
These "VOMS extensions" you keep referring to are actually X.509 Attribute Certificates that are well-defined in an IETF RFC and refined by the OGSA-Authz VOMS doc. You should call them "VOMS-style ACs" (since they can be constructed by an authn authority other than an actual VOMS server).

Section 7.1.1 needs to be about defining a shared semantics between attribute documents (specifically VOMS-style ACs and a new PGI definition of equivalent SAML attribute assertions), which is something that the strawman doc already does in gory detail. (Although it needs updating to reflect the proper authentication of SAML attribute assertions by Proxy Certificates -- the idealized Genesis II credentialing mechanism.)

Duane

On 3/25/09, Vincenzo Ciaschini <vincenzo.ciaschini@cnaf.infn.it> wrote:
Etienne URBAH wrote:
Duane,
Thank you for your comments. Please find the original text and my answers inline.
Beyond that:

7.9) Semantics and syntax of VOMS extensions and Restriction attributes
-----------------------------------------------------------------------
I would like to describe (for example in a new section 7.9) the semantics and syntax of a RESTRICTED list of VOMS extensions and Restriction attributes that all grid clients MAY use and that all grid services MUST understand.

Does anybody have links to such lists?
- For VOMS extensions, the example below gives: VO, subject, issuer, attribute, timeleft, uri

Just for clarity: attribute is indeed a list of attributes. There may be more than one.
Also, information from more than one VO may be present.

- For other attributes, here is something springing out from my imagination, with semantics and syntax (please criticize):
  - Assertion of identity: ID:<FQAN>
  - Assertion of belonging to a group: GROUP:<FQAN>
  - Authorization to access a resource: ALLOW:<URI>
  - Interdiction to access a resource: DENY:<URI>
  - Authorization to read a file (or a folder, recursively): ALLOW_R:<URI>
  - Authorization to write into a file (or a folder, recursively): ALLOW_W:<URI>
  - Authorization to read and write into a file (or a folder, recursively): ALLOW_RW:<URI>

Note that GLUE 2.0 recommends that the URI should be a URN.
I agree that we have to describe the full list of VOMS extensions with their meaning and syntax (or provide a link to the relevant VOMS specification).
How about this? https://forge.gridforum.org/sf/go/doc13797 (also referenced in the strawman doc)
If it is unclear, I'd love to receive comments.
Ciao, Vincenzo
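The restriction-attribute syntax Etienne proposes in the quoted message (ID:, GROUP:, ALLOW:, DENY:, ALLOW_R:, ALLOW_W:, ALLOW_RW:) is only sketched there, so the following is an added Python example, not code from this thread nor from any PGI, VOMS or Genesis II implementation, that parses attributes of that form and evaluates an access request against them. Only the prefix names come from the thread; everything else is an assumption made here: DENY takes precedence over any ALLOW, a URI covers everything beneath it when treated as a folder, ALLOW grants plain "access" while ALLOW_R/ALLOW_W/ALLOW_RW grant read and write, membership of a subgroup implies membership of its parent group, and paths are normalised before matching so a ".." segment cannot escape a denied folder. The FQANs, URIs and attribute lists used are constructed for illustration.

```python
import posixpath
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Prefixes as proposed in the thread. The mode each grant confers is an
# assumption: ALLOW is plain access, the _R/_W/_RW forms are read/write.
GRANTS = {
    "ALLOW": {"access"},
    "ALLOW_R": {"read"},
    "ALLOW_W": {"write"},
    "ALLOW_RW": {"read", "write"},
}
MODES = {"access", "read", "write"}
KNOWN_PREFIXES = set(GRANTS) | {"DENY", "ID", "GROUP"}


@dataclass(frozen=True)
class Restriction:
    kind: str    # one of KNOWN_PREFIXES
    value: str   # an FQAN for ID/GROUP, an absolute URI otherwise


def parse_restriction(text: str) -> Restriction:
    """Parse 'PREFIX:<value>'. Split on the first ':' only, because URI values
    such as 'srm://host/path' contain ':' themselves. Unknown prefixes, empty
    values, FQANs not starting with '/' and relative URIs are rejected."""
    prefix, sep, value = text.partition(":")
    if not sep or prefix not in KNOWN_PREFIXES or not value:
        raise ValueError(f"malformed restriction attribute: {text!r}")
    if prefix in ("ID", "GROUP"):
        if not value.startswith("/"):
            raise ValueError(f"FQAN must start with '/': {value!r}")
    elif not urlparse(value).scheme:
        raise ValueError(f"resource must be an absolute URI or URN: {value!r}")
    return Restriction(prefix, value)


def _norm(uri: str) -> Tuple[str, str, str]:
    """Canonical (scheme, host, path): scheme and host are case-insensitive,
    and the path is normalised so 'a/../b' compares equal to 'b'."""
    p = urlparse(uri)
    return p.scheme.lower(), p.netloc.lower(), posixpath.normpath(p.path or "/")


def uri_covers(scope: str, target: str) -> bool:
    """Assumed matching rule: scope covers target when they denote the same
    resource, or when target lies under scope treated as a folder. The '/'
    boundary stops 'srm://h/data' from also covering 'srm://h/data2'."""
    s_scheme, s_host, s_path = _norm(scope)
    t_scheme, t_host, t_path = _norm(target)
    if (s_scheme, s_host) != (t_scheme, t_host):
        return False
    return s_path == t_path or t_path.startswith(s_path.rstrip("/") + "/")


def authorize(attrs: Iterable[Restriction], target: str, mode: str) -> bool:
    """True iff some grant covers target for mode and no DENY covers target.
    DENY-wins precedence is an assumption; the proposal does not define it."""
    if mode not in MODES:
        raise ValueError(f"unknown access mode: {mode!r}")
    attrs = list(attrs)
    if any(a.kind == "DENY" and uri_covers(a.value, target) for a in attrs):
        return False
    return any(mode in GRANTS.get(a.kind, ()) and uri_covers(a.value, target)
               for a in attrs)


def _group_part(fqan: str) -> str:
    """Drop Role= and Capability= components, keeping only the group path."""
    return "/".join(c for c in fqan.split("/")
                    if not c.startswith(("Role=", "Capability=")))


def member_of(attrs: Iterable[Restriction], group_fqan: str) -> bool:
    """True iff a GROUP attribute names group_fqan or one of its subgroups
    (subgroup membership implying parent membership is an assumption)."""
    want = _group_part(group_fqan)
    for a in attrs:
        if a.kind == "GROUP":
            have = _group_part(a.value)
            if have == want or have.startswith(want.rstrip("/") + "/"):
                return True
    return False


# Constructed sample: a client holding these attributes (not real VO data).
SAMPLE_ATTRS: List[Restriction] = [parse_restriction(s) for s in (
    "ID:/pgi/Role=NULL/Capability=NULL",
    "GROUP:/pgi/testers",
    "ALLOW_R:srm://se.example.org/data/",
    "ALLOW_W:srm://se.example.org/data/scratch/",
    "DENY:srm://se.example.org/data/private/",
)]

if __name__ == "__main__":
    for uri, mode in (("srm://se.example.org/data/public/f1", "read"),
                      ("srm://se.example.org/data/scratch/../private/f2", "read"),
                      ("srm://se.example.org/data2/f3", "read")):
        print(mode, uri, "->", authorize(SAMPLE_ATTRS, uri, mode))
```

Walking through the sample shows the points the proposal would have to settle before "all grid services MUST understand" it: whether DENY beats ALLOW, whether a trailing "/" or something else marks a folder, whether ALLOW_R also implies ALLOW, and whether a subgroup FQAN satisfies a parent GROUP check. The path normalisation and the boundary check in uri_covers are the two places a naive string-prefix implementation would open a hole.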