
shibboleth-dev - Re: Fwd: More detailed Grid scenarios



  • From: Von Welch <>
  • To: "David L. Wasley" <>
  • Cc: Scott Cantor <>,
  • Subject: Re: Fwd: More detailed Grid scenarios
  • Date: Tue, 13 Jan 2004 11:37:50 -0600


David,

A couple of key points that I believe differentiate VOs from Os (yes, you
can find exceptions to all these, but I believe these are the
predominant rules):

* In a VO every user is a member of an O - i.e. their "home
organization" different from the VO. Typically VO members will be
members of multiple Organizations (i.e. they won't all be from the same
organization).

* In practice VOs often do not have the resources and/or expertise to
run security services in a production manner. A typical scientific VO
is a half-dozen professors, their grad students and maybe a handful
of full-time staff, all of whom are much more interested in their
science than running production services. Remember the party that
ultimately decides whether or not an AA is "production enough" is not
the VO, but the organizations contributing resources, some of whom may
have high standards.

* While a large VO may have some small physical presence and pay some
salaries, typically most of its members are hosted by their home
organization.

> So here's maybe the bottom line for the class of VO-like groups: can
> they "borrow" use of an AA from an existing organization? In other
> words, they "borrow" office space, local human identifiers, machine
> room space, secretarial help, etc. etc. In order to manage access to
> their on-line resources, they may need to "borrow" AuthZ support from
> somewhere.

Yes I think this summarizes it.

In some cases it will make sense for a VO to run its own AA, some
large VOs today do just that. The European Data Grid comes to mind,
and it is a large VO - multi-country, multi-year, staff in the dozens.

However, many VOs are not so large. For example here in the states
there are several DOE Grids for which they have already established a
CA for identity assertions run by ESNet (www.doegrids.org), with RAs
established by each VO. So the VOs vet but ESNet asserts identity. The
thinking is beginning on how a similar authz service could be run for
these VOs.

You brought up some points earlier about privacy and scalability and I
agree these are issues. I think in practice sites will decide these as
trade-offs - e.g. if a VO decides to "borrow" authz from an O it trades
off privacy for outsourcing.

Von

David L. Wasley writes (15:22 January 12, 2004):
> That's a good example, and the answer is basically "nothing." In fact
> that example has come up in the context of PKI credentials - why not
> simply use whatever cert a student has when they come to campus instead of
> issuing them a new, campus cert?
>
> If you decompose the problem of access management into (1) having some
> reliable digital token associated with a particular individual and (2)
> being able to use that token to obtain necessary and reliable information
> about that individual, then one can imagine outsourcing one, or even both,
> aspects.
>
> WRT a reliable token - if it is outsourced, i.e. a token issued to someone
> by a different party, then I'd want to know how strong the binding is, how
> unique and persistent the token is, etc. Given that it is reliable
> enough, I might choose to use it at least for some things, e.g.
> application for admission, or maybe lots of things.
>
> WRT information associated with the token - I might choose to believe some
> things from an external party, e.g. human name, but not others, e.g. grade
> in Physics 101. It's definitely the information for which the institution
> is authoritative that it wants to control.
>
> As for VO versus O, the only distinction I can come up with is that it may
> not have a physical "home" (it camps out in existing homes :-). It
> clearly has "history" and "records," it may have "legal standing,"
> especially if it has "assets" or "liabilities." It has some mechanism for
> deciding who is a member and when they are no longer a member (the "in's"
> vs the "out's"). It might even have money and pay salaries!
>
> So here's maybe the bottom line for the class of VO-like groups: can they
> "borrow" use of an AA from an existing organization? In other words, they
> "borrow" office space, local human identifiers, machine room space,
> secretarial help, etc. etc. In order to manage access to their on-line
> resources, they may need to "borrow" AuthZ support from somewhere.
>
> I'd love to hear from others about VO versus O ...
>
> David
> -----
> At 5:12 PM -0500 on 1/12/04, Scott Cantor wrote:
>
> > > What am I missing?
> >
> > In my mind, there's nothing missing here except a meaningful distinction
> > between VO and O. If I as a small community college want to outsource my
> > authentication (but not authz) to some third party, how am I any different
> > than a VO in your model?
> >
> > -- Scott
>


