shibboleth-dev - Re: Fwd: More detailed Grid scenarios
Subject: Shibboleth Developers
List archive
- From: Von Welch <>
- To: "David L. Wasley" <>
- Cc: Scott Cantor <>,
- Subject: Re: Fwd: More detailed Grid scenarios
- Date: Wed, 14 Jan 2004 20:09:22 -0600
David L. Wasley writes (10:08 January 13, 2004):
> I think we're seeing the fog lift somewhat...
> -----
> At 11:37 AM -0600 on 1/13/04, Von Welch wrote:
>
> >David,
> >
> > A couple key points that I believe differiate VOs from Os (yes, you
> >can find exceptions to all these, but I believe these are the
> >predominate rules):
> >
> > * In a VO every user is a member of a O - i.e. their "home
> >organization" different from the VO. Typically VO members will be
> >members of multiple Organzations (i.e. they won't all be from the same
> >organization).
>
> Yes, but what is the significance of that? One is that they might be
> able to use identifiers issued by their "home organization." Are
> their activities sponsored/funded by the "home organization" and thus
> the HO becomes a party to the VO? Is there a liability incurred by
> the HO as a result?
More your first item, these folks typically have identities and
attribute issued by their HOs, which if they assertable outside their
HO that can be leveraged by the VO.
> People may be members of more than one organization so what makes the
> one particular O an HO in this context? For example, a Physics
> professor at UC Berkeley who is also a member of the staff at LLNL.
> What's the HO? Why?
I'm using HO as a term of convenience for a organization that can
assert a "large" amount of information about a person. A person could
have more than one HO.
> > * In practice VOs often do not have the resources and/or expertise to
> >run security services in a production manner. A typical scientific VO
> >is a half-dozen professors, their grad students and maybe a handfull
> >of full-time staff, all of whom are much more interested in their
> >science than running production services. Remember the party that
> >ultimately decides whether or not an AA is "production enough" is not
> >the VO, but the organizations contributing resources, some of whom may
> >have high standards.
>
> Yes - exactly. However, I would argue that this isn't "virtual" per
> se, only an organization that borrows support services from other
> organizations. I'm reminded of Mistletoe ...
>
> Still, to the extent that the VO pays for (read outsources) this
> support, it is a "real" organization - merely with low physical
> overhead.
Well, VO has been beaten into my brain for too long now, so I suggest
we just translate instead of argue.
> > * While a large VO may have some small physical presence and pay some
> >salaries, typically most of it's members are hosted by their home
> >organization.
> >
> >> So here's maybe the bottom line for the class of VO-like groups: can
> >> they "borrow" use of an AA from an existing organization? In other
> >> words, they "borrow" office space, local human identifiers, machine
> >> room space, secretarial help, etc. etc. In order to manage access to
> >> their on-line resources, they may need to "borrow" AuthZ support from
> >> somewhere.
> >
> >Yes I think this summarizes it.
> >
> >In some cases it will make sense for a VO to run its own AA, some
> >large VOs today do just that. The European Data Grid comes to mind,
> >and it is a large VO - multi-country, multi-year, staff in the dozens.
> >
> >Hoever, many VOs are not so large. For example here in the states
> >there are several DOE Grids for which they have already established a
> >CA for identity assertions run by ESNet (www.doegrids.org), with RAs
> >established by each VO. So the VOs vet but ESNet asserts identity. The
> >thinking is begining on how a similar authz service could be run for
> >these VOs.
>
> The Feds have a concept of "credential service provider" (*) which
> could certainly be expanded to "identity service provider" (awkward
> acronym!). So the VO above could vet not only the basic user
> "credential" but could provide attributes as well that would be
> stored at the ESNET CA site and offered by an ESNET AA. This would
> avoid the need to add info fields to the AA's at all VO participant
> O's.
Right. And I suspect with ESNet that will probably happen. And it very
possible that a similar site will emerge on the NSF site to serve NSF
Grids. So it may very well be that the model of Grids leveraging using
Shib servers at a bunch of higher ed sites.
But putting that model aside, even if a site emerges to run the AA for
Grids, Shib would be a good technology to deploy, assuming the details
of a non-web browser use case get worked out. I believe my use case
covers this as well.
Von
> >
> >You brought up some points earlier about privacy and scalability and I
> >agree this are issues. I think in practice sites will decide these as
> >trade offs - e.g. if a VO decides to "borrow" authz from a O it trades
> >off privacy for outsourcing.
> >
> >Von
> >
>
> David
>
> (*) The CSP is assumed to provide only a reliable and unique token
> bound to a specific but otherwise unidentified individual. The ISP
> would actually know some reliable and useful information (attributes)
> about the individual.
>
- Fwd: More detailed Grid scenarios, Von Welch, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/12/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/12/2004
- RE: Fwd: More detailed Grid scenarios, David L. Wasley, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/13/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/13/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/14/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/13/2004
- RE: Fwd: More detailed Grid scenarios, David L. Wasley, 01/12/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/12/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, David L. Wasley, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, David L. Wasley, 01/15/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/15/2004
- Re: Fwd: More detailed Grid scenarios, David L. Wasley, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, David L. Wasley, 01/15/2004
- Re: Fwd: More detailed Grid scenarios, Von Welch, 01/16/2004
- RE: Fwd: More detailed Grid scenarios, David L. Wasley, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/15/2004
- RE: Fwd: More detailed Grid scenarios, Scott Cantor, 01/15/2004
Archive powered by MHonArc 2.6.16.