
shibboleth-dev - Re: Fwd: More detailed Grid scenarios

  • From: Von Welch <>
  • To: "David L. Wasley" <>
  • Cc: Scott Cantor <>,
  • Subject: Re: Fwd: More detailed Grid scenarios
  • Date: Wed, 14 Jan 2004 20:09:22 -0600

David L. Wasley writes (10:08 January 13, 2004):
> I think we're seeing the fog lift somewhat...
> -----
> At 11:37 AM -0600 on 1/13/04, Von Welch wrote:
>
> >David,
> >
> > A couple key points that I believe differentiate VOs from Os (yes, you
> >can find exceptions to all these, but I believe these are the
> >predominant rules):
> >
> > * In a VO every user is a member of an O - i.e. their "home
> >organization" different from the VO. Typically VO members will be
> >members of multiple Organizations (i.e. they won't all be from the same
> >organization).
>
> Yes, but what is the significance of that? One is that they might be
> able to use identifiers issued by their "home organization." Are
> their activities sponsored/funded by the "home organization" and thus
> the HO becomes a party to the VO? Is there a liability incurred by
> the HO as a result?

More on your first item: these folks typically have identities and
attributes issued by their HOs, which, if they are assertable outside their
HO, can be leveraged by the VO.

> People may be members of more than one organization so what makes the
> one particular O an HO in this context? For example, a Physics
> professor at UC Berkeley who is also a member of the staff at LLNL.
> What's the HO? Why?

I'm using HO as a term of convenience for an organization that can
assert a "large" amount of information about a person. A person could
have more than one HO.

> > * In practice VOs often do not have the resources and/or expertise to
> >run security services in a production manner. A typical scientific VO
> >is a half-dozen professors, their grad students and maybe a handful
> >of full-time staff, all of whom are much more interested in their
> >science than running production services. Remember the party that
> >ultimately decides whether or not an AA is "production enough" is not
> >the VO, but the organizations contributing resources, some of whom may
> >have high standards.
>
> Yes - exactly. However, I would argue that this isn't "virtual" per
> se, only an organization that borrows support services from other
> organizations. I'm reminded of Mistletoe ...
>
> Still, to the extent that the VO pays for (read outsources) this
> support, it is a "real" organization - merely with low physical
> overhead.

Well, VO has been beaten into my brain for too long now, so I suggest
we just translate instead of argue.

> > * While a large VO may have some small physical presence and pay some
> >salaries, typically most of its members are hosted by their home
> >organization.
> >
> >> So here's maybe the bottom line for the class of VO-like groups: can
> >> they "borrow" use of an AA from an existing organization? In other
> >> words, they "borrow" office space, local human identifiers, machine
> >> room space, secretarial help, etc. etc. In order to manage access to
> >> their on-line resources, they may need to "borrow" AuthZ support from
> >> somewhere.
> >
> >Yes I think this summarizes it.
> >
> >In some cases it will make sense for a VO to run its own AA, some
> >large VOs today do just that. The European Data Grid comes to mind,
> >and it is a large VO - multi-country, multi-year, staff in the dozens.
> >
> >However, many VOs are not so large. For example here in the states
> >there are several DOE Grids for which they have already established a
> >CA for identity assertions run by ESNet (www.doegrids.org), with RAs
> >established by each VO. So the VOs vet but ESNet asserts identity. The
> >thinking is beginning on how a similar authz service could be run for
> >these VOs.
>
> The Feds have a concept of "credential service provider" (*) which
> could certainly be expanded to "identity service provider" (awkward
> acronym!). So the VO above could vet not only the basic user
> "credential" but could provide attributes as well that would be
> stored at the ESNET CA site and offered by an ESNET AA. This would
> avoid the need to add info fields to the AA's at all VO participant
> O's.

Right. And I suspect with ESNet that will probably happen. And it is very
possible that a similar site will emerge on the NSF side to serve NSF
Grids. So it may very well be that the model of Grids leveraging
Shib servers at a bunch of higher ed sites.

But putting that model aside, even if a site emerges to run the AA for
Grids, Shib would be a good technology to deploy, assuming the details
of a non-web browser use case get worked out. I believe my use case
covers this as well.

Von


> >
> >You brought up some points earlier about privacy and scalability and I
> >agree these are issues. I think in practice sites will decide these as
> >trade offs - e.g. if a VO decides to "borrow" authz from an O it trades
> >off privacy for outsourcing.
> >
> >Von
> >
>
> David
>
> (*) The CSP is assumed to provide only a reliable and unique token
> bound to a specific but otherwise unidentified individual. The ISP
> would actually know some reliable and useful information (attributes)
> about the individual.
>


