[OGSA-AUTHZ] Implementations

Tom Scavo trscavo at gmail.com
Fri Mar 21 16:07:32 CDT 2008


On Fri, Mar 21, 2008 at 9:36 AM, Valerio Venturi
<valerio.venturi at cnaf.infn.it> wrote:
>  The authorization problem is still unsorted. Currently the prototype
>  allows for specifying which subjects are allowed to query for other
>  subjects.

Right, you could implement something at the attribute authority (AA)
that suitably restricts the set of requesters, but that doesn't solve
the problem.  Since the profile specifies that the name identifier in
the query is a DN, there is no way to prove user presence at the Grid
SP.  Without proof of user presence, an SP could phish for attributes
to its heart's content.

Note there is no such problem for the self-query (of which traditional
VOMS is an example), rather the problem involves a query where the
requester is acting on behalf of the subject.  In that case, the
subject must pass some piece of information to the Grid SP that the SP
can forward to the AA.  In Shibboleth attribute query, for example,
that piece of information is a transient and/or encrypted identifier.
We don't have that here, and so the profile is lacking.

Consequently, I'm convinced we've specified the name identifier in the
query (DN) incorrectly.  The requester has to prove user presence.
More than a DN is needed.  Since the user is authenticating to the
Grid SP with an X.509 certificate, the obvious conclusion is that 1)
there is some piece of info in the cert that proves user presence, and
2) the SP passes the complete cert (not just the DN) to the AA.

>  I have seen that an implementation for the SAML Attribute Query for
>  X.509 Subjects has made it in as a Google Summer of Code 2008 project
>  mentored by Globus. Keep us informed about the thing and let us know if
>  you think that VOMS or UVOS implementations can somehow participate in
>  the demo.

Thanks, I'll do that.

Tom
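The attribute-phishing risk described in the message above, and the transient-identifier idea it borrows from Shibboleth attribute query, as an added illustration that is not code from this thread nor from VOMS, UVOS, Globus or Shibboleth. It is a toy attribute authority in Python: `query_by_dn` follows the profile as written (a registered requester names a subject by DN and the AA answers), while `issue_handle` / `query_by_handle` model the alternative in which the subject first obtains a short-lived, single-use opaque handle and passes it to the Grid SP, which forwards it to the AA. All names, DNs, attribute values and the handle format are constructed for the example; `clock` is an injectable time source so expiry can be exercised without waiting.

```python
import secrets
import time


class AttributeAuthority:
    """Constructed toy AA: attributes keyed by subject DN, released only to
    registered requesters (Grid SPs). Not any real VOMS/UVOS/Shibboleth code."""

    def __init__(self, attributes, allowed_requesters, handle_ttl=300, clock=time.time):
        self.attributes = attributes                 # DN -> {attr: value}
        self.allowed_requesters = set(allowed_requesters)
        self.handle_ttl = handle_ttl                 # seconds a handle stays valid
        self.clock = clock                           # injectable for testing
        self._handles = {}                           # handle -> (DN, expiry)

    def _check_requester(self, requester):
        if requester not in self.allowed_requesters:
            raise PermissionError("requester not allowed")

    # --- the profile as written: name the subject by DN ----------------------
    def query_by_dn(self, requester, subject_dn):
        """Any allowed requester may ask about any DN. Nothing in the request
        shows that the subject was ever present at the requester, so a
        registered SP can enumerate attributes for subjects it has never seen."""
        self._check_requester(requester)
        return dict(self.attributes.get(subject_dn, {}))

    # --- a transient identifier, in the spirit of the Shibboleth approach -----
    def issue_handle(self, subject_dn):
        """Called when the subject authenticates directly to the AA (the
        self-query leg). The handle is opaque, short-lived and single-use;
        the subject hands it to the SP, and only that handle names the subject."""
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = (subject_dn, self.clock() + self.handle_ttl)
        return handle

    def query_by_handle(self, requester, handle):
        """The SP forwards the handle it received from the subject. Unknown,
        reused or expired handles release nothing, so the SP cannot ask about
        subjects that did not choose to appear at it."""
        self._check_requester(requester)
        entry = self._handles.pop(handle, None)      # pop: single use
        if entry is None:
            raise PermissionError("unknown or already-used handle")
        subject_dn, expiry = entry
        if self.clock() > expiry:
            raise PermissionError("handle expired")
        return dict(self.attributes.get(subject_dn, {}))


def exposure_by_dn(aa, requester, candidate_dns):
    """Defender's view of the DN-based profile: how many subjects' attributes
    a single registered requester can obtain without any of them logging in."""
    return {dn: aa.query_by_dn(requester, dn) for dn in candidate_dns
            if aa.query_by_dn(requester, dn)}


def build_demo_aa(clock=time.time):
    # Constructed sample data: two VO members, one registered Grid SP.
    attrs = {
        "CN=alice,O=ExampleVO": {"vo": "examplevo", "role": "admin"},
        "CN=bob,O=ExampleVO": {"vo": "examplevo", "role": "member"},
    }
    return AttributeAuthority(attrs, allowed_requesters={"sp.example.org"},
                              handle_ttl=60, clock=clock)


if __name__ == "__main__":
    aa = build_demo_aa()
    # With DN queries, the SP learns both users' attributes unprompted.
    print("DN-based exposure:", exposure_by_dn(
        aa, "sp.example.org", ["CN=alice,O=ExampleVO", "CN=bob,O=ExampleVO"]))
    # With a handle, only the subject who showed up at the SP is resolvable.
    h = aa.issue_handle("CN=alice,O=ExampleVO")
    print("Handle query:", aa.query_by_handle("sp.example.org", h))
```

Restricting the set of requesters (the `allowed_requesters` check) is present in both paths, which is the point made in the message: it limits who may ask but not whom they may ask about. The handle path is one concrete shape the missing "piece of information" could take; the message leaves open whether the proof should instead be derived from the user's X.509 certificate.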

