
Re: Damage control

It's through feedback like this that we can enhance the existing tools and services, so first thanks for raising the problem and letting us know of the issues for your users.
We are now following up the issue in detail through the GGUS user support tool (the helpdesk is the tool to be used to get specialized support from the operators and the software providers), but I would like to touch upon a broader topic that is relevant to the incident you reported, which is the current membership renewal policy and its support in VOMS.


Membership renewal and reaffirmed approval of the AUP are two distinct aspects. I'll just focus on the first, which is where the incident started.

VO membership is one of the main pillars on which secure access to resources rests.

Secure access to resources is very important to both our users who need access to resources, and to the managers of those resources who are responsible for resource access authorization, and for providing a secure environment to resource users. We also need to support VO managers, who need policies, procedures and tools that can support VOs regardless of their scale.

The policy for membership renewal is defined in the VO membership management policy. Having been in place for several years, it takes on board the interests of both consumers and providers of resources, so that access is provided to users who are truly authorized by their research community. You are right in saying that while providing a secure environment, VO management procedures should give access to authorised users as simply as possible.

The current VO membership renewal policy says that the renewal process must include:
1. "Confirmation, by the VO Manager, that continued membership of VO is still allowed".
2. "Confirmation or update of all data provided during registration and all special authorisations"
3. "Reaffirmed acceptance by the user of the Grid Acceptable Use Policy and the VO Acceptable Use Policy."
4. "Membership of the VO must be renewed at least every 12 months. Additionally all members of the VO should renew following a major change to the Grid Acceptable Use Policy".

Point (1) implies that a user does not decide by themselves to extend membership: the responsibility for deciding if membership can be extended is owned by the VO manager. For example, users of an expired project/collaboration may no longer be authorized to access resources, and the VO manager needs to confirm which users are still authorised members. How to improve this?

Both the policy and the tools implementing it may be revised.
- The policy could be changed so that duration of membership is no longer mandatory (point 4), but is configurable by the VO manager (the default could still be 12 months). Discussion of such a change would need to involve resource providers, users and security experts.
- Even with the existing policy, the mechanism for membership renewal could be improved. Renewal of membership could be triggered by the user instead of the VO manager. By notifying the user about the expiring membership (for example 2 weeks before the deadline), users interested in extending the membership could notify the VO manager by re-signing the AUP. Then, the VO manager could be notified about users willing to extend the membership, and could accept/reject requests.
- The default time to accept a new AUP in the tool could be extended from 24 hours to something like 2 weeks (but the time is already configurable in VOMS admin system and the VO managers may already extend this time if they wish to give users more time to respond).
- Search of suspended users for revocation of suspension should be supported by the tool.

These are some ideas on how to improve membership renewal. I'm sure other approaches/solutions are also possible. I suggest we discuss this with other Virtual Research Communities, the security policy group and the developers, so that we can reach community consensus on how to improve the user experience while maintaining secure access to the resources.

Tiziana

