<div dir="ltr"><div>Hi Giuliano and all,</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Dec 5, 2019 at 8:58 AM Giuliano Taffoni <<a href="mailto:giuliano.taffoni@inaf.it">giuliano.taffoni@inaf.it</a>> wrote:</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
In practice, I expect that on Site A a user delegates its credential to a service that then contacts a GMS on Site B. The GMS extracts from the CDP (actually X509 based) the identity (dn) and authorizes the service to search for groups.<br>
That means that the GMS at site B is aware of the user identity to proceed with the authentication. Am I right?<br></blockquote><div><br></div><div>In your example, I don't think site B needs to be aware or interpret the identity of the calling user. It knows the user has authenticated (that's inherent with client certificates) and now only needs to ask its GMS implementation about the group memberships for the DN representing that user. So, as long as site B trusts the user's certificate signing authority then no prior arrangements between the two sites need to be made.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
I am a bit sceptical in implementing (or proposing ) a standard that requires a predefined trust arrangement, so method 2.<br></blockquote><div><br></div><div>Yes, me too. And since we haven't heard from working group about this it seems it's not likely a required use case.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Then it is not clear to me is what happens if we keep Method 2 as it is (i.e. optional), should we provide anyway the identity and the identityType which as you said it is not part of this specific document?<br></blockquote><div><br></div><div>Yes I would say that another standard would need to address how user identities are described.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
On the other side, if we rely on CDP identity, it is mandatory to start working on a new CDP standard that provides support also for other methods than X.509. And in my opinion, this is where we should put some efforts.<br>
<br>
So I am in favour of:<br>
Method 1 is mandatory and recommended and only<br>
Client services must implement CDP.<br>
We work to extend CDP capabilities (who? :-) )<br></blockquote><div><br></div><div>I think you're right about this, and it will allow us to move forward with the working draft. Could you please add this to the agenda for Thursday's telecon?</div><div><br></div><div>Cheers,</div><div>Brian</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
<br>
> On 17 Oct 2019, at 18:54, Brian Major <<a href="mailto:major.brian@gmail.com" target="_blank">major.brian@gmail.com</a>> wrote:<br>
> <br>
> Dear GWS,<br>
> <br>
> At the interop in Groningen I presented the current state of the Group Membership Service (GMS) working draft. In that presentation I explained how a decision on the inclusion of the "identity" parameter was necessary, what the important factors are to consider, and what the inclusion of the parameter would likely entail. I'll summarize that information here.<br>
> <br>
> We would like to hear your opinions on this so we can work toward moving this to RFC.<br>
> <br>
> The slides explaining the situation are here: <a href="https://wiki.ivoa.net/internal/IVOA/InterOpOct2019DAL/GMS.pdf" rel="noreferrer" target="_blank">https://wiki.ivoa.net/internal/IVOA/InterOpOct2019DAL/GMS.pdf</a><br>
> <br>
> But I'll explain it again in this email so we can discuss.<br>
> <br>
> The minimal REST API to GWS to support interoperable authorization is this:<br>
> <br>
> GET to /gms/search - to get the list of groups for which "the user" is a member<br>
> GET to /gms/search/{groupURI} . - check to see if "the user" is a member of the group identified by {groupURI}.<br>
> <br>
> Where "the user" is the subject of the membership inquiry. (referred to now as the "subject")<br>
> <br>
> The WD describes two methods of identifying the subject:<br>
> <br>
> 1. From the identify of the user making the call to the API, according to one of the supported authentication mechanisms in SSO 2.0.<br>
> 2. From the identity conveyed by the (currently optional) API parameters "identity" (and "identityType" -- see below [1]).<br>
> <br>
> In the current WD, support for method 1 is mandatory and recommended for two reasons:<br>
> <br>
> A. Information privacy -- who (besides the subject) should be allowed to see group membership information? It probably should not be public information, which implies only a certain set of privileged users should be allowed to use the identity parameters (method 2). (More on this is in the slides.)<br>
> <br>
> B. Avoiding inter-institute trust arrangements -- Following reason A: If a GMS implementation only supports method 2, the list of 'privileged users' from other institutes whom are allowed to call GMS would have to be identified and maintained. This arrangement is essentially a trust relationship between centres. In this scenario, a GMS client would not be able to dynamically look up a GMS service in the registry and use it without first having an agreement in place.<br>
> <br>
> GMS is of most use by other services that have resources that are only available to members of a certain group. Thus, to use method 1, these services must be able to act on behalf of their calling users. This is achieved by the processes described in the Credential Delegation Protocol (CDP). [2]<br>
> <br>
> So, what should be the stance on these two approaches?<br>
> <br>
> Interoperability between institutes implementing only method 2 can probably not be achieved "at runtime" (because of information privacy) without predefined trust arrangement. Although, once in place, the standard protocol becomes useful.<br>
> <br>
> Method 1 requires that client services of GMS employ CDP.<br>
> <br>
> Perhaps the current state of the WD is correct? It says: Method 1 is mandatory and recommended. Support for method 2 is optional. Client services must implement CDP.<br>
> <br>
> Finally, if method 2 remains in the WD (optional or not), the representation of identities that are to be in the 'identity' parameter would be exposed in the API and thus need to be fleshed out. That standardization (in my opinion [3]) would need to go into a different document. The document would describe a simple identity model, serialization, and perhaps a schema. Thoughts on this would be appreciated as well.<br>
> <br>
> Thanks for reading. Regards,<br>
> Brian<br>
> <br>
> <br>
> [1] If we choose to support the identity and identityType parameters they will be consolidated into a URI where the schema conveys the type of identity being described. Something like "token:kjd87aj2ljg8lhs" or "x509:cn=user,ou-=university,c=canada".<br>
> <br>
> [2] Current CDP REC version 1.0 is based on X.509, but there seems to be agreement that support for OAuth2 tokens could be added in the next version.<br>
> <br>
> [3] The experience of building other standards has shown that it is wise to separate the model from the services so they can evolve separately.<br>
<br>
</blockquote></div></div>