even by
> software modules within one system.

Ahhhh.... I think that there is a misunderstanding here. It is
certainly true that a single Attribute object may contain a SET OF
AttributeValue, thus creating the problem you just described. However,
the VOMS attribute is defined as such, as you may also see in the profile:

    name   : voms-attribute
    OID    : { voms 4 }
    syntax : IetfAttrSyntax
    values : Multiple not allowed

This means that only one value may be present in there.
The different FQANs are then encoded in that single value in a sequence.
Evaluating nodes are therefore required to keep the order to comply with ASN.1
decoding rules, thus eliminating the issue.

Ciao,
Vincenzo
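
The ordering point made in this message, as an added example (not part of the original post and not VOMS code): a minimal DER encoder/decoder showing that FQANs carried in the SEQUENCE OF inside a single IetfAttrSyntax value keep their order, while the same strings encoded as a SET OF are re-sorted by DER. The FQAN strings are constructed samples, policyAuthority is omitted, and all function names are hypothetical.

```python
# Added example: minimal DER helpers, standard library only.
OCTET_STRING, SEQUENCE, SET = 0x04, 0x30, 0x31

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value with a DER definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read_tlvs(buf: bytes):
    """Split a buffer into (tag, body) pairs, in wire order."""
    out, i = [], 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def encode_ietf_attr_syntax(fqans):
    # IetfAttrSyntax ::= SEQUENCE { values SEQUENCE OF OCTET STRING }
    values = b"".join(tlv(OCTET_STRING, f.encode()) for f in fqans)
    return tlv(SEQUENCE, tlv(SEQUENCE, values))

def decode_ietf_attr_syntax(der):
    (_, outer), = read_tlvs(der)
    (_, values), = read_tlvs(outer)
    return [body.decode() for _, body in read_tlvs(values)]

def encode_set_of(fqans):
    # DER requires SET OF elements to be sorted by their encodings,
    # so the sender's order is not recoverable from the wire.
    return tlv(SET, b"".join(sorted(tlv(OCTET_STRING, f.encode()) for f in fqans)))

def decode_set_of(der):
    (_, body), = read_tlvs(der)
    return [b.decode() for _, b in read_tlvs(body)]

# Constructed sample FQANs; the first one is the primary.
FQANS = ["/vo.example/production/Role=admin", "/vo.example", "/vo.example/analysis"]

if __name__ == "__main__":
    print("SEQUENCE OF:", decode_ietf_attr_syntax(encode_ietf_attr_syntax(FQANS)))
    print("SET OF     :", decode_set_of(encode_set_of(FQANS)))
```
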