shibboleth-dev - Re: Fwd: More detailed Grid scenarios
Subject: Shibboleth Developers
List archive
- From: "David L. Wasley" <>
- To: Von Welch <>
- Cc: Scott Cantor <>,
- Subject: Re: Fwd: More detailed Grid scenarios
- Date: Tue, 13 Jan 2004 10:08:39 -0800
I think we're seeing the fog lift somewhat...
-----
At 11:37 AM -0600 on 1/13/04, Von Welch wrote:
David,
A couple key points that I believe differiate VOs from Os (yes, you
can find exceptions to all these, but I believe these are the
predominate rules):
* In a VO every user is a member of a O - i.e. their "home
organization" different from the VO. Typically VO members will be
members of multiple Organzations (i.e. they won't all be from the same
organization).
Yes, but what is the significance of that? One is that they might be able to use identifiers issued by their "home organization." Are their activities sponsored/funded by the "home organization" and thus the HO becomes a party to the VO? Is there a liability incurred by the HO as a result?
People may be members of more than one organization so what makes the one particular O an HO in this context? For example, a Physics professor at UC Berkeley who is also a member of the staff at LLNL. What's the HO? Why?
* In practice VOs often do not have the resources and/or expertise to
run security services in a production manner. A typical scientific VO
is a half-dozen professors, their grad students and maybe a handfull
of full-time staff, all of whom are much more interested in their
science than running production services. Remember the party that
ultimately decides whether or not an AA is "production enough" is not
the VO, but the organizations contributing resources, some of whom may
have high standards.
Yes - exactly. However, I would argue that this isn't "virtual" per se, only an organization that borrows support services from other organizations. I'm reminded of Mistletoe ...
Still, to the extent that the VO pays for (read outsources) this support, it is a "real" organization - merely with low physical overhead.
* While a large VO may have some small physical presence and pay some
salaries, typically most of it's members are hosted by their home
organization.
So here's maybe the bottom line for the class of VO-like groups: can
they "borrow" use of an AA from an existing organization? In other
words, they "borrow" office space, local human identifiers, machine
room space, secretarial help, etc. etc. In order to manage access to
their on-line resources, they may need to "borrow" AuthZ support from
somewhere.
Yes I think this summarizes it.
In some cases it will make sense for a VO to run its own AA, some
large VOs today do just that. The European Data Grid comes to mind,
and it is a large VO - multi-country, multi-year, staff in the dozens.
Hoever, many VOs are not so large. For example here in the states
there are several DOE Grids for which they have already established a
CA for identity assertions run by ESNet (www.doegrids.org), with RAs
established by each VO. So the VOs vet but ESNet asserts identity. The
thinking is begining on how a similar authz service could be run for
these VOs.
The Feds have a concept of "credential service provider" (*) which could certainly be expanded to "identity service provider" (awkward acronym!). So the VO above could vet not only the basic user "credential" but could provide attributes as well that would be stored at the ESNET CA site and offered by an ESNET AA. This would avoid the need to add info fields to the AA's at all VO participant O's.
You brought up some points earlier about privacy and scalability and I
agree this are issues. I think in practice sites will decide these as
trade offs - e.g. if a VO decides to "borrow" authz from a O it trades
off privacy for outsourcing.
Von
David
(*) The CSP is assumed to provide only a reliable and unique token bound to a specific but otherwise unidentified individual. The ISP would actually know some reliable and useful information (attributes) about the individual.
- Fwd: More detailed Grid scenarios, Von Welch, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/12/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/12/2004
- RE: Fwd: More detailed Grid scenarios, David L. Wasley, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/13/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/13/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/14/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/13/2004
- RE: Fwd: More detailed Grid scenarios, David L. Wasley, 01/12/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, David L. Wasley, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, David L. Wasley, 01/15/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/15/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, David L. Wasley, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/15/2004
Archive powered by MHonArc 2.6.16.