There is masses of experience with using VOs today. They have been in
existence for nearly a decade and are well used. STFC runs a national
VOMS service for the UK so we can ask them for example.

VO (or community if you prefer to call it that) boundaries already exist
and are not set by political issues as far as I am aware, but by
practical issues and the requirements of groups of people to use groups
of resources in a secure way. So we don't need to wait around to find out
how people might use CoIs in Moonshot in the future. We can ask the grid
community today how they use VOs and have used them for the past decade.
And based on these requirements we can decide whether CoIs should be
designed to support existing VO functional requirements. Or not, in
which case VOs will need to be layered on top of CoIs.

I am working on the assumption in our OpenStack implementation, that
CoIs will not equate to VOs and that VOs will need to be layered on top
of CoIs because an OpenStack cloud service will need to support multiple
virtual organisations, and if it can only be a member of one CoI, then
VOs will need to be layered on top of this.

regards

David

On 12/12/2013 20:41, Sam Hartman wrote:
>>>>>> "David" == David Chadwick <[log in to unmask]> writes:
>
> David> number of reasons: i) A CoI comprises IDPs and SPs. This
> David> granularity is too large. A VO comprises a subset of users
> David> from an IDP, not all of the IDP's users. A VO may comprise a
> David> subset of the resources held by an SP, not all its resources.
>
> It's true at the trust router layer that a COI is defined in terms of
> realms. I'd expect people would tend to build layers on top of that
> with better granularity.
>
> David> So, questions to this group are:
>
> David> 1. Do we agree that CoIs and VOs are different concepts?
>
> No.
>
> David> 2. Do we wish to limit SPs to only be members of a single
> David> CoI, and if so, why?
>
>
> It would be nice if a SP could be part of multiple communities.
> In general, I don't think this will be possible, nor does our technology
> particularly support it.
>
> I do think this will influence how people draw community boundaries.
> I do think that mapping existing VOs into Moonshot will work poorly in
> part because of this.
>
> If it turns out that political issues force community boundaries that
> work very poorly for this choice then we'll end up regretting the
> choices that make it difficult for an SP to belong to multiple
> communities more than if that ends up working out differently.
>
> I don't think we have enough information to know how people will draw
> community boundaries yet.
>