RE: [OGSA-AUTHZ] Use of Obligations in the Privilege Project Authorization Infrastructure for OpenScienceGrid
Sorry guys, I must have selected the wrong file type originally. A new version (PDF) with the appropriate filetype is at https://forge.gridforum.org/projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/2 or alternatively: http://tinyurl.com/5uuke
Markus
-----Original Message-----
From: Tom Barton [mailto:tbarton@uchicago.edu]
Sent: Tuesday, February 22, 2005 7:23 AM
To: Markus Lorch
Subject: Re: [OGSA-AUTHZ] Use of Obligations in the Privilege Project Authorization Infrastructure for OpenScienceGrid
Markus,
I'm not able to open that file - it seems to be a pdf, but gridforge has it wrapped up as plain text. Could you fix it?
Thanks, Tom
Markus Lorch wrote:
Hi All,
I have written a document for the OGSA AuthZ WG that describes how we use obligations in the privilege project for the Open Science Grid. I have uploaded the document to grid forge at
/projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/1.
In short I decided to follow David's proposal for an ObligatedAuthorizationDecisionStatement but used the "Obligation" element as an extension point. I
an XACML Obligation. (others could choose to implement PonderObligation)
I found that all the obligations I want to convey are naturally expressed as attribute assignments (see examples in the document). While
semantic negotiation issues (which we also have for standard attributes) I like the possible integration path with XACML over SAML and
which I can define an obligation in an XACML policy and have it with no effort appear in the decision statement.
I continue to believe that we should move away from the SAML Authorization Decision Statement towards the use of XACML over SAML in
then implemented there may be the ease with the long run.
(see my email from Sept. 23, 2004)
I won't be able to attend GGF13. Hope y'all have a great meeting
Markus
---------------------------------------------------------------- Markus Lorch Department of Computer Science Phone: +1 540 231 5914 Virginia Tech, m/c 106 Fax: +1 540 231 6075 Blacksburg, VA 24061, U.S.A. http://people.cs.vt.edu/~mlorch
Apparently this version of the PDF had some formatting issues and cut off some of the characters, thus I made yet another PDF and uploaded it: https://forge.gridforum.org/projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/3
Maybe it would be easier if interested parties looked directly at the source document of OSG: https://plone3.fnal.gov/opensciencegrid/techgroups/tg-policy/vo-privilege/saml-with-obligations/document_view
Markus
-----Original Message-----
From: owner-ogsa-authz@ggf.org [mailto:owner-ogsa-authz@ggf.org] On Behalf Of Markus Lorch
Sent: Tuesday, February 22, 2005 9:41 AM
To: 'Tom Barton'; ogsa-authz@ggf.org
Subject: RE: [OGSA-AUTHZ] Use of Obligations in the Privilege Project Authorization Infrastructure for OpenScienceGrid
Sorry guys, I must have selected the wrong file type originally. A new version (PDF) with the appropriate filetype is at https://forge.gridforum.org/projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/2
or alternatively: http://tinyurl.com/5uuke
Markus
-----Original Message-----
From: Tom Barton [mailto:tbarton@uchicago.edu]
Sent: Tuesday, February 22, 2005 7:23 AM
To: Markus Lorch
Subject: Re: [OGSA-AUTHZ] Use of Obligations in the Privilege Project Authorization Infrastructure for OpenScienceGrid
Markus,
I'm not able to open that file - it seems to be a pdf, but gridforge has it wrapped up as plain text. Could you fix it?
Thanks, Tom
Markus Lorch wrote:
Hi All,
I have written a document for the OGSA AuthZ WG that describes how we use obligations in the privilege project for the Open Science Grid. I have uploaded the document to grid forge at
/projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/1.
In short I decided to follow David's proposal for an ObligatedAuthorizationDecisionStatement but used the "Obligation" element as an extension point. I
an XACML Obligation. (others could choose to implement PonderObligation)
I found that all the obligations I want to convey are naturally expressed as attribute assignments (see examples in the document). While
semantic negotiation issues (which we also have for standard attributes) I like the possible integration path with XACML over SAML and
which I can define an obligation in an XACML policy and have it with no effort appear in the decision statement.
I continue to believe that we should move away from the SAML Authorization Decision Statement towards the use of XACML over SAML in
then implemented there may be the ease with the long run.
(see my email from Sept. 23, 2004)
I won't be able to attend GGF13. Hope y'all have a great meeting
Markus
---------------------------------------------------------------- Markus Lorch Department of Computer Science Phone: +1 540 231 5914 Virginia Tech, m/c 106 Fax: +1 540 231 6075 Blacksburg, VA 24061, U.S.A. http://people.cs.vt.edu/~mlorch
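Added example, not part of the thread or of the OSG document: a sketch of how an enforcement point might consume an XACML Obligation whose content is attribute assignments, carried in a decision statement, and refuse access when it cannot fulfil one. The layout of the ObligatedAuthorizationDecisionStatement wrapper, the XACML 1.0 namespace choice, every urn:example identifier and the handler are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:1.0:policy"  # XACML 1.0 policy namespace

# Constructed sample. The wrapper layout and every urn:example id are assumptions.
SAMPLE = f"""
<ObligatedAuthorizationDecisionStatement Decision="Permit">
  <Obligation xmlns="{XACML}" FulfillOn="Permit"
      ObligationId="urn:example:obligation:local-account">
    <AttributeAssignment AttributeId="urn:example:attr:username"
        DataType="http://www.w3.org/2001/XMLSchema#string">osguser01</AttributeAssignment>
  </Obligation>
</ObligatedAuthorizationDecisionStatement>
"""

def local_account(attrs):
    """Hypothetical handler: accept only a conservative local account name."""
    name = attrs["urn:example:attr:username"]
    if not re.fullmatch(r"[a-z][a-z0-9_]{0,31}", name):
        raise ValueError("unsafe account name")
    return {"run_as": name}

HANDLERS = {"urn:example:obligation:local-account": local_account}

def enforce(statement_xml, handlers):
    """Return (decision, settings); any obligation that cannot be fulfilled means Deny."""
    root = ET.fromstring(statement_xml)
    decision = root.get("Decision")
    settings = {}
    for ob in root.iter(f"{{{XACML}}}Obligation"):
        if ob.get("FulfillOn") != decision:
            continue  # obligation applies to the other decision
        handler = handlers.get(ob.get("ObligationId"))
        if handler is None:
            return "Deny", {}  # unknown obligation: fail closed
        attrs = {a.get("AttributeId"): (a.text or "").strip()
                 for a in ob.findall(f"{{{XACML}}}AttributeAssignment")}
        try:
            settings.update(handler(attrs))
        except (KeyError, ValueError):
            return "Deny", {}  # missing or malformed assignment
    return decision, settings

if __name__ == "__main__":
    print(enforce(SAMPLE, HANDLERS))
    print(enforce(SAMPLE, {}))
```

Failing closed on an unrecognised ObligationId is what keeps the semantic negotiation problem from turning into silent over-permission when issuer and enforcer disagree about what an obligation means.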