WLCG-AuthZ-WG / common-jwt-profile

A repo for the WLCG Common JWT profile document

add definition of a VO #41

Closed paulmillar closed 8 months ago

paulmillar commented 1 year ago

Motivation:

The document makes many references to VOs but neither defines what "VO" stands for nor describes what a virtual organisation is.

This is bad because the document makes a distinction between VOs (as a top-level collection of users) and groups (as non-top-level collections of users), so the definition matters.

Modification:

Modify first paragraph to use "virtual organisation" instead of VO.

Add definition of a VO.

Result:

It becomes easier to understand whether a group of people constitute a VO.

Closes: #38

msalle commented 1 year ago

I think the only thing we really need is an administrative body that has control over the scope/namespace of the attributes used in a certain token. Perhaps we can formulate the definition of VO around that, and make it much more abstract. I feel we otherwise use a lot of specifics and unnecessary baggage from the VOMS era while a more abstract definition is probably sufficient. See #28 for what I mean by scope/namespace.

paulmillar commented 1 year ago

Hi @msalle , I think you're right about "administrative body that has control over the scope/namespace of the attributes".

I think this is related to the idea of VOs having their own, independent identity. In the current definition, there are a few places that hint at this (e.g., the phrase "a group of users that are independently managed" and "A VO has well understood membership criteria, which the members of the VO manage themselves"). Perhaps we could rephrase this to make it clearer.

I'm a little nervous about defining VOs in terms of what they can do (under current technology) because 1) technology changes, and 2) I think it risks putting the cart before the horse: use-cases (along with corresponding definitions) should drive technology, rather than the other way around.

Perhaps we could phrase your "VOs have authority on asserted attributes" (if I've captured that correctly) more as a consequence of our definition of a VO?

msalle commented 1 year ago

> Hi @msalle , I think you're right about "administrative body that has control over the scope/namespace of the attributes".
>
> I think this is related to the idea of VOs having their own, independent identity. In the current definition, there are a few places that hint at this (e.g., the phrase "a group of users that are independently managed" and "A VO has well understood membership criteria, which the members of the VO manage themselves"). Perhaps we could rephrase this to make it clearer.
>
> I'm a little nervous about defining VOs in terms of what they can do (under current technology) because 1) technology changes, and 2) I think it risks putting the cart before the horse: use-cases (along with corresponding definitions) should drive technology, rather than the other way around.
>
> Perhaps we could phrase your "VOs have authority on asserted attributes" (if I've captured that correctly) more as a consequence of our definition of a VO?

I think it's kind of the reverse: I think we shouldn't try to define a VO since there are many different interpretations/meanings/definitions going around and ultimately we don't need the concept in the document (also we should not try to/don't need to reformulate the X509/RFC3820/VOMS model in terms of tokens, so we don't per se need all the old concepts). What we need is the administrative body having the authority on the asserted attributes. So maybe we can just remove the whole term VO from the document?

paulmillar commented 1 year ago

So we would update the document by adding something like

An attribute authority is a group of people who are authoritative in asserting group membership and authorisation statements. An attribute authority may have policies that restrict who can make such assertions. In several scientific communities, the attribute authority is called a virtual organisation (VO).

We would also replace all mentions of "VO" with "attribute authority".

msalle commented 1 year ago

> So we would update the document by adding something like
>
> An attribute authority is a group of people who are authoritative in asserting group membership and authorisation statements. An attribute authority may have policies that restrict who can make such assertions. In several scientific communities, the attribute authority is called a virtual organisation (VO).
>
> We would also replace all mentions of "VO" with "attribute authority".

That sounds quite reasonable. I would make it even a bit more abstract and replace "a group of people who are" with "an entity that is".

maarten-litmaath commented 10 months ago

Hi all, I have just submitted #47 with an alternative VO definition and description, for several reasons:

What do you think?

maarten-litmaath commented 8 months ago

Superseded by #47.