Valerio Venturi wrote:
Hi Chad,
- Is the VO attribute necessary? If the assumption is that the VO is asserting this information then its identifier is already going to be in the assertion issuer. I don't know that it hurts to have it twice, and one reason to do so may be to deal with other SAML implementations that don't provide access to all the information in the assertion. Also, as Tom noted these VOs will need to be URIs now to serve as the attribute authority's entity ID.
I don't mind that. This way, a consumer would know the subject is in a VO based on the fact that the assertion was issued by an entity representing a VO.
Sorry but I don't follow this logic. An assertion issuer may assert anything about anybody. It is not wise to assume, for example, that if the University of Kent is asserting something about someone that the subject is a member of the University of Kent. What logic do you have to assume that? Thus I would say that it is unsafe to assume that because a VO is asserting something about a subject, that the subject is a member of the VO. In my opinion VO membership is a very sensible attribute to have asserted by an authoritative source such as a VO manager.

regards

David

Then the consumer is supposed to have knowledge that a certain entityID represents a VO. This would leave us with just having to agree on a common format for entityIDs for VOs. The only problem I would see with that is that if the assertion consumer is supposed to compose an authz request decision, XACML for example, she would have to create an attribute and fill it with the entityID name. One may argue that's not our business to define XACML attributes for VOs, but it is to promote interoperability with other specs from the WG.
- In section 5.2 you declare a group attribute. In section 5.3 you declare roles, within the scope of a group. However, you don't have any wording about how you would expect a client to react if a group, given in the scope qualifier of the role, is not included in the list of groups the user is a member of? i.e. role says I'm "admin" in group "foo", but the group attribute doesn't say I'm in group "foo".
Is that in the scope of an attribute profile? An implementer may well choose to use only the role attribute and not the group.
Valerio
-- ogsa-authz-wg mailing list ogsa-authz-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
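The two consumer-side points raised in the thread (VO membership must come from an explicit attribute rather than from who issued the assertion, and a role scoped to a group the subject is not listed in should be treated as suspect) can be checked mechanically. The following is an added example written for this discussion; it is not code from the working group or from any profile under discussion. It assumes placeholder attribute names (urn:example:vo, urn:example:group, urn:example:role) and assumes the role scope is encoded as "role@group", neither of which the thread specifies; signature validation is out of scope and would precede this check in a real consumer.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Placeholder attribute names: the thread does not give the profile's actual names.
VO_ATTR = "urn:example:vo"
GROUP_ATTR = "urn:example:group"
ROLE_ATTR = "urn:example:role"


def build_assertion(issuer, attributes):
    """Build a minimal, unsigned SAML 2.0 assertion carrying one AttributeStatement.
    attributes maps an attribute Name to a list of string values (constructed test data)."""
    ET.register_namespace("saml", SAML)
    assertion = ET.Element(f"{{{SAML}}}Assertion", {"Version": "2.0", "ID": "_constructed"})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name, values in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": name})
        for value in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def parse_assertion(xml_text):
    """Return (issuer, {attribute name: [values]}) from the first AttributeStatement."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [av.text or "" for av in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return issuer, attrs


def split_scoped_role(value):
    """Assumed encoding 'role@group'; a value without '@' is an unscoped role."""
    role, sep, scope = value.partition("@")
    return role, (scope if sep else None)


def check_role_scopes(attrs):
    """Accept a scoped role only if its group appears in the group attribute.
    Unscoped roles are accepted as-is; rejected roles are returned for logging."""
    groups = set(attrs.get(GROUP_ATTR, []))
    accepted, rejected = [], []
    for value in attrs.get(ROLE_ATTR, []):
        _role, scope = split_scoped_role(value)
        if scope is None or scope in groups:
            accepted.append(value)
        else:
            rejected.append(value)
    return accepted, rejected


def evaluate(xml_text):
    """Derive what the consumer may rely on. VO membership is taken only from the
    explicit VO attribute: the issuer says who is speaking, not what is asserted."""
    issuer, attrs = parse_assertion(xml_text)
    accepted, rejected = check_role_scopes(attrs)
    return {
        "issuer": issuer,
        "member_of": list(attrs.get(VO_ATTR, [])),
        "accepted_roles": accepted,
        "rejected_roles": rejected,
    }


if __name__ == "__main__":
    # Constructed sample: one role is scoped to a group the subject is not in.
    sample = build_assertion(
        "https://vo.example.org/aa",
        {VO_ATTR: ["vo.example.org"],
         GROUP_ATTR: ["foo", "bar"],
         ROLE_ATTR: ["admin@foo", "auditor@baz", "member"]},
    )
    print(evaluate(sample))
```

A consumer that wants the stricter behaviour Chad alluded to can simply refuse the whole assertion when `rejected_roles` is non-empty instead of dropping the inconsistent roles; the parsing and scope check stay the same.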