[OGSA-AUTHZ] checkpointing the discussion on VO attributes
Valerio Venturi
valerio.venturi at cnaf.infn.it
Mon Jan 21 09:33:30 CST 2008
On Mon, 2008-01-21 at 14:48 +0000, David Chadwick wrote:
> Hi Valerio
>
> concerning the VO attribute I am not strongly for or against either
> approach, so I will sit on the fence on this one. (But I am strongly in
> favour of choosing one of them).
I agree, we'll choose one.
> Concerning the role attribute, I would strongly prefer the friendly name
> to be VOMSrole rather than role, since the syntax and semantics are VOMS
> specific creations. Role is already a standard attribute in X.509 and is
> a different syntax to your syntax. In PERMIS, we have defined the
> PermisRole attribute which does not have the same syntax as yours or
> X.509 (ours is just a string, any old string) and since it is different
> from the role attribute which is standardised in X.509 we did not call
> it simply role.
Ok for the name. But what about the syntax? Do you like the @ for
scoping?
Valerio
> regards
>
> David
>
>
> Valerio Venturi wrote:
> > Hi,
> > I'll try to checkpoint the discussion had so far.
> >
> > As Krzysztof is planning to serve more than one VO with the same
> > service, we cannot have a one to one relationship between entityIDs and
> > VOs; this implies the need of having a VO attribute. Which was also more
> > or less David's concern, an authority being able to assert whatever it
> > wants. If we go with this, the VO attribute stays.
> > We have two proposals so far. Tom suggested to use the MACE-Dir
> > eduPersonScopedAffiliation attribute
> >
> > <saml:Attribute
> >     xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> >     xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
> >     xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
> >     ldapprof:Encoding="LDAP"
> >     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> >     Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
> >     FriendlyName="eduPersonScopedAffiliation">
> >   <saml:AttributeValue xsi:type="xs:string">member@voName</saml:AttributeValue>
> > </saml:Attribute>
> >
> > while in our first draft Krzysztof and I suggested the use of a specific
> >
> > <saml:Attribute
> >     xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> >     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> >     Name="uri_to_define"
> >     FriendlyName="vo"
> >     xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
> >   <saml:AttributeValue xsi:type="xsd:string">voName</saml:AttributeValue>
> > </saml:Attribute>
> >
> > Let's try to agree on one.
> >
> > There were concerns about Tom's proposal to use Grouper to express
> > groups, specifically about the contents being a URN. Anyway, the
> > specification doesn't mandate them to be URNs; it recommends using URIs
> > if uniqueness is to be achieved.
> >
> > Other concerns with using this?
> >
> > Still we have no suggestions for expressing roles, apart from the
> > initial (but I have made the group syntax homogeneous with the above)
> >
> > <saml:Attribute
> >     xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> >     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> >     Name="uri_to_define"
> >     FriendlyName="role"
> >     xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
> >   <saml:AttributeValue xsi:type="xsd:string">VO-Admin@vo</saml:AttributeValue>
> >   <saml:AttributeValue xsi:type="xsd:string">SoftwareManager@vo:group:subgroup</saml:AttributeValue>
> > </saml:Attribute>
> >
> > that seems to receive more favor than the one with the scope attributes.
> >
> > What problems can you see with that?
> >
> > Valerio
> >
> > --
> > ogsa-authz-wg mailing list
> > ogsa-authz-wg at ogf.org
> > http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
> >
>
> --
>
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick at kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
>
> *****************************************************************
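As an added example (not from this thread, VOMS, PERMIS or any implementation it mentions), here is a relying-party-side parser for the three encodings under discussion, the plain vo attribute, eduPersonScopedAffiliation, and the role@vo:group:subgroup syntax, together with the check David's concern calls for: that every VO an assertion names is one the issuing authority is trusted to speak for. The attribute Name URIs urn:x-example:vo and urn:x-example:role are placeholders for the thread's uri_to_define, and the issuer trust table and the sample statement are constructed.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR, VAL = f"{{{SAML}}}Attribute", f"{{{SAML}}}AttributeValue"
VO_NAME = "urn:x-example:vo"      # placeholder for the thread's "uri_to_define"
ROLE_NAME = "urn:x-example:role"  # placeholder for the thread's "uri_to_define"
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation
# Constructed trust table: the VOs each attribute authority may assert for.
TRUSTED_VOS = {"https://voms.example.org/": {"atlas", "cms"}}

def parse_scoped(value):
    """Split 'VO-Admin@vo:group:subgroup' into (name, vo, [group, subgroup])."""
    name, sep, scope = value.strip().partition("@")
    if not sep or not name or not scope:
        raise ValueError(f"bad scoped value: {value!r}")
    vo, *groups = scope.split(":")
    return name, vo, groups

def extract(statement_xml):
    """Collect vo, affiliation and role claims from a saml:AttributeStatement."""
    claims = {"vo": set(), "affiliations": [], "roles": []}
    for attr in ET.fromstring(statement_xml).iter(ATTR):
        values = [v.text for v in attr.findall(VAL) if v.text and v.text.strip()]
        name = attr.get("Name")
        if name == VO_NAME:        # plain VO attribute: the value is the VO name
            claims["vo"].update(v.strip() for v in values)
        elif name == EPSA:         # eduPersonScopedAffiliation: member@voName
            claims["affiliations"].extend(parse_scoped(v)[:2] for v in values)
        elif name == ROLE_NAME:    # role@vo[:group[:subgroup]]
            claims["roles"].extend(parse_scoped(v) for v in values)
    return claims

def out_of_scope(issuer, claims):
    """VOs named in the claims that the issuer is not trusted to speak for."""
    named = set(claims["vo"]) | {vo for _, vo in claims["affiliations"]}
    named |= {vo for _, vo, _ in claims["roles"]}
    return sorted(named - TRUSTED_VOS.get(issuer, set()))

# Constructed sample statement using all three encodings from the thread.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML}">
  <saml:Attribute Name="{VO_NAME}" FriendlyName="vo">
    <saml:AttributeValue>
      atlas
    </saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{EPSA}" FriendlyName="eduPersonScopedAffiliation">
    <saml:AttributeValue>member@atlas</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{ROLE_NAME}" FriendlyName="VOMSrole">
    <saml:AttributeValue>VO-Admin@atlas</saml:AttributeValue>
    <saml:AttributeValue>SoftwareManager@lhcb:prod:sw</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""
```

Running `out_of_scope("https://voms.example.org/", extract(SAMPLE))` returns `["lhcb"]`: the SoftwareManager role is scoped to a VO this issuer is not trusted for, which is exactly the kind of assertion a PDP should drop rather than honour.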