
On Monday 28 January 2008 15:49:48 Burke, S (Stephen) wrote:
> Paul Millar [mailto:paul.millar@desy.de] said:
> > This would require specifying a schema-name part for FQAN. For example, this could be "fqan", with "fqan:/vo.example.org/Role=An-example"
>
> This is still under debate, we need some way of representing authz info but no-one is quite sure what the best way is. The current (1.3) solution does do pretty much what you suggest, in fact we publish something like "VOMS:/atlas/Role=Production", as well as the traditional "VO:atlas" form.

Ah, so we could use the "voms" schema-type, rather than "fqan", and perhaps deprecate vo:atlas in favour of voms:/atlas ?

> One question is whether we would ever need to be able to support more than one authz scheme for the same resource/service.

I don't know how widely known this is, but there's a UK-based JISC project (VPMan) that is looking into "merging" multiple authorisation schemes. Part of the project involved a use-case capture, which is available here: http://sec.cs.kent.ac.uk/vpman/D1-2v1.doc (I've placed a PDF version here: http://www.desy.de/%7Epaul/tmp/D1-2v1.pdf but some of the diagrams seem to have been lost)

In particular, they mention VOMS and PERMIS, but Shibboleth also gets a mention.

HTH,

Paul.
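The thread discusses publishing authorization rules as scheme-prefixed strings ("VO:atlas", "VOMS:/atlas/Role=Production", and Paul's proposed "fqan:" form) and asks whether several schemes may apply to one service. The following is an added example, not code from the thread or from the GLUE or VOMS projects: it parses such rules, validates the FQAN syntax, and checks a constructed list of VOMS attributes (the FQANs a proxy would carry) against a list of rules. The matching semantics are an assumption made for the example: a "VO:" rule is satisfied by membership in any group of that VO, a "VOMS:"/"fqan:" rule without a role matches the group regardless of role, and one with a role requires both group and role; `Role=NULL`/`Capability=NULL` are treated as absent. Unknown schemes are rejected rather than silently ignored, which is the safe default when a service may be handed rules from more than one authz scheme.

```python
import re
from typing import List, Optional, Tuple

# Schemes seen in the thread; "fqan" is the proposed name, "vo"/"voms" are the
# published 1.3 forms. Anything else is rejected by parse_rule().
KNOWN_SCHEMES = ("vo", "voms", "fqan")

# FQAN = one or more /group components, optional /Role=..., optional /Capability=...
FQAN_RE = re.compile(
    r"^(?:/[A-Za-z0-9._-]+)+(?:/Role=[A-Za-z0-9._-]+)?(?:/Capability=[A-Za-z0-9._-]+)?$"
)


def parse_rule(rule: str) -> Tuple[str, str]:
    """Split 'SCHEME:value' into (scheme, value); scheme compared case-insensitively."""
    scheme, sep, value = rule.partition(":")
    if not sep or not scheme or not value:
        raise ValueError(f"rule {rule!r} is not of the form scheme:value")
    scheme = scheme.lower()
    if scheme not in KNOWN_SCHEMES:
        raise ValueError(f"unknown authz scheme {scheme!r} in {rule!r}")
    if scheme == "vo":
        if "/" in value or "=" in value:
            raise ValueError(f"VO name may not contain '/' or '=': {rule!r}")
    elif not FQAN_RE.match(value):
        raise ValueError(f"malformed FQAN in {rule!r}")
    return scheme, value


def split_fqan(fqan: str) -> Tuple[str, Optional[str]]:
    """Return (group, role); Role=NULL and Capability=NULL are treated as absent."""
    if not FQAN_RE.match(fqan):
        raise ValueError(f"malformed FQAN {fqan!r}")
    group_parts: List[str] = []
    role: Optional[str] = None
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            if part != "Role=NULL":
                role = part[len("Role="):]
        elif part.startswith("Capability="):
            continue  # capabilities are not used for matching here
        else:
            group_parts.append(part)
    return "/" + "/".join(group_parts), role


def rule_matches(rule: str, user_fqans: List[str]) -> bool:
    """Assumed semantics (not the GLUE/VOMS specification), see lead-in."""
    scheme, value = parse_rule(rule)
    held = [split_fqan(f) for f in user_fqans]
    if scheme == "vo":
        return any(group.split("/")[1] == value for group, _ in held)
    want_group, want_role = split_fqan(value)
    if want_role is None:
        return any(group == want_group for group, _ in held)
    return any((group, role) == (want_group, want_role) for group, role in held)


def to_voms_form(rule: str) -> str:
    """Rewrite the legacy 'VO:name' form as 'voms:/name', as Paul suggests."""
    scheme, value = parse_rule(rule)
    return f"voms:/{value}" if scheme == "vo" else f"{scheme}:{value}"


def authorized(rules: List[str], user_fqans: List[str]) -> bool:
    """A service publishing several rules admits the user if any one matches."""
    return any(rule_matches(r, user_fqans) for r in rules)


if __name__ == "__main__":
    # Constructed sample: attributes a VOMS proxy for a plain ATLAS member carries.
    member = ["/atlas/Role=NULL/Capability=NULL"]
    # Constructed sample: the same user with the Production role selected.
    producer = ["/atlas/Role=Production/Capability=NULL", "/atlas/Role=NULL/Capability=NULL"]
    rules = ["VO:atlas", "VOMS:/atlas/Role=Production"]
    for r in rules:
        print(f"{r:32} member={rule_matches(r, member)} producer={rule_matches(r, producer)}")
    print("VO:atlas ->", to_voms_form("VO:atlas"))
```

Running the block prints, for each published rule, whether the plain member and the production-role user satisfy it; only the producer passes the role-qualified rule, while both pass "VO:atlas" and its rewritten "voms:/atlas" equivalent.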