[OGSA-AUTHZ] Use of Obligations in the Privilege Project Authorization Infrastructure for OpenScienceGrid
Markus Lorch
mlorch at vt.edu
Wed Feb 23 11:42:35 CST 2005
Apparently this version of the PDF had some formatting issues and cut off
some of the characters, thus I made yet another PDF and uploaded it:
https://forge.gridforum.org/projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/3
Maybe it would be easier if interested parties looked directly at the
source document of OSG:
https://plone3.fnal.gov/opensciencegrid/techgroups/tg-policy/vo-privilege/saml-with-obligations/document_view
Markus
> -----Original Message-----
> From: owner-ogsa-authz at ggf.org
> [mailto:owner-ogsa-authz at ggf.org] On Behalf Of Markus Lorch
> Sent: Tuesday, February 22, 2005 9:41 AM
> To: 'Tom Barton'; ogsa-authz at ggf.org
> Subject: RE: [OGSA-AUTHZ] Use of Obligations in the Privilege
> Project Authorization Infrastructure for OpenScienceGrid
>
>
>
> Sorry guys, I must have selected the wrong file type originally.
> A new version (PDF) with the appropriate filetype is at
> https://forge.gridforum.org/projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/2
>
> or alternatively: http://tinyurl.com/5uuke
>
> Markus
>
>
> > -----Original Message-----
> > From: Tom Barton [mailto:tbarton at uchicago.edu]
> > Sent: Tuesday, February 22, 2005 7:23 AM
> > To: Markus Lorch
> > Subject: Re: [OGSA-AUTHZ] Use of Obligations in the Privilege
> > Project Authorization Infrastructure for OpenScienceGrid
> >
> >
> > Markus,
> >
> > I'm not able to open that file - it seems to be a pdf, but gridforge has
> > it wrapped up as plain text. Could you fix it?
> >
> > Thanks,
> > Tom
> >
> > Markus Lorch wrote:
> > > Hi All,
> > >
> > > I have written a document for the OGSA AuthZ WG that describes how we
> > > use obligations in the privilege project for the Open Science Grid.
> > > I have uploaded the document to grid forge at
> > >
> > > /projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/1.
> > >
> > > In short I decided to follow David's proposal for an
> > > ObligatedAuthorizationDecisionStatement
> > > but used the "Obligation" element as an extension point. I then implemented an
> > > XACML Obligation. (others could choose to implement PonderObligation)
> > >
> > > I found that all the obligations I want to convey are naturally expressed as
> > > attribute assignments (see examples in the document). While there may be
> > > semantic negotiation issues (which we also have for standard attributes) I
> > > like the possible integration path with XACML over SAML and the ease with which
> > > I can define an obligation in an XACML policy and have it with no effort
> > > appear in the decision statement.
> > >
> > > I continue to believe that we should move away from the SAML Authorization
> > > Decision Statement towards the use of XACML over SAML in the long run.
> > > (see my email from Sept. 23, 2004)
> > >
> > > I won't be able to attend GGF13. Hope y'all have a great meeting
> > >
> > > Markus
> > >
> > > ----------------------------------------------------------------
> > > Markus Lorch
> > > Department of Computer Science Phone: +1 540 231 5914
> > > Virginia Tech, m/c 106 Fax: +1 540 231 6075
> > > Blacksburg, VA 24061, U.S.A. http://people.cs.vt.edu/~mlorch
> > >
> >
>