Notes from Oct 16, 2003 OGSA-Authz Telecon (Andrew McNab, Von Welch)

Attending:
Von Welch
Bob Cowles
Andrew McNab
Markus Lorch
Rebekah Lepro
Bob Morgan
Frank Siebenlist
Mary Thompson



VW: Develop use cases for attribute document.
    Basic attributes for scientific community
    Probably small: grid specific stuff like VOs?

Mary: subgroups and roles too?
      eg NFC wants to diff between experiment groups, admininistrators
         and general VO membership

VW: enough equality across VOs

AM: VOMS has groups that you almost always have, and Roles that you have 
    to choose to pick up (in practice its rather like using a Unix machine 
    with AFS: you have a set of Unix groups and can also choose to get AFS 
   tokens associated with specific roles.)

BC and others: <Similar statements, general agreement on roles vs
attributes, usefulness of both>

Mary: have "charging" or "accounting" identity? in addition to groups

BC: Accounting ID better than Project ID, more clear.

VW: Brainstorming mode? people write what they think the Grid community 
    needs? VW will collate. Go through to try to decide what needs 
    specifying?

MT: Brainstorming likely to get too many ideas. 5.2 has a start at
this list. Clearance and Citizenship questionable

<Concensus that brainstorming bad idea>

RL: Those are important at NASA Ames.

VW: Start with list in 5.2?

ML: Would like to see capability in there, but need to define it
it in email.

MT: Start with EduPerson?

Markus: I want to describe capability more. Using role at the moment.
        Used to call it privilege, but capability clearer.

Mary: worth going through eduPerson and inetOrgPerson and identify what
      is useful?

VW: aim for If you want to express This, please do it That way.

Markus: want to be able to give other users a statement that they can
        do something

VW: quite like CAS. how to express this kind of thing: an attribute or
    something else? Attribute is abstracted so relying party can process 
    is how it likes.

Markus: problem is relying party needs to understand what to do with it.
        need infrastructure, to set up policy on resources etc. 
        Distinction between subject and resource attributes and policies.

Mary: value of capability much more complicated than of a group, but
      does that matter? need a language to express, just like conditions

Rebeka: do we have a clear concensus on how to use attributes, capabilies
        decisions etc? maybe need to redraw/clarify

AM: distinction between what's "vo level" like groups, and what needs
    understanding of resource

RL: Differientiate between what is being shipped around and how
(e.g. SAML Assertions and Statements)

<General concensus reached on difference between what is being shipped
around and how>

MT: Entitlement is authorization policy shipped in assertion.

ML: Will take on writing on entitlements section for attributes document

RL, VW: <Offers to help Markus.>

VW: Back to attributes, should we look at eduPerson?

MT: eduPerson designed for directories and not people

BC: Shouldn't constrain value of clearance, may be string or may be
more complicated.

VW: Is clearance useful if we can say what it's values are? (Lots of
people have own values already)

MT: Will flush out what is in 5.2, look at EduPerson for ideas.

End Telecon.