[Pgi-wg] OGF PGI - Security Model

Duane Merrill dgm4d at virginia.edu
Wed Mar 25 17:23:40 CDT 2009


These "VOMS extensions" you keep referring to are actually X.509
Attribute Certificates that are well-defined in an IETF RFC and
refined by the OGSA-Authz VOMS doc.  You should call them "VOMS-style
ACs" (since they can be constructed by an authn authority other than
an actual VOMS server.).

Section 7.1.1 needs to be about defining a shared semantics between
attribute documents (specifically VOMS-style ACs and a new PGI
definition of equivalent SAML attribute assertions), which is
something that the strawman doc already does in gory detail.
(Although it needs updating to reflect the proper authentication of
SAML attribute assertions by Proxy Certificates -- the idealized
Genesis II credentialing mechanism.)

Duane



On 3/25/09, Vincenzo Ciaschini <vincenzo.ciaschini at cnaf.infn.it> wrote:
> Etienne URBAH wrote:
>> Duane,
>>
>>
>> Thank you for your comments.  Please find the original text and my
>> answers inline.
>>
>>
>> Beyond that:
>>
>> 7.9) Semantics and syntax of VOMS extensions and Restriction attributes
>> -----------------------------------------------------------------------
>> I would like to describe (for example in new section 7.9) the semantics
>> and syntax of a RESTRICTED list of VOMS extensions and Restriction
>> attributes that all grid clients MAY use and that all grid services MUST
>> understand.
>>
>> Does anybody have links to such lists?
>>
>> -  For VOMS extension, the example below gives:
>>    VO,  subject,  issuer,  attribute,  timeleft,  uri
> Just for clarity: attribute is indeed a list of attributes.  There may
> be more than one.
>
> Also, information from more than one VO may be present.
>>
>> -  For other attributes, here is something springing out from my
>> imagination, with semantics and syntax (please criticize):
>>    -  Assertion of identity :               ID:<FQAN>
>>    -  Assertion of belonging to a group :   GROUP:<FQAN>
>>    -  Authorization to access a resource :  ALLOW:<URI>
>>    -  Interdiction  to access a resource :  DENY:<URI>
>>    -  Authorization to read a file (or a folder, recursively):
>>                                             ALLOW_R:<URI>
>>    -  Authorization to write into a file (or a folder, recursively):
>>                                             ALLOW_W:<URI>
>>    -  Authorization to read and write into a file (or a folder,
>> recursively):                               ALLOW_RW:<URI>
>>    Note that GLUE 2.0 recommends that the URI should be a URN.
>>
>>
>
>>
>> I agree that we have to describe the full list of VOMS extensions with
>> their meaning and syntax (or provide a link to the relevant VOMS
>> specification).
> How about this?
> https://forge.gridforum.org/sf/go/doc13797
> (also referenced in the strawman doc)
>
> If it is unclear, I'd love to receive comments.
>
> Ciao,
>     Vincenzo
>
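The restriction-attribute syntax Etienne proposes above (ID, GROUP, ALLOW, DENY, ALLOW_R, ALLOW_W, ALLOW_RW) leaves the evaluation rules open; the following Python is an added example, not code from the thread or from any PGI or VOMS implementation, of how a grid service could parse and evaluate such a list. It assumes that DENY overrides any ALLOW*, that recursive grants match the URI and anything below it on a '/' boundary, that names outside the restricted list are rejected rather than ignored, and that the default decision is deny; the attribute values are constructed.

```python
"""Parse and evaluate the proposed restriction attributes (added example).

Evaluation rules are assumptions, not stated in the thread: DENY wins over
every ALLOW*, recursive grants cover the granted URI and everything below
it, unknown attribute names are an error, and the default is deny.
"""

KNOWN = {"ID", "GROUP", "ALLOW", "DENY", "ALLOW_R", "ALLOW_W", "ALLOW_RW"}
# Which operations each recursive grant authorizes.
RECURSIVE = {"ALLOW_R": {"read"}, "ALLOW_W": {"write"},
             "ALLOW_RW": {"read", "write"}}

# Constructed sample list, in the NAME:<value> form proposed in the thread.
SAMPLE_ATTRIBUTES = [
    "ID:/atlas/Role=pilot",
    "GROUP:/atlas/production",
    "ALLOW:urn:site:ce:/queue/short",
    "ALLOW_R:urn:site:store:/data/atlas",
    "ALLOW_RW:urn:site:store:/data/atlas/scratch",
    "DENY:urn:site:store:/data/atlas/secret",
]


def parse_attribute(attr):
    """Split NAME:<value> on the first colon only, since URIs contain colons."""
    name, sep, value = attr.partition(":")
    if not sep or not value:
        raise ValueError(f"malformed restriction attribute: {attr!r}")
    if name not in KNOWN:  # services MUST understand every name they accept
        raise ValueError(f"unknown restriction attribute: {name!r}")
    return name, value


def covers(granted, requested):
    """Recursive match: exact URI, or requested lies below granted (on a '/' boundary)."""
    return requested == granted or requested.startswith(granted.rstrip("/") + "/")


def decide(attributes, uri, operation):
    """Return True only if some grant authorizes `operation` on `uri` and no DENY covers it."""
    parsed = [parse_attribute(a) for a in attributes]
    if any(name == "DENY" and covers(value, uri) for name, value in parsed):
        return False
    for name, value in parsed:
        if name == "ALLOW" and operation == "access" and value == uri:
            return True
        if name in RECURSIVE and operation in RECURSIVE[name] and covers(value, uri):
            return True
    return False  # default deny


def principal(attributes):
    """Collect the identity and group FQANs asserted in the list."""
    parsed = [parse_attribute(a) for a in attributes]
    return ([v for n, v in parsed if n == "ID"], [v for n, v in parsed if n == "GROUP"])
```

A service would read such a list from the credential it has already authenticated (for example a VOMS-style AC or a SAML assertion carried in a proxy certificate); this code only covers the decision step once the list is trusted.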
