MSO and multiple communities

Guy Rixon gtr at ast.cam.ac.uk
Tue Jul 6 07:59:55 PDT 2004


On Tue, 6 Jul 2004, Dave Morris wrote:

> Guy Rixon wrote:
>
> >>However, there is a usability problem with this model.
> >>a) The user needs to be aware of what membership warrants are required
> >>for which actions and selects them when designing a workflow.
> >>
> >>
> >
> >This would be a policy look-up on the registry.
> >
> >
> Yep, not a technical problem, more of a usability one,

Maybe not for end users.  The user agent (e.g. web-portal session, not web
browser) should hide this.  End users don't see it.  User-programmers might.

> > [words about pull models for warrants]
> >
> Yep, I haven't figured out a way to avoid this.
> As long as the messages are small and the response is quick, then is
> this really a problem?

It's OK so long as the community services are rarely off-line.  A bit of
caching at the enquiring services might help.

> >Con: user agent has to associate the same key pair with all the communities
> >=> user agent has to log in to each community at the start of the session
> >=> user agent has to know which communities are relevant.
> >
> >
> Not sure what you mean here.

The message to the service is signed with a private key.  The matching public
key has to appear in all the warrants, otherwise they are not applicable to
that message.  That means that the user agent has to log in to all the
communities at the start of the session and arrange to use the same public key
for that session. It's not a showstopper.

BTW, Shibboleth uses the pull system and we'd be part way to Shib
compatibility if we had one too.  (Except that Shib uses SAML.)  But
Shibboleth has one big difference: it assumes that there is a user present
with a web browser s.t. the system can prompt for sign-ons as needed.  That
doesn't work for our web services.


Guy Rixon 				        gtr at ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
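
An added example, not part of the original message and not the project's code: a sketch of the rule described above, that every warrant must name the public key that signed the message, combined with the pull-and-cache idea. The warrant fields (`key_fp`, `expires`), the community names and the 300-second cache lifetime are assumptions, and signature checks on the message and on the warrants are taken as already done.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    """Identify a public key by the SHA-256 of its encoded bytes."""
    return hashlib.sha256(public_key).hexdigest()

class WarrantCache:
    """Pull warrants from community services, caching them for ttl seconds."""
    def __init__(self, pull, clock, ttl=300):
        self.pull, self.clock, self.ttl = pull, clock, ttl
        self._cache = {}  # (community, key fingerprint) -> (warrant, fetched_at)

    def get(self, community, key_fp):
        hit = self._cache.get((community, key_fp))
        if hit and self.clock() - hit[1] < self.ttl:
            return hit[0]                      # fresh cached copy, no network call
        try:
            warrant = self.pull(community, key_fp)
        except ConnectionError:
            return None                        # off-line and nothing fresh: fail closed
        if warrant is not None:
            self._cache[(community, key_fp)] = (warrant, self.clock())
        return warrant

def missing_warrants(message_key: bytes, required, cache):
    """Communities lacking a live warrant naming the key that signed the message."""
    key_fp = fingerprint(message_key)
    def live(w):
        return w is not None and w["key_fp"] == key_fp and w["expires"] > cache.clock()
    return [c for c in required if not live(cache.get(c, key_fp))]

def demo():
    """Constructed scenario: the agent used the session key at A, another key at B."""
    session_key, other_key = b"constructed-session-key", b"constructed-other-key"
    issued = {("A", fingerprint(session_key)), ("B", fingerprint(other_key))}
    offline, now = set(), [0.0]
    def pull(community, key_fp):               # stands in for the community service
        if community in offline:
            raise ConnectionError(community)
        return {"key_fp": key_fp, "expires": now[0] + 3600} if (community, key_fp) in issued else None
    cache = WarrantCache(pull, clock=lambda: now[0])
    results = [missing_warrants(session_key, ["A", "B"], cache)]   # B never saw this key
    issued.add(("B", fingerprint(session_key)))                    # agent logs in to B too
    results.append(missing_warrants(session_key, ["A", "B"], cache))
    offline.update({"A", "B"})                                     # both communities go down
    now[0] = 100                                                   # still inside the TTL
    results.append(missing_warrants(session_key, ["A", "B"], cache))
    now[0] = 400                                                   # outage outlasts the TTL
    results.append(missing_warrants(session_key, ["A", "B"], cache))
    return results
```

`demo()` returns the missing communities at each step: B is missing until the agent logs in there with the session key, a short outage is covered by the cache, and a longer one leaves both communities missing.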
