Subject Re: VO challenges - article
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Thu, 22 Oct 2015 10:36:04 +0100

Hi Heather

I have read your wiki and thanks for putting it together. However, I
think you miss a fundamental point in your article, unless I have
misread it. You say that attribute release is a fundamental requirement,
but I don't see it quite that way. I don't think that IdPs will ever
release the right set of attributes for VOs. Why? Because they are
unable to. They don't know the right roles to assign to the various VO
participants in the first place. Only the VO managers know this. And
IdPs won't let VO managers update user attributes in their database. So
if IdPs don't know which attributes users should be assigned, they can
never release them, even if they were willing to.

For this reason I think we need a VO service that will allow the VO
managers themselves to assign the right roles to the VO users, and
that RPs are given the right tools to seamlessly integrate the
attributes/roles from the VO service with the authentication and limited
attribute assertions from the IdP. In this way IdPs don't need to change.
Attribute release is no longer the problem. Instead VO attribute
assignment and aggregation replaces it.

I believe that this is what COmanage and our VO work in OpenStack are
both doing.



On 21/10/2015 23:53, Heather Flanagan wrote:
> Hello all,
> I've drafted up a short wiki page on the topic of challenges in the VO
> space. Basically, it's an expansion on my presentation at the REFEDS
> meeting earlier this month at Internet2's TechX.
> You can find the write up here:
> Feedback is of course encouraged and welcomed!
> -Heather