Re: [ggf-ogsa-sec-wg] VO consideration
"Takashi Kojo" <kojo@isd.nec.co.jp>
wrote on 2002/10/29 09:12:00:
> Phil,
>
> >> - What would be real organization (RO) policy/trust and VO policy/trust?
> > Quite similar in abstract syntax and semantics but bearing on different objects with
> > different scope in practice.
> > Just as a security officer in some RO could set policies like users in (previously defined)
> > group G or with (previously defined) attribute A have access to resources in (previously
> > defined) pool P, so could a security officer in the same RO involved in a VO V set
> > policies that (external) users with membership in V are authorized to access local resources
> > in the (previously defined) pool Pv. Each RO security officer can define which of his real
> > local users and resources are cleared to be in V.
>
> I understand this far.
>
> I tentatively distinguished RO from VO, but are they essentially different or
> not at certain level? Assuming they have common class at certain level,
> we could recursively construct a VO from combination of some VOs.
>
> Kojo
>
Yes, I believe there are some conceptual differences between RO and VO.
A RO owns physical assets and retains control over them,
whereas a VO can only gain access to physical resources owned by ROs.
A VO would typically not own any resources of its own.
Similarly, ROs register real users directly whereas a user can join a VO
only after it is registered with one of the ROs participating in the VO.
I suppose you could envision recursively building VOs out of ROs.
I just do not know at this stage whether this is required and for what scenario.
It may well be needed for generic inter-grids but I have not thought that far.
In any case, all these concepts are purely thought provocation at this stage.
There is no doc anywhere that defines ROs and VOs as we have been talking about.
These are so far pure constructions of our imagination for discussion only.
Phil