[OGSA-AUTHZ] VO SAML Attribute Profile

David Chadwick d.w.chadwick at kent.ac.uk
Thu Jan 17 11:41:07 CST 2008



Valerio Venturi wrote:
> Hi Chad,
>
> 
>> - Is the VO attribute necessary?  If the assumption is that the VO is 
>> asserting this information then its identifier is already going to be in 
>> the assertion issuer.  I don't know that it hurts to have it twice, and 
>> one reason to do so may be to deal with other SAML implementations that 
>> don't provide access to all the information in the assertion.  Also, as 
>> Tom noted these VOs will need to be URIs now to serve as the attribute 
>> authority's entity ID.
> 
> I don't mind that. This way, a consumer would know the subject is in a
> VO based on the fact that the assertion was issued by an entity
> representing a VO. 


Sorry but I don't follow this logic. An assertion issuer may assert 
anything about anybody. It is not wise to assume, for example, that if 
the University of Kent is asserting something about someone that the 
subject is a member of the University of Kent. What logic do you have to 
assume that? Thus I would say that it is unsafe to assume that because a 
VO is asserting something about a subject, the subject is a member 
of the VO. In my opinion VO membership is a very sensible attribute to 
have asserted by an authoritative source such as a VO manager.

regards

David


> Then the consumer is supposed to have knowledge that
> a certain entityID represents a VO. This would leave us with just having
> to agree on a common format for entityIDs for VOs.
> The only problem I would see with that is that if the assertion consumer
> is supposed to compose an authz request decision, XACML for example, she
> would have to create an attribute and fill it with the entityID name.
> One may argue that's not our business to define XACML attributes for
> VOs, but it is to promote interoperability with other specs from the
> WG.
> 
>> - In section 5.2 you declare a group attribute. In section 5.3 you 
>> declare roles, within the scope of a group.  However, you don't have any 
>> wording about how you would expect a client to react if a group, given 
>> in the scope qualifier of the role, is not included in the list of 
>> groups the user is a member of?  i.e. role says I'm "admin" in group 
>> "foo", but the group attribute doesn't say I'm in group "foo".
> 
> Is that in the scope of an attribute profile? An implementer may well
> choose to use only the role attribute and not the group.
> 
> Valerio
> 
> 
> 
> --
>   ogsa-authz-wg mailing list
>   ogsa-authz-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
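As an added illustration of the consumer behaviour David argues for (example code, not from the thread or the profile), this constructed Python snippet treats VO membership as established only by an explicit VO attribute, never by who the issuer is, and flags any role whose scope qualifier names a group missing from the group attribute (the case Chad raised). The attribute URIs and the scope-qualifier attribute are placeholders, since the page gives none, and signature verification and issuer trust are assumed to have been handled before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholder names: the thread mentions VO, group and role attributes and a
# scope qualifier on roles but gives no URIs, so these are constructed.
VO_ATTR = "urn:example:ogsa-authz:vo"
GROUP_ATTR = "urn:example:ogsa-authz:group"
ROLE_ATTR = "urn:example:ogsa-authz:role"
SCOPE_QUALIFIER = "{urn:example:ogsa-authz}scope"
# Constructed sample: the issuer's entityID looks like a VO, and one role is
# scoped to a group ("foo") that the group attribute does not list.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x="urn:example:ogsa-authz">
  <saml:Issuer>https://vo.example.org/attribute-authority</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:ogsa-authz:vo">
      <saml:AttributeValue>vo.example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:ogsa-authz:group">
      <saml:AttributeValue>/vo.example.org/analysis</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:ogsa-authz:role">
      <saml:AttributeValue x:scope="/vo.example.org/analysis">admin</saml:AttributeValue>
      <saml:AttributeValue x:scope="/vo.example.org/foo">admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _values(root, name):
    # All AttributeValue elements of the attribute called `name`.
    return root.findall(f".//saml:Attribute[@Name='{name}']/saml:AttributeValue", NS)

def evaluate(assertion_xml):
    """Extract VO, group and role claims from an already-verified assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    # Membership comes only from the explicit VO attribute; the issuer
    # entityID is reported but never used to infer membership.
    vos = {v.text for v in _values(root, VO_ATTR)}
    groups = {v.text for v in _values(root, GROUP_ATTR)}
    roles, inconsistent = [], []
    for v in _values(root, ROLE_ATTR):
        scope = v.get(SCOPE_QUALIFIER)
        if scope is not None and scope not in groups:
            inconsistent.append((v.text, scope))  # role in a group the subject is not in
        else:
            roles.append((v.text, scope))
    return {"issuer": issuer, "vos": vos, "groups": groups,
            "roles": roles, "inconsistent": inconsistent}

def is_vo_member(result, vo):
    """True only when the VO attribute asserts it, whoever the issuer is."""
    return vo in result["vos"]
```

Whether an inconsistent role is dropped or the whole assertion rejected is a policy choice for the consumer; the code only surfaces the mismatch.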

