[OGSA-AUTHZ] Use of IDList in Use of WS-TRUST and SAML to access a Credential Validation Service
David Chadwick
d.w.chadwick at kent.ac.uk
Fri Oct 3 07:34:10 CDT 2008
Dear WG
at our last meeting in Singapore, on a suggestion from Tom Scavo, we
discussed changing from the GFD.66 SubjectAttributeReferenceAdvice
element to the SAML IDList element and I made the edits to our profile.
We have now been implementing this to see how it works in practice, and
we have encountered the following problem, namely that IDList only lists
attribute authorities and does not associate the attribute types that
they issue with these attribute authorities. GFD.66
SubjectAttributeReferenceAdvice on the other hand does associate AAs
with the attributes they issue.
The meeting suggested that the implementation can pick up the attribute
list from meta information of the AA, which indeed it can. However, this
does not allow a user to specify which attributes he wants to use, i.e.
provide the user with least privileges.
Consider a VOMS server in which a user has multiple attributes. The meta
information for the VOMS server will tell the CVS which attribute types
are supported by the VOMS AA. But it will not help the CVS to decide
which ones to ask for this user session, since the user is not able to
tell the CVS which ones he wants. With SubjectAttributeReferenceAdvice
the user was able to tell the CVS (indirectly via the PEP) which
attributes he wished to be picked up from where for this session. With
IDList the user is unable to tell the CVS.
I am therefore proposing that we revert to the
SubjectAttributeReferenceAdvice element since it provides the user with
the least privileges control that he needs. On the user's grid job
request he adds the parameter "please pick up my attribute X from AA Y",
which the PEP can then transfer to the CVS in the
SubjectAttributeReferenceAdvice element. The CVS can perform the third
party query mode request to the AA for the specified attribute (using
the Use of SAML to retrieve Authorization Credentials profile), and if
the user does have attribute X, this can be validated by the CVS and fed
into the PDP.
regards
David
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
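The following is an added, constructed illustration of the least-privilege point made in the post above; it is not code from the post, from GFD.66, or from any OGSA-AuthZ implementation. The element and attribute names (IDList/AAEntry/ProviderID, SubjectAttributeReferenceAdvice/AttributeReference/Issuer/AttributeType), the AA metadata, and the user's holdings are all assumptions chosen for the example. It models the two advice forms side by side: an AA-only list leaves the CVS no choice but to ask for everything the AA's metadata says it can issue, while an AA-plus-attribute advice lets the CVS query only the types the user asked for (and reject a request for a type the AA is not known to issue).

```python
"""Constructed demonstration of AA-only advice versus AA+attribute advice.

Not taken from the OGSA-AuthZ profile or any real implementation; all
element names, AA identifiers and attribute values below are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed AA metadata: the attribute types each AA is capable of issuing.
AA_METADATA = {
    "https://voms.example.org/": {"voms:group", "voms:role", "voms:capability"},
    "https://hr.example.org/": {"employee-id", "department"},
}

# Constructed holdings: what each AA would actually assert for this subject.
USER_HOLDINGS = {
    "https://voms.example.org/": {
        "voms:group": "/atlas",
        "voms:role": "production",
        "voms:capability": "submit",
    },
}


def build_id_list(aa_ids):
    """Hypothetical IDList-style element: names attribute authorities only."""
    root = ET.Element("IDList")
    for aa in aa_ids:
        ET.SubElement(root, "AAEntry", ProviderID=aa)
    return ET.tostring(root, encoding="unicode")


def build_attribute_reference_advice(refs):
    """Hypothetical SubjectAttributeReferenceAdvice-style element: each
    entry pairs an AA with the attribute types the user wants picked up there
    ("please pick up my attribute X from AA Y")."""
    root = ET.Element("SubjectAttributeReferenceAdvice")
    for aa, attrs in refs.items():
        entry = ET.SubElement(root, "AttributeReference", Issuer=aa)
        for name in sorted(attrs):
            ET.SubElement(entry, "AttributeType", Name=name)
    return ET.tostring(root, encoding="unicode")


def cvs_plan_queries(advice_xml, metadata=AA_METADATA):
    """CVS side: decide which (AA, attribute type) pairs to query.

    IDList carries only AA identities, so the CVS must fall back to every
    type the AA's metadata lists.  The advice element carries the user's
    selection, so only those types are queried; a type the AA is not known
    to issue is rejected rather than silently forwarded."""
    root = ET.fromstring(advice_xml)
    plan = {}
    if root.tag == "IDList":
        for entry in root.findall("AAEntry"):
            aa = entry.get("ProviderID")
            plan[aa] = set(metadata.get(aa, ()))
    elif root.tag == "SubjectAttributeReferenceAdvice":
        for entry in root.findall("AttributeReference"):
            aa = entry.get("Issuer")
            wanted = {a.get("Name") for a in entry.findall("AttributeType")}
            unknown = wanted - metadata.get(aa, set())
            if unknown:
                raise ValueError(f"{aa} is not known to issue {sorted(unknown)}")
            plan[aa] = wanted
    else:
        raise ValueError(f"unsupported advice element {root.tag!r}")
    return plan


def third_party_query(aa, attribute_types, holdings=USER_HOLDINGS):
    """Simulated AA answer to a third-party query: only the requested types
    the subject actually holds come back."""
    held = holdings.get(aa, {})
    return {t: held[t] for t in attribute_types if t in held}


def cvs_collect(plan):
    """Run the planned queries; the result is what the CVS would validate
    and hand to the PDP."""
    return {aa: third_party_query(aa, types) for aa, types in plan.items()}


if __name__ == "__main__":
    voms = "https://voms.example.org/"
    # AA-only advice: everything the VOMS AA can issue gets pulled.
    print(cvs_collect(cvs_plan_queries(build_id_list([voms]))))
    # AA+attribute advice: only the role the user asked for is pulled.
    print(cvs_collect(cvs_plan_queries(
        build_attribute_reference_advice({voms: {"voms:role"}}))))
```

Running the block prints the full VOMS attribute set for the IDList case and only the requested role for the advice case, which is the difference the post is drawing.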