[OGSA-AUTHZ] checkpointing the discussion on VO attributes

David Chadwick d.w.chadwick at kent.ac.uk
Mon Jan 28 07:33:52 CST 2008


You can if you want. I have the other two docs to edit

David


Valerio Venturi wrote:
> Ok, it looks like we have agreement on most of the points. Who takes the
> pen?
> Blair, DavidG, what about the chances that this may become an OGF doc?
> If there are some, we'll go with the OGF doc template.
> 
> Valerio
> 
> 
> On Mon, 2008-01-21 at 15:22 +0100, Valerio Venturi wrote:
>> Hi,
>> I'll try to checkpoint the discussion had so far.
>>
>> As Krzysztof is planning to serve more than one VO with the same
>> service, we cannot have a one-to-one relationship between entityIDs and
>> VOs; this implies the need for a VO attribute. This was also more
>> or less David's concern, an authority being able to assert whatever it
>> wants. If we go with this, the VO attribute stays.
>> We have two proposals so far. Tom suggested using the MACE-Dir
>> eduPersonScopedAffiliation attribute:
>>
>> <saml:Attribute
>>   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>   xmlns:xs="http://www.w3.org/2001/XMLSchema"
>>   xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
>>   xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
>>   xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
>>   ldapprof:Encoding="LDAP"
>>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>>   Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
>>   FriendlyName="eduPersonScopedAffiliation">
>>   <!-- no surrounding whitespace: the value is compared as a string -->
>>   <saml:AttributeValue xsi:type="xs:string">member@voName</saml:AttributeValue>
>> </saml:Attribute>
>>
>> while in our first draft Krzysztof and I suggested the use of a specific
>>
>> <saml:Attribute
>>   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>   xmlns:xs="http://www.w3.org/2001/XMLSchema"
>>   xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
>>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>>   Name="uri_to_define"
>>   FriendlyName="vo"
>>   xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
>>   <saml:AttributeValue xsi:type="xs:string">voName</saml:AttributeValue>
>> </saml:Attribute>
>>
>> Let's try to agree on one.
>>
>> There were concerns about Tom's proposal to use Grouper to express
>> groups, specifically about the contents being a URN. Anyway, the
>> specification doesn't mandate them to be URNs; it recommends using URIs
>> if uniqueness is to be achieved.
>>
>> Other concerns with using this?
>>
>> Still, we have no suggestions for expressing roles, apart from the
>> initial one (but I have made the group syntax homogeneous with the above):
>>
>> <saml:Attribute
>>   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>   xmlns:xs="http://www.w3.org/2001/XMLSchema"
>>   xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
>>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>>   Name="uri_to_define"
>>   FriendlyName="role"
>>   xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
>>   <!-- role scoped to a whole VO -->
>>   <saml:AttributeValue xsi:type="xs:string">VO-Admin@vo</saml:AttributeValue>
>>   <!-- role scoped to a group/subgroup within the VO -->
>>   <saml:AttributeValue xsi:type="xs:string">SoftwareManager@vo:group:subgroup</saml:AttributeValue>
>> </saml:Attribute>
>>
>> that seems to receive more favor than the one with the scope attributes.
>>
>> What problems can you see with that?
>>
>> Valerio
>>
> 
> --
>   ogsa-authz-wg mailing list
>   ogsa-authz-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
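As an added example (not code from the thread or from the OGSA-AuthZ working group), here is a small Python parser for the three encodings Valerio checkpoints above: VO membership carried in eduPersonScopedAffiliation as "member@<vo>", VO membership carried in a dedicated "vo" attribute, and roles written "<role>@<vo>[:<group>[:<subgroup>]]". The attribute Names for "vo" and "role" are still "uri_to_define" in the thread, so the urn:example URNs used here are hypothetical placeholders, and the SAML AttributeStatement is constructed for this example. The last function illustrates the point David raised, that an authority should not be able to assert whatever it wants: the consumer only keeps VO claims for VOs the issuing authority is trusted for, and a scoped-affiliation value with an affiliation other than "member" is not treated as membership.

```python
"""Parse VO / group / role attribute encodings from a SAML AttributeStatement.

Constructed example, not OGSA-AuthZ WG code.  VO_ATTR and ROLE_ATTR are
hypothetical placeholders for the thread's "uri_to_define".
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"saml": SAML}

EDU_PERSON_SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
VO_ATTR = "urn:example:ogsa-authz:vo"      # hypothetical, see lead-in
ROLE_ATTR = "urn:example:ogsa-authz:role"  # hypothetical, see lead-in

# Constructed sample carrying both VO proposals plus the role attribute.
SAMPLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML}"
    xmlns:xsi="{XSI}" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="{EDU_PERSON_SCOPED_AFFILIATION}" FriendlyName="eduPersonScopedAffiliation">
    <saml:AttributeValue xsi:type="xs:string">member@voName</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">member@otherVO</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">affiliate@voName</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="{VO_ATTR}" FriendlyName="vo">
    <saml:AttributeValue xsi:type="xs:string">voName</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="{ROLE_ATTR}" FriendlyName="role">
    <saml:AttributeValue xsi:type="xs:string">VO-Admin@vo</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">SoftwareManager@vo:group:subgroup</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def parse_attributes(xml_text):
    """Return {attribute Name: [string values]}; surrounding whitespace is stripped."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out


def vos_from_scoped_affiliation(values, affiliation="member"):
    """Tom's proposal: membership is 'member@<vo>'.  Other affiliations
    (e.g. 'affiliate@...') are not counted as VO membership."""
    vos = set()
    for value in values:
        aff, sep, scope = value.partition("@")
        if sep and aff == affiliation and scope:
            vos.add(scope)
    return vos


def parse_role(value):
    """'<role>@<vo>[:<group>[:<subgroup>...]]' -> (role, vo, (group, ...))."""
    role, sep, scope = value.partition("@")
    if not sep or not role or not scope:
        raise ValueError(f"malformed role value: {value!r}")
    vo, *groups = scope.split(":")
    if not vo or any(g == "" for g in groups):
        raise ValueError(f"malformed role scope: {value!r}")
    return role, vo, tuple(groups)


def accepted_vos(issuer, attrs, trusted_vos_by_issuer):
    """Keep only the VO claims this issuer is trusted to assert.

    Both encodings are read; a VO claimed by an authority that is not
    configured for it is dropped rather than trusted."""
    claimed = set(attrs.get(VO_ATTR, []))
    claimed |= vos_from_scoped_affiliation(attrs.get(EDU_PERSON_SCOPED_AFFILIATION, []))
    return claimed & trusted_vos_by_issuer.get(issuer, set())


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_STATEMENT)
    trust = {"https://aa.example.org": {"voName"}}  # constructed trust table
    print("scoped affiliation VOs:", vos_from_scoped_affiliation(attrs[EDU_PERSON_SCOPED_AFFILIATION]))
    print("dedicated vo attribute:", attrs[VO_ATTR])
    print("roles:", [parse_role(r) for r in attrs[ROLE_ATTR]])
    print("accepted from trusted AA:", accepted_vos("https://aa.example.org", attrs, trust))
    print("accepted from unknown AA:", accepted_vos("https://rogue.example.org", attrs, trust))
```

The role parser rejects values with an empty role, an empty VO, or an empty group component, so a malformed "@vo" or "Admin@vo::sub" is refused rather than silently mapped to a VO-wide role.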

