[OGSA-AUTHZ] VO SAML Attribute Profile

Tom Scavo trscavo at gmail.com
Tue Feb 5 14:31:16 CST 2008


On Feb 5, 2008 9:03 AM, Krzysztof Benedyczak <golbi at mat.uni.torun.pl> wrote:
> Tom Scavo wrote:
> >
> > Does anyone see a downside to such a naming scheme?
>
> Well, I can't really see the reason for putting http:// there, and
> making it a URL. It'll confuse everybody; actually the above text
> confuses even my MUA - Thunderbird - which allows me to click on those
> example attributes' values.

Yes, that's a minor annoyance with URL syntax, I suppose.

> My, and I think the general, view of a URL is that
> it identifies a resource via a representation of its access mechanism -
> and that is not true in this case.
>
> In other words, without a very serious reason I wouldn't use http://
> URLs for things that aren't by any means resources accessible via the HTTP
> protocol.

A URL need not be resolvable.  SAML, for example, recommends URLs for
entityIDs (which are formally required to be URIs).

> Looking at the other end of your proposition - scoped attribute value
> encoded with '#':
>
> <whatever>/gisolve.org/uiuc.edu/geog602#student
>
> is nearly the same as my original proposition. Mine was:
>
> /gisolve.org/uiuc.edu/geog602:student

I should have paid more attention, sorry.  I believe we've
independently come to more-or-less the same conclusion.

> Valerio convinced me that it will be better to use the same notation
> that MACE profile defines (with '@').

That was my initial inclination as well, but I'm having second thoughts.

> Parsing is trivial in any case.
> The only tiny issue is to define which chars are reserved and how to
> escape them. Of course URI encoding rules with percent encoding of
> special characters are fine.

That's another reason for choosing URIs, the encoding is well defined.

> Eventually one minor note: all those examples above should contain vo
> service id as the "host" component (see the rest of discussion - one
> service can manage many VOs). E.g.:
>
> http://voservice.uiuc.edu/gissolve/uiuc.edu/geog602#student

Good point.

> To summarize: I don't think that a URL is a good choice, a URI is fine
> with me,

Okay, let me propose the following compromise:

group://voservice.uiuc.edu/gisolve.org/uiuc.edu/geog602#student

In the case where the voservice is irrelevant or unnecessary, this reduces to

group:///gisolve.org/uiuc.edu/geog602#student

In fact, the syntax is exactly the same as the well-known file: URIs.

What do you think?  Is this better?

> however at least partial compatibility with MACE-dir is
> tempting too - that's why we proposed @ notation.

I think we should give this profile our best shot, and then I'd be
happy to carry it forward to MACE-Dir for further discussion.

Tom
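As an added illustration of the compromise syntax proposed in this message (not code from the thread or from any OGSA-AUTHZ project), the following Python parses and formats group: URIs: the authority is the VO service host (empty when irrelevant), the path is the group hierarchy, and the fragment is the scoped value, with reserved characters handled by standard percent-encoding as suggested above. The class and function names are my own.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import quote, unquote, urlsplit


@dataclass(frozen=True)
class GroupAttribute:
    """A decoded group: URI (hypothetical type, not from the profile)."""
    vo_service: Optional[str]      # authority component; None when omitted
    group_path: Tuple[str, ...]    # decoded path segments, root group first
    role: Optional[str]            # decoded fragment; None when unscoped


def parse_group_uri(uri: str) -> GroupAttribute:
    """Parse group://[voservice]/vo/sub/group[#role] into its components."""
    parts = urlsplit(uri)
    if parts.scheme != "group":
        raise ValueError(f"expected scheme 'group', got {parts.scheme!r}")
    if parts.query:
        raise ValueError("query component is not part of the group: syntax")
    if not parts.path.startswith("/"):
        raise ValueError("group path must be absolute (group://host/...)")
    segments = parts.path.split("/")[1:]
    # Reject empty segments: '//' or a trailing '/' would be ambiguous.
    if not segments or any(seg == "" for seg in segments):
        raise ValueError("empty path segment in group path")
    vo_service = parts.netloc.lower() or None   # hostnames compare case-insensitively
    group_path = tuple(unquote(seg) for seg in segments)
    role = unquote(parts.fragment) if parts.fragment else None
    return GroupAttribute(vo_service, group_path, role)


def format_group_uri(attr: GroupAttribute) -> str:
    """Inverse of parse_group_uri; percent-encodes '/', '#', '?', etc. in each part."""
    path = "/".join(quote(seg, safe="") for seg in attr.group_path)
    uri = f"group://{attr.vo_service or ''}/{path}"
    if attr.role is not None:
        uri += "#" + quote(attr.role, safe="")
    return uri


if __name__ == "__main__":
    for example in ("group://voservice.uiuc.edu/gisolve.org/uiuc.edu/geog602#student",
                    "group:///gisolve.org/uiuc.edu/geog602#student"):
        print(parse_group_uri(example))
```

Round-tripping through format_group_uri shows that a group name or role containing '/' or '#' survives as a single segment once percent-encoded, which is the property the thread wants from URI encoding rules.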


More information about the ogsa-authz-wg mailing list