Hi Vincenzo

If something is defined as a sequence, then order is important and it should be maintained. So it would appear that you are doing things correctly in your implementation. Whether it is the best way of doing it or not, is open to debate. But it is your implementation and your choice

regards

David

Vincenzo Ciaschini wrote:
Hi David,
David Chadwick wrote:
Valerio Venturi wrote:
On Mon, 2007-01-29 at 20:10 +0000, David Chadwick wrote:
* VOMS profile
  Discussed on Oct 16 telecon - minutes on list
  Meaning of the primary type must be explicit rather than implicit (as currently done via sequence)
  Awaiting response from VOMS group

What we haven't understood so far is why an explicit primary attribute is needed rather than an implicit one and what needs an eventual change in VOMS AC format would address.
Hi Valerio
The OGSA Authz group is not saying that an explicit primary attribute is needed. It is saying that if you have a set of attributes, then they are all the same, and should be treated as all being the same, and you cannot imply something special for the first one in the list, since the order may not be maintained by intermediate processing nodes, or even by software modules within one system.
Ahhhh.... I think that there is a misunderstanding here. It is certainly true that a single Attribute object may contain a SET OF AttributeValue, thus creating the problem you just described. However, the VOMS attribute is defined as such, as you may also see in the profile:
name   : voms-attribute
OID    : { voms 4 }
syntax : IetfAttrSyntax
values : Multiple not allowed
This means that only one value may be present in there.
The different FQAN are then encoded in that single value in a sequence.
Evaluating nodes are so required to keep the order to comply with ASN.1 decoding rules, thus eliminating the issue.
Ciao, Vincenzo
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
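The ordering point discussed in this thread, as an added example that is not part of the original messages or of the VOMS code: under DER, a SET OF is re-sorted by element encoding while a SEQUENCE OF keeps the sender's order, so a "first FQAN is primary" convention only survives inside a SEQUENCE. The FQAN strings are constructed samples, and the encoding is simplified to a bare list of OCTET STRINGs rather than the full IetfAttrSyntax.

```python
# Added illustration; FQAN values below are constructed samples.
# Minimal DER helpers: short-form lengths only (content < 128 bytes).

def tlv(tag: int, content: bytes) -> bytes:
    if len(content) >= 128:
        raise ValueError("demo encoder handles short-form lengths only")
    return bytes([tag, len(content)]) + content

def octet_string(text: str) -> bytes:
    return tlv(0x04, text.encode("ascii"))

def sequence_of(items: list[bytes]) -> bytes:
    # SEQUENCE OF (tag 0x30): element order is part of the value.
    return tlv(0x30, b"".join(items))

def set_of_der(items: list[bytes]) -> bytes:
    # SET OF (tag 0x31): DER requires the element encodings to be sorted,
    # so whatever order the issuer intended is not carried on the wire.
    return tlv(0x31, b"".join(sorted(items)))

def decode_strings(der: bytes) -> list[str]:
    # Walk the child OCTET STRINGs in the order they appear in the encoding.
    body, out, i = der[2:2 + der[1]], [], 0
    while i < len(body):
        n = body[i + 1]
        out.append(body[i + 2:i + 2 + n].decode("ascii"))
        i += 2 + n
    return out

# Constructed sample: the issuer lists the primary FQAN first.
FQANS = ["/atlas/Role=production", "/atlas", "/atlas/analysis"]

def primary_after_roundtrip(encode) -> str:
    # Encode with the given container, decode, and take the first element.
    return decode_strings(encode([octet_string(f) for f in FQANS]))[0]

if __name__ == "__main__":
    print("SEQUENCE OF primary:", primary_after_roundtrip(sequence_of))
    print("SET OF (DER) primary:", primary_after_roundtrip(set_of_der))
```
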