[voms-proc-wg] VOMSPROC WG session and strawman document

David Groep davidg at nikhef.nl
Thu Oct 11 12:08:22 EDT 2012


Hi Andrea, all

On 2012-10-11 10:39, Andrea Ceccanti wrote:
> - I've already shared at large my perplexities about having more than one AC
> in the VOMS extension.
> I think that was a design flaw. There are no use cases. The VOMS AC format and
> all documents in preparation
> should be updated to address this flaw, as the VOMS libraries are.

The multiple-VO feature might actually be useful if only to copy data
between two VOs by the user, but I think Mike has some actual
current use cases for it.
Generalising, the VOMS ACs are just a source of attributes, and as long as you
can identify which attributes come from which source (the FQANs and tags are
scoped to the VO), I don't yet see why this would be a design flaw ;-)

> - Computing the intersection of a set of attributes coming from several ACs in
> the chain poses the problem of
> stating how the order of the attributes is computed when it is different in the
> ACs. The document should address
> this, e.g. proposing that the order of the AC result of the original user
> delegation is enforced.

Fully agree: the ordering section of the document is still missing, and
we should think about what a user 'expects' in this case. Should a downstream
service be able to 'select' a new primary FQAN by itself (i.e. on a service
then selecting a new primary when writing data files)? But then the
user may not 'know' this was to happen.
I can see cases for either option, and the document should indeed be explicit
in what is to be allowed.

And: thanks a lot for the comments!

	Cheers,
	DavidG.

> 
> Cheers,
> Andrea
> 
> 
> 
> On 10/10/12 21.47, David Groep wrote:
>> Dear all,
>>
>> In preparation for the VOMSPROC WG session, the Redmine project for
>> the WG has been populated (finally), and the list of documents and the
>> agreed rough outline added to the Wiki
>>
>>    http://redmine.ogf.org/projects/voms-proc-wg/wiki
>>
>> There is also a strawman document for the first work item ("VOMS
>> Attribute Certificate Parsing Rules for Chained Identity Credentials")
>> which I admit is incomplete (it lacks a description of how today the
>> 'primary FQAN' is determined), but at least should have enough
>> controversial material in it to trigger discussion.
>>
>> Please go to the OGF redmine project at
>>    http://redmine.ogf.org/projects/voms-proc-wg
>> and forward this information as relevant. Everyone is welcome to subscribe
>> to the mailing list (<http://www.ogf.org/pipermail/voms-proc-wg/>)
>> and let's hope we can get this done.
>>
>> In particular, we will soon need a discussion on the second work item
>> regarding SAML delegation and how to interpret effective attributes
>> in that context. VOMS can produce SAML statements, but I think the
>> issue is slightly wider and would benefit from such wider input.
>>
>> Hope to see many of you at the VOMSPROC WG session!
>>
>>     Best,
>>     DavidG.
>>
> 
> 


-- 
David Groep

** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
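
A sketch of the ordering rule proposed in the thread above (intersect the attributes per VO across the ACs in the chain, and keep the order of the AC from the original user delegation), added here as an example and not part of the original messages, the strawman document or the VOMS libraries. The tuple data model, the function name, the sample FQANs and the treatment of the first FQAN as the primary one are assumptions.

```python
# Added illustration. The (vo, [fqan, ...]) model and all names are
# assumptions for this sketch, not an API of any VOMS library.

def effective_fqans(chain):
    """Compute effective FQANs per VO for a chain of attribute certificates.

    chain: list of (vo, [fqan, ...]) tuples, original user delegation first.
    FQANs are scoped to their VO, so ACs of different VOs never intersect.
    """
    per_vo = {}
    for vo, fqans in chain:
        per_vo.setdefault(vo, []).append(list(fqans))

    result = {}
    for vo, acs in per_vo.items():
        original = acs[0]                       # AC from the user's own delegation
        common = set(original).intersection(*(set(a) for a in acs[1:]))
        # Enforce the original order, whatever order later ACs used.
        ordered = [f for f in original if f in common]
        primary = ordered[0] if ordered else None   # assumption: first FQAN is primary
        result[vo] = {
            "fqans": ordered,
            "primary": primary,
            # True when the intersection silently moved the primary FQAN,
            # the case where the user may not know a new primary was chosen.
            "primary_changed": bool(original) and primary != original[0],
        }
    return result


# Constructed sample chain: two ACs for VO "atlas" (the second one reordered
# and missing the role FQAN) and a single AC for VO "cms".
CHAIN = [
    ("atlas", ["/atlas/Role=production", "/atlas/analysis", "/atlas"]),
    ("cms",   ["/cms/Role=lcgadmin", "/cms"]),
    ("atlas", ["/atlas", "/atlas/analysis"]),
]

if __name__ == "__main__":
    for vo, info in effective_fqans(CHAIN).items():
        print(vo, info)
```
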

