
shibboleth-dev - Re: Fwd: More detailed Grid scenarios

  • From: "David L. Wasley" <>
  • To: Von Welch <>
  • Cc: Scott Cantor <>,
  • Subject: Re: Fwd: More detailed Grid scenarios
  • Date: Tue, 13 Jan 2004 10:08:39 -0800

I think we're seeing the fog lift somewhat...
-----
At 11:37 AM -0600 on 1/13/04, Von Welch wrote:

David,

A couple of key points that I believe differentiate VOs from Os (yes, you
can find exceptions to all these, but I believe these are the
predominant rules):

* In a VO every user is a member of an O - i.e. their "home
organization," different from the VO. Typically VO members will be
members of multiple Organizations (i.e. they won't all be from the same
organization).

Yes, but what is the significance of that? One is that they might be able to use identifiers issued by their "home organization." Are their activities sponsored/funded by the "home organization" and thus the HO becomes a party to the VO? Is there a liability incurred by the HO as a result?

People may be members of more than one organization so what makes the one particular O an HO in this context? For example, a Physics professor at UC Berkeley who is also a member of the staff at LLNL. What's the HO? Why?


* In practice VOs often do not have the resources and/or expertise to
run security services in a production manner. A typical scientific VO
is a half-dozen professors, their grad students and maybe a handful
of full-time staff, all of whom are much more interested in their
science than in running production services. Remember the party that
ultimately decides whether or not an AA is "production enough" is not
the VO, but the organizations contributing resources, some of whom may
have high standards.

Yes - exactly. However, I would argue that this isn't "virtual" per se, only an organization that borrows support services from other organizations. I'm reminded of Mistletoe ...

Still, to the extent that the VO pays for (read outsources) this support, it is a "real" organization - merely with low physical overhead.


* While a large VO may have some small physical presence and pay some
salaries, typically most of its members are hosted by their home
organization.

So here's maybe the bottom line for the class of VO-like groups: can
they "borrow" use of an AA from an existing organization? In other
words, they "borrow" office space, local human identifiers, machine
room space, secretarial help, etc. etc. In order to manage access to
their on-line resources, they may need to "borrow" AuthZ support from
somewhere.

Yes I think this summarizes it.

In some cases it will make sense for a VO to run its own AA, some
large VOs today do just that. The European Data Grid comes to mind,
and it is a large VO - multi-country, multi-year, staff in the dozens.

However, many VOs are not so large. For example, here in the States
there are several DOE Grids for which a CA for identity assertions has
already been established, run by ESNet (www.doegrids.org), with RAs
established by each VO. So the VOs vet but ESNet asserts identity. The
thinking is beginning on how a similar authz service could be run for
these VOs.

The Feds have a concept of "credential service provider" (*) which could certainly be expanded to "identity service provider" (awkward acronym!). So the VO above could vet not only the basic user "credential" but could provide attributes as well that would be stored at the ESNET CA site and offered by an ESNET AA. This would avoid the need to add info fields to the AA's at all VO participant O's.


You brought up some points earlier about privacy and scalability and I
agree these are issues. I think in practice sites will decide these as
trade-offs - e.g. if a VO decides to "borrow" authz from an O it trades
off privacy for outsourcing.

Von


David

(*) The CSP is assumed to provide only a reliable and unique token bound to a specific but otherwise unidentified individual. The ISP would actually know some reliable and useful information (attributes) about the individual.
