[OGSA-AUTHZ] Updated version of VOMS Specification

Vincenzo Ciaschini vincenzo.ciaschini at cnaf.infn.it
Thu May 11 10:06:29 CDT 2006

Blair Dillaway wrote:
> Vincenzo,
> In reading this draft I've found a few places I believe would benefit
> from some additional clarification.
> (1) 3.1.1 - "As a consequence of this, in VOMS ACs the only
> admissible choice for the field is the baseCertificateID."
> You might re-write this to say the holder field MUST include the
> baseCertificateID field and omit the entityName and objectDigestInfo
> fields. The syntax defines a sequence of 3 optional fields, not a
> choice.
But the RFC recommends that only one should be used. Done.

> (2) - "Where <root group> is by convention the name of the
> virtual organization."
> The document seems to imply this is a required encoding for
> interoperability purposes. If so, its not just a convention. You
> should clarify if this is a MUST, SHOULD, or RECOMMENDED encoding.
Right, done.
> (3) - "Future compatibility issue: It is possible that in the
> future a /Role=NULL component may be omitted in its entirety.  The
> same goes for a /Capability=NULL part.  Conforming applications
> SHOULD be prepared to handle these cases."
> The previous paragraph states "The /Capability=<capability name> part
> is deprecated....". If so, I assume conforming implementations SHOULD
> always omit the /Capability part whether or not its null. Having it
> be deprecated and noting it may disappear in the future seem to be in
> conflict.
Unfortunately, that is the besr that ca be done for the moment, since it 
should continue to be included until the software out there has has a 
reasonable chance to change its implementation not to rely on it. 
Obviously, this come free if the official APIs are used.

> Also the statement that /Role=NULL *may* be omitted in the future
> seems to be in conflict with the examples in The compact
> format shown does omit Role=NULL. If this is allowed, then the 'in
> the future' qualification should be removed. It should be stated if
> the compact format is recommended, required, or simply a supported
> encoding option.
The intent of the sentence is to state that applications interested in 
reading the date should deal with the case that the field could be empty.

> (4) - "A name-specific syntax that encodes multiple values in
> a single pair is also allowed."
> Examples of a single value and multiple value encoding would be
> helpful here. The syntax in indicates a Tag includes only a
> single name, value, and qualifier field. I assume how multiple values
> are encoded into the value field should be specified for interop
> purposes.
As said, it is name-specific, meaning that each attribute can choose its 
own way.

> Regards, Blair

>> -----Original Message----- From: owner-ogsa-authz at ggf.org 
>> [mailto:owner-ogsa-authz at ggf.org] On Behalf Of Vincenzo Ciaschini 
>> Sent: Friday, April 28, 2006 6:34 AM To: ogsa Authz Subject:
>> [OGSA-AUTHZ] Updated version of VOMS Specification
>> Hi to All,
>> This is the updated document about VOMS specification I promised
>> yesterday.
>> Apart from a few minor language clarifications, the main changes
>> are in the following sections:
>> 3.4.1  clarifications about the syntax of FQANs. 3.4.2  rewritten,
>> with a (slight) change in format. 3.5.1  explanation rewritten.
>> The previous explanation was the exact opposite of the truth. OOPS!
>> Also, the AC example in section5 has been substituted with a more
>> complete one.
>> Bye, Vincenzo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: VOMSACv7.doc
Type: application/msword
Size: 186880 bytes
Desc: not available
Url : http://www.ogf.org/pipermail/ogsa-authz-wg/attachments/20060511/eb83461d/attachment.doc 

More information about the ogsa-authz-wg mailing list