[OGSA-AUTHZ] checkpointing the discussion on VO attributes

Valerio Venturi valerio.venturi at cnaf.infn.it
Mon Jan 21 09:33:30 CST 2008 

On Mon, 2008-01-21 at 14:48 +0000, David Chadwick wrote:
> Hi Valerio
> 
> concerning the VO attribute I am not strongly for or against either 
> approach, so I will sit on the fence on this one. (But I am strongly in 
> favour of choosing one of them).

I agree, we'll choose one.

> Concerning the role attribute, I would strongly prefer the friendly name 
> to be VOMSrole rather than role, since the syntax and semantics are VOMS 
> specific creations. Role is already a standard attribute in X.509 and is 
> a different syntax to your syntax. In PERMIS, we have defined the 
> PermisRole attribute which does not have the same syntax as yours or 
> X.509 (ours is just a string, any old string) and since it is different 
> from the role attribute which is standardised in X.509 we did not call 
> it simply role.

Ok for the name. But what about the syntax? Do you like the @ for
scoping?

Valerio

> regards
> 
> David
> 
> 
> Valerio Venturi wrote:
> > Hi,
> > I'll try to checkpoint the discussion had so far.
> > 
> > As Krzysztof is planning to serve more than one VO with the same
> > service, we cannot have a one to one relationship between entityIDs and
> > VOs, this imply the need of having a VO attribute. Which was also more
> > or less David's concern, an authority being able to assert whatever it
> > wants. If we go wiht this, the VO attribute stays.
> > We have two proposal so far. Tom suggested to use the MACE-Dir
> > eduPersonScopedAffiliation attribute
> > 
> > <saml:Attribute
> >   xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> >   xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
> >   xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
> >   ldapprof:Encoding="LDAP"
> >   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> >   Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
> >   FriendlyName="eduPersonScopedAffiliation">
> >   <saml:AttributeValue        
> >     xsi:type="xs:string">member at voName
> >   </saml:AttributeValue>
> > </saml:Attribute>
> > 
> > while in our first draft Krzysztof and I suggested the use of a specific
> > 
> > <saml:Attribute 
> >   xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> >   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> >   Name="uri_to_define"
> >   FriendlyName="vo"
> >   xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
> >   <saml:AttributeValue xsi:type="xsd:string">
> >     voName 
> >   </saml:AttributeValue>
> > </saml:Attribute>
> > 
> > Let's try to agree on one.
> > 
> > There were concerns about Tom's proposal to use Grouper to express
> > groups, specifically about the contents being an URN. Anyway, the
> > specification doesn't mandate them to be URN, it recommends to use URIs
> > is uniqueness is to eb achieved.
> > 
> > Other concerns with using this?
> > 
> > Still we have no suggestions for expressing roles, apart from the
> > initial (but I have made the group syntax homogeneous with the above)
> > 
> > <saml:Attribute
> >   xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> >   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> >   Name="uri_to_define"
> >   FriendlyName="role"
> >   xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
> >   <saml:AttributeValue xsi:type="xsd:string">
> >     VO-Admin at vo
> >   </saml:AttributeValue>
> >   <saml:AttributeValue xsi:type="xsd:string">
> >     SoftwareManager at vo:group:subgroup
> >   </saml:AttributeValue>
> > </saml:Attribute>
> > 
> > that seems to receive more favor than the one with the scope attributes.
> > 
> > What problems can you see with that?
> > 
> > Valerio
> > 
> > 
> > 
> > 
> > 
> > --
> >   ogsa-authz-wg mailing list
> >   ogsa-authz-wg at ogf.org
> >   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
> > 
> 
> -- 
> 
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick at kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
> 
> *****************************************************************

More information about the ogsa-authz-wg mailing list