Re: [ggf-ogsa-sec-wg] VO consideration
Philippe Janson wrote:
>
> Von Welch <welch@mcs.anl.gov> wrote on 2002/10/29 16:38:42:
>
> > > Similarly ROs register real users directly whereas a user can join a VO
> > > only after it is registered with one of the ROs participating in the VO.
> >
> > I think this depends on the policies of the ROs and is not
> > inherent. Some ROs today require users to be registered at their
> > site, regardless of any other registrations that user might have in
> > the VO. But I could envision ROs that would be willing to trust the VO
> > to register users or just don't care how/if the user is registered as
> > long as they can bill the VO for usage.
> >
> > Von
> >
> That sounds credible indeed. Thx. Phil

Well, I'm going to somewhat disagree with my colleague and with Von.

I do agree that one RO in a VO may agree to accept users from
other ROs in the same VO without local registration. There are
ways to make that safe.

However, I can't see how a VO can fail to be rooted in a set of ROs,
and I can't see how a user can affiliate to a VO without an initial
affiliation to an RO.

(In a true intergrid model, that RO might just be a credit card company
or a phone company, but somewhere the user's identity must be tied back
to a trustworthy RO.)

I do agree that one service offered by a VO might be a user account
setup service, but even then a new user will have to bootstrap
his/her identity from an RO. Until we get anonymous cash on the Internet,
at least.

Brian

P.S. Just getting back to this thread after 3 weeks interruption caused
by the IETF.