MSO and multiple communities

Tony Linde ael at star.le.ac.uk
Tue Jul 6 06:14:49 PDT 2004


> Suppose user U joins community A. Service providers X and Y 
> trust A, therefore accept requests from U(A). Service 

I'm not sure I know what you mean by trust. 

I would have thought trust was to do with authentication. You authenticate
yourself to the server to which you sign on and rely on that server being
trusted by downstream servers.

If you mean privileges, these reside in the groups. If a person is a member
of a group then they have the privileges of that group. That may include
access to data, storage rights at a given location etc.

How a (data, storage, etc) service knows that it can trust some request that
says that the person belongs to a privileged group is another issue, but it
still has nothing to do with communities.

Cheers,
Tony. 

> -----Original Message-----
> From: owner-grid at eso.org [mailto:owner-grid at eso.org] On 
> Behalf Of Guy Rixon
> Sent: 06 July 2004 13:52
> To: Tony Linde
> Cc: grid at ivoa.net
> Subject: RE: MSO and multiple communities
> 
> Pure SSO has a problem if service providers are picky about 
> which communities they trust.
> 
> Suppose user U joins community A. Service providers X and Y 
> trust A, therefore accept requests from U(A). Service 
> provider Z doesn't trust A but does trust community B. 
> Therefore, U joins B as well and Z accepts requests from 
> U(B). U then needs to combine X, Y and Z in one workflow and 
> therefore needs to be U(A) and U(B) at the same time.
> 
> 
> On Tue, 6 Jul 2004, Tony Linde wrote:
> 
> > Is there any reason why we would want to implement MSO?
> >
> > To my mind it adds nothing that cannot be achieved with groups since
> > anyone can be made a member of a group regardless of the community to
> > which they first registered. And it introduces the complexity of
> > trying to recognise where multiple accounts belong to the same person
> > and reconciling the privileges associated with each account.
> >
> > There won't be anything to stop a person having more than one account
> > but if they do so they can only use the privileges associated with
> > their sign-on account - under SSO that is. I suppose that if there is
> > a later need for MSO recognised then it is something that can be added
> > onto the VObs standards.
> > But if we implement MSO, there'll be no going back to SSO - and it'll
> > take a lot more to design it right and get it working I would have thought.
> >
> > Can anyone think of use cases which demonstrate an advantage to MSO?
> >
> > > to federate communities and to allow credentials for an SSO session
> > > to be collected from more than one server.
> >
> > How do these relate to SSO vs MSO? (My apologies if these have already
> > been discussed - I've been tied up recently - point me at past threads
> > if so.)
> >
> > Cheers,
> > Tony.
> >
> > > -----Original Message-----
> > > From: owner-grid at eso.org [mailto:owner-grid at eso.org] On Behalf Of 
> > > Guy Rixon
> > > Sent: 06 July 2004 12:17
> > > To: grid at ivoa.net
> > > Subject: MSO and multiple communities
> > >
> > > In light of Tony's last message, I ask the group whether we are to
> > > proceed with the abilities to have accounts at more than one
> > > community, to federate communities and to allow credentials for an
> > > SSO session to be collected from more than one server. If not, then
> > > the nature of the system is changed; some processes are simplified
> > > and some are made impossible.
> > >
> > > I don't mind changing tack if there is consensus, but I need to know
> > > which way we're going before I finish the SSO document-set.
> > >
> > > Cheers,
> > > Guy
> > >
> > > Guy Rixon                                 gtr at ast.cam.ac.uk
> > > Institute of Astronomy                    Tel: +44-1223-337542
> > > Madingley Road, Cambridge, UK, CB3 0HA    Fax: +44-1223-337523
> > >
> >
> 
> Guy Rixon                                 gtr at ast.cam.ac.uk
> Institute of Astronomy                    Tel: +44-1223-337542
> Madingley Road, Cambridge, UK, CB3 0HA    Fax: +44-1223-337523
> 
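
The U(A)/U(B) scenario from the quoted message, modelled as an added example that is not part of the original thread or of any IVOA code. The trust table is constructed from the scenario, and the function names are hypothetical; the code checks which providers refuse a single sign-on identity and finds the smallest set of community accounts a workflow needs.

```python
from itertools import combinations

# Constructed trust table from the scenario in the thread: the communities
# whose identity assertions each service provider accepts.
TRUSTS = {"X": {"A"}, "Y": {"A"}, "Z": {"B"}}


def rejected_under_sso(workflow, signon_community, trusts=TRUSTS):
    """Pure SSO: one sign-on identity is used for the whole workflow.
    Returns the providers that would refuse U(signon_community)."""
    return [p for p in workflow if signon_community not in trusts[p]]


def minimal_identities(workflow, memberships, trusts=TRUSTS):
    """Multiple sign-on: smallest set of the user's community accounts such
    that every provider in the workflow trusts at least one of them.
    Returns None when no combination of the user's accounts is sufficient."""
    if not workflow:
        return set()
    pool = sorted(memberships)
    for size in range(1, len(pool) + 1):
        for combo in combinations(pool, size):
            chosen = set(combo)
            if all(trusts[p] & chosen for p in workflow):
                return chosen
    return None


def credential_plan(workflow, identities, trusts=TRUSTS):
    """Which identity to present to each provider. Ties are broken
    alphabetically (an arbitrary choice made for this example)."""
    return {p: sorted(trusts[p] & identities)[0] for p in workflow}


if __name__ == "__main__":
    wf = ["X", "Y", "Z"]
    print("Signed on as U(A), refused by:", rejected_under_sso(wf, "A"))
    print("Signed on as U(B), refused by:", rejected_under_sso(wf, "B"))
    needed = minimal_identities(wf, {"A", "B"})
    print("Identities needed at once:", sorted(needed))
    print("Per-provider credential:", credential_plan(wf, needed))
```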


