[caops-wg] Re: [TG-SECURITY] Draft Proposal for AuthZ workshop at GGF16
Alan Sill
Alan.Sill at ttu.edu
Mon Dec 5 09:02:02 CST 2005
FYI, this has also been discussed extensively in an OGSA-WG - AuthZ-WG
joint teleconference -- see minutes attached. Action items from that
meeting include another teleconference in 2 weeks (Dec. 19), and a
request from the OGSA-WG to have people attend a January face-to-face
with some coverage on that topic. Frank Siebenlist is planning to
attend the latter meeting, as far as I know.
My take on this is that we are or have the opportunity to be in good
communication with the standards community on this topic, that the
standards to be discussed are those of language and interoperability
(e.g SAML 2, XACML 3) and not those of specific implementations or
schema, but that increased participation from e.g. the privilege
project and VOBox - oriented community is necessary to work in the
direction of an attribute-based authorization standard that fits our
usage model.
Having people participate in these discussions can raise them from the
dead, and make it possible to work towards an attribute-based
authorization standard with wide acceptance that can be as accepted as
our authentication standards and lay the groundwork for future
interoperability efforts with other such projects. Further
participation by everyone is welcome.
Alan
From: hiro.kishimoto at jp.fujitsu.com
Subject: [OGSA-AUTHZ] [Fwd: [ogsa-wg] Teleconference minutes - 21
November 2005]
Date: November 22, 2005 2:44:10 AM CST
To: ogsa-authz at ggf.org, andreas.savva at jp.fujitsu.com
Hi all,
OGSA-AuthZ and OGSA-WG joint call minutes attached.
Thanks to Alan Sill and Andreas Savva for taking notes.
--
Hiro Kishimoto
From: Andreas Savva <andreas.savva at jp.fujitsu.com>
Date: November 22, 2005 2:20:12 AM CST
To: "'ogsa-wg'" <ogsa-wg at gridforum.org>
Subject: [ogsa-wg] Teleconference minutes - 21 November 2005
Minutes attached. Thanks to Alan Sill for his excellent notes of the
AuthZ discussion.
https://forge.gridforum.org/projects/ogsa-wg/document/minutes-20051121/
en/1
--
Andreas Savva
Fujitsu Laboratories Ltd
OGSA Teleconfererence - 21 November 2005
========================================
* Participants
Pete Ziu (Northrop Grumman)
Von Welch (NCSA)
Alan Sill (Texas Tech Univ.)
Frank Siebenlist (ANL)
Andreas Savva (Fujitsu)
Takuya Mori (NEC)
Mark Morgan (UVa)
Tom Maguire (EMC)
Fred Maciel (Hitachi)
Hiro Kishimoto (Fujitsu
Dave Berry (NeSC)
Michael Behrens (R2AD, LLC)
Apologies: Ellen Stokes
Minutes: Andreas Savva, Alan Sill
* November 16 minutes approved with no changes
* OGSA AuthZ Joint Call
** Background
Alan described OSG, EGEE and made mention of GridShib efforts, and
the desire to support a more standards-based approach to
attribute-based authorization. A strong desire exists both within
the user communities and at the funding agency level, he believes,
for a standards-based approach to authorization that can
interoperate with and be complementary to the existing
standards-based approach to CA operations being taken by the
CAOps-WG and the PMA technical community. (cf. http://gridpma.org
for the IGTF = International Grid Trust Federation and its member
organizations.) He also noted that there is ongoing research and
work being done to extend and supplement the "classic PKI"
authentication profile, for example with the Short-Lived Credential
Service (SLCS) profile being considered by TAG PMA (The Americas
Grid PMA) and about to come up for voting there.
** Future directions (OGSA services, federated authentication)
Frank said most important task is to come up with an improved
authorization query interface. The present one is based on SAML
1.1 and lacks features needed to communicate easily such
attributes as groups and roles. Version 2 of the OGSA AuthZ
specification needs to define interfaces so such attributes can be
communicated more easily. The hope is to leverage part of the work
done in the OASIS XACML TC for the XACML 3.0 spec. (Frank is a
member of the TC.) The TC has come to some agreement on how to
proceed and is preparing to write up WSDL, etc. Ideally this could
be used as is provided it fits the Grid requirements.
At the last GGF, the two groups had separate face-to-face meetings
at the same time, which interfered with progress. Alan noted that
there was good attendance at the AuthZ GGF15 wrap-up meeting,
nonetheless.
Von Welch agreed with the above summary of priorities, but noted
that there is a need for far more people and fresh blood. Alan
added that he would like to see representation from at least 3
communities: the OSG Privilege Project authors, the LCG Joint
Security Group, and members of the Shibboleth community who are
interested in working in the direction of international
standards.
Hiro asked what would be required to use the XACML v3 query i/f
with the OGSA WSRF BP. Frank and Tom agreed that the XACML i/f
would be complementary to the BP and it should be possible to
compose the two. There is no reason to have a WSRF-specific XACML
i/f.
Hiro asked whether standardizing on the schema or alternatively on
a language for defining attribute characteristics is preferable.
Alan responded that from his point of view, the latter (an
attribute language) is preferable, as schema can become outdated
and attribute spaces are by their nature extensible, and that a
possible reason for failure of previous AuthZ efforts might be due
to attempts to overly specify the schema. (Since it is not possible
to do an exhaustive definition of the attributes.)
** OGSA-AuthZ WG status update (specs)
- Is there a plan to produce a new version of the Attributes
specification?
It is important for people who are implementing this specification
to come forward and join the discussion. The WG has to see what is
being adopted and what needs to be done before moving forward.
Alan volunteered to take this discussion to VOMS and try to get
people to join.
- What is the status of the submitted AuthZ documents?
The Attributes document completed its public comment period and
was returned back to the authors for revision.
There was some uncertainty on the call whether this document was
pulled out of the process altogether or whether it was going to
move forward after changing its type to Experimental.
There was also an issue with making it WSRF based, or combinable
with the OGSA WSRF profile.
Von will check the status of this document.
** Next steps
Hiro suggested to have another joint call in Dec.; it was set for
the OGSA call on Dec. 19 (Mon.).
Hiro also asked whether AuthZ WG members can attend the next OGSA
F2F in Sunnyvale in January (week of 16).
- It was pointed out that the AuthZ specific discussion is likely
to be occupy a very small slot (1-2 hours) during the 5 day
meeting.
- Frank Siebenlist will attend in person.
- Von and Alan may join by phone if it is not possible to attend
in-person.
Agreed to advertise both the joint call and the F2F and try to get
wider participation.
* Profile Definition Review
- Tom changed his Affiliation.
- Consensus on the call not to add implementation status examples.
- Agreed that the change from "In other words" to "For example" in
the last sections and related changes in wording are appropriate.
- Other minor wording changes.
Tom will accept all changes, post a new draf and announce a final
call to list, lasting to next week Wednesday. (This is to allow for
people who may be on holiday this week.)
Tom will also reply to comments on the public forum.
* Security Profile - Secure Channel Review
- Using version sent out by Hiro to the list.
** Tracker review
(Numbers correspond to tracker artifacts)
- 1657: added; close.
- 1658: MLS is dropped; close.
- 1659: No problem using SSL; close.
- 1662: Checked that there are no significant changes that affect
this profile; updated; fixed.
- 1663: Updated to remove dependency; fixed.
- 1685: Added secure channel definition: fixed
- Does any part of this definition imply encryption? Yes,
integrity does.
- 1697: Revised the list but the explanatory text still needs work
to make clearer what the profile is doing. It is ok to combine
some of these items if it will make the explanation easier.
- Takuya to draft some text and review with Andreas
- 1698: Strictly speaking the features described in section 3.4 and
section 4 are orthogonal to the rest of the profile. Tokens, and
the key exchange mini-specification would apply to both TLS and
MLS.
- If this text is left here then the MLS profile would have to
depend on this profile; or worse, duplicate the same text.
- Frank proposed that if these sections are needed in general then
it might be worth deleting these sections from the Secure
Channel Profiel and adding them to the WSRF Basic Profile.
- Agreed, in principle, to remove the sections from this spec. and
discuss how to make them apply to any profile.
- Andreas proposed that these sections should be part of a Basic
Security Profile and that Profile could then be combined with
the WSRF BP or be referenced by the Channel profiles. The Claim
URI mechanism defined in the WSRF BP allows multiple Security
profiles to be composed with it so there would be no problem
with this approach.
- Hiro proposed that such a Basic Security Profile could also
serve as an 'anonymous' channel profile (one that makes no
statements on channel security) and could also solve the problem
of having a separate, essentially empty, profile document with
no security statements.
- Andreas was tasked to write up the proposal for splitting up the
Secure Channel Profile and send it to the list to collect
feedback from stakeholders not on the call.
* UML Tool Choice
- No opposition on the list or the call for the Rational choice.
- Agreed that there are a couple of things that need to be cleared
up, and until that time the choice is still tentative.
- Hiro to follow up with Ellen on the IBM liaison and with the GGF
Office and make sure that we can use the tool for GGF work.
- Mike proposed that CDs should be made available at the next F2F.
* OGSA 1.5 review
- Postponed due to lack of time.
* Next call
- OGSA 1.5 review
- Basic security profile discussion
On Dec 5, 2005, at 2:37 AM, Frank Wuerthwein wrote:
> Hi Bob,
>
> GGF16 at Athens overlaps with chep06 in Mumbai.
> We have two accepted talks in Mumbai, one on authz for CE and one on
> authz for SE,
> both including role based authentication.
>
> We also recently (at the Ultralight meeting at Caltech) discussed
> future use of the saml callout
> for obligations related to networking, in addition to the ones for CE
> & SE. We settled on a
> tentative schedule of late spring for work in this area, if I recall
> correctly. Rick Cavenaugh (UFL)
> would probably know for sure what we agreed on as tentative schedule.
>
> Present status on OSG, the role based authz is deployed for CE at many
> places, and for SE
> at one place, UCSD. It's been deployed in the production installation
> of dcache for cms during
> LHC service challenge 3. Though, I'm not certain that the cms sc3
> data was written using a cert with a role.
> Abhishek can comment on that.
>
> It's not clear to me what level input would be apropriate on these
> things for GGF16.
>
> Thanks, frank
>
> Cowles, Robert D. wrote:
>
>> FYI
>>
>> -----Original Message-----
>> From: Kelsey, DP (David) [mailto:D.P.Kelsey at rl.ac.uk] Sent:
>> Wednesday, November 30, 2005 8:39 AM
>> To: Åke Edlund; Dane Skow; Cowles, Robert D.; Olle Mulmo; David
>> Groep; Von Welch
>> Subject: RE: MWSG in Amsterdam
>>
>> Dear All,
>>
>> Well. I submitted a proposal via the GGF16 web form. I attach what I
>> submitted. Its far from perfect and I apologise that there was not
>> enough time to discuss this with you before it went in. I am sure
>> there will be many suggestions and complaints about what I said.
>> So... Please provide these now and we can update our plans during the
>> next 10 days.
>>
>> Dane and Olle... Please can you lobby in appropriate places to
>> increase our chances of success?
>>
>> I am on leave now until Tuesday 6th December so don't expect instant
>> replies from me.
>>
>> Best regards
>> (and thanks for agreeing (silently) to co-organise. If you wish to
>> remove your name please also shout!)
>> Dave
>>
>> ----------------------------------
>>
>> GGF16 Community Program Proposal
>> D Kelsey
>> 30 Nov 2005
>>
>>
>>
>> Proposers Name David Kelsey
>> Affiliation CCLRC Rutherford Appleton Laboratory, UK
>> email address d.p.kelsey at rl.ac.uk
>> Proposed title Grid Authorization - Interoperability here and now
>> Session type Workshop
>> Proposed Duration Half-day
>> Target audience Technical experts and interested parties.
>> Estimated number of attendees 50 (hopefully more)
>>
>>
>> Abstract
>> ----------------
>> This workshop will consider short-term (now and next two years) Grid
>> Authorization and Policy implementations, requirements and issues. It
>> will investigate what improvements can be made to encourage and
>> facilitate interoperability between Grid operational infrastructures.
>> It will also consider lessons learned from today's implementations
>> for the Grid security standards activities
>> in GGF for the longer-term future.
>>
>> Synopsis
>> ----------------
>> This is very much a draft. There has not been enough time to discuss
>> with co-organisers. Apologies. We plan to provide a better/proper size
>> version by 9th December. Dane Skow encouraged me to submit now to meet
>> the deadline with this incomplete plan.
>> The following people are currently co-organizers of this workshop.
>> More
>> may volunteer later. The push has come from the GGF Security Area. We
>> would like to find some co-organizers from the application communities
>> and Grid operations.
>>
>> Bob Cowles (SLAC and OSG Security co-chair)
>> Ake Edlund (KTH and EGEE Director of Security)
>> David Groep (NIKHEF and IGTF chair)
>> David Kelsey (CCLRC and LCG/EGEE Joint Security Policy Group chair)
>> Olle Mulmo (KTH and GGF Security Area Director)
>> Dane Skow (FNAL and GGF Security Area Director)
>> Von Welch (NCSA and Globus Alliance)
>>
>> The goals of the workshop are as described in the Abstract.
>>
>> Target audience
>> Technical experts and interested parties.
>> Grid security developers, Grid deployers (operational infrastructures)
>> and Grid users (application communities)
>>
>> Background. Much effort has been put into the work on Grid
>> Authentication,
>> culminating in the successful launch at GGF15 of the International
>> Grid
>> Trust Federation (IGTF). The work of IGTF and its three regional
>> Policy
>> Management Authorities ensures that Grid Users can obtain a single
>> electronic identity (X.509 certificate) and use this on any Grid
>> infrastructure which has decided to use the CA's from IGTF. Grid
>> Authorization is much less mature. Many large-scale application
>> communities (VOs) are global in nature and have the need to access
>> multiple Grid infrastructures. While Authentication is performed at
>> the
>> employing institute level, the Authorization (AuthZ) assertions need
>> to
>> be controlled at the VO level. The VO (global) policy assertions then
>> need to be combined with local (site-level) policy specifications
>> before
>> an Authorization decision can be made and enforced. There is a very
>> important requirement for interoperability in AuthZ between Grids in
>> terms of protocols and evaluation of the AuthZ/Policy assertions so
>> that
>> different implementations can interwork and reach the same AuthZ
>> decisions.
>>
>> Outline of the foreseen agenda.
>> We will invite/solicit talks from current operational Grid
>> Infrastructures and also from Application communities requiring the
>> ability to run applications across multiple Grids. These will describe
>> their current (and short-term future) implementations of AuthZ and
>> policy. There may be room for Grid security developers to present
>> their
>> status and plans but this has been done before (e.g. at GGF15) and is
>> not the main thrust of the workshop. A major component of the workshop
>> is a discussion session (perhaps in the form of a panel) to
>> investigate
>> the lessons learned from the earlier presentations both for improving
>> short-term interoperability and as input to longer-term
>> standardisation.
>>
>> As well as copies of slides shown we plan to produce a document
>> describing the issues identified and conclusions from the discussion.
>>
>>
>> ------------------------------------
>> Technology requirements Standard A/V
>>
>>
>> Prerequisite skills Some understanding of Grid security concepts.
>> Appreciation of requirements for Authorization and/or Policy
>> and interoperability between Grid infrastructures
>>
>>
>> Technological requirements
>> for participants
>> Not sure what this means? How is it different from
>> prerequisite skills?
>>
>>
>> Suggestions on how to advertise
>> Via appropriate GGF area mail lists (e.g. security)
>> Via targeted mails to known Grid infrastructure projects,
>> application communities
>> and known developers
>>
>>
>>
>>
>>
>>
>>
>> ------------------------------------------------
>> Dr David Kelsey
>> Particle Physics Department
>> Rutherford Appleton Laboratory
>> Chilton, DIDCOT, OX11 0QX, UK
>>
>> e-mail: D.P.Kelsey at rl.ac.uk
>> Tel: [+44](0)1235 445746 (direct)
>> Fax: [+44](0)1235 446733
>> ------------------------------------------------
>>
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: Kelsey, DP (David) Sent: 30 November 2005 11:40
>>> To: 'Åke Edlund'; Dane Skow
>>> Cc: Cowles, Robert D.; Olle Mulmo; David Groep; Von Welch
>>> Subject: RE: MWSG in Amsterdam
>>>
>>>
>>> Dear all,
>>>
>>> I will submit something today. It won't be fully polished and
>>> certainly won't contain the 1000-3000 words and I'm afraid there
>>> will be no time to discuss what I submit much before I do it.
>>>
>>> I plan to go for a half-day community workshop called "Authorization
>>> - Interoperability here and now" and aim it at developers (authZ and
>>> policy) and users (Grid infrastructures and application
>>> communities). We will invite talks on current AuthZ/Policy
>>> implementations (as used today), issues and (short-term) future
>>> plans and end up with a panel discussing what needs to be done to
>>> promote interoperability in the short term and what lessons are
>>> there longer term for standards and future developments.
>>>
>>> I will take the liberty of naming all people receiving this mail as
>>> the "organisers". Hope this is OK.
>>>
>>> If Dane and Olle can then support, we can hopefully put off the need
>>> for a more polished plan until the end of next week.
>>>
>>> Immediate comments, suggestions welcome. I intend to submit at
>>> about 15:00 (UK time - ie GMT) this afternoon. I will send you what
>>> I submit.
>>>
>>> Regards
>>> Dave
>>>
>>>
>>> ------------------------------------------------
>>> Dr David Kelsey
>>> Particle Physics Department
>>> Rutherford Appleton Laboratory
>>> Chilton, DIDCOT, OX11 0QX, UK
>>>
>>> e-mail: D.P.Kelsey at rl.ac.uk
>>> Tel: [+44](0)1235 445746 (direct)
>>> Fax: [+44](0)1235 446733
>>> ------------------------------------------------
>>>
>>>
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Åke Edlund [mailto:edlund at pdc.kth.se]
>>>> Sent: 30 November 2005 08:17
>>>> To: Dane Skow; Kelsey, DP (David)
>>>> Cc: Cowles, Robert D.; Olle Mulmo; David Groep; Von Welch
>>>> Subject: Re: MWSG in Amsterdam
>>>>
>>>>
>>>> Hi all,
>>>> I'm stuck in the EU review of EGEE (and holidays between the
>>>> rehearsal and the real review (next week)). I'll be able to do work
>>>> on this starting on Thursday next week, i.e. December 8. Too late?
>>>> Cheers, Ake
>>>>
>>>> On 05-11-29 19.45, "Dane Skow" <dane at fnal.gov> wrote:
>>>>
>>>>
>>>>> Another bit of information on this: I mentioned our
>>>>>
>>>> thinking about a
>>>>
>>>>> workshop on AuthZ at GGF16 to Robert Fogel (the GGF Vice-Chair for
>>>>> community) and Mark Linesch at SuperComputing and how it
>>> might mesh
>>>
>>>>> with the desire for an open "Inter-grid Interoperability"
>>> meeting.
>>>>> They are very positive, so I suspect that a proposal from a
>>>> committed
>>>>
>>>>> group of core organizers with a sketchy proposal would hold
>>>>>
>>>> the door
>>>>
>>>>> open for a week or so. The immediate needs is to understand the
>>>>> logistical and participant demands and overlaps (however
>>>> travel plan
>>>>
>>>>> deadlines are fast approaching). They suggested that such a
>>>>>
>>>> workshop
>>>>
>>>>> would be best later in the week with the Inter-grid meeting early.
>>>>>
>>>>> I am willing to help with a workshop, but have too many
>>>>>
>>>> balls in the
>>>>
>>>>> air just now to drive this forward (and can't afford to be
>>>>>
>>>> "promoted"
>>>>
>>>>> like David ;-)). I've added Von to the list since I vaguely
>>>>>
>>>> recall he
>>>>
>>>>> (or Jim Basney ?) indicated willingness to help as well.
>>>>>
>>>>> Dane
>>>>>
>>>>> On Nov 29, 2005, at 12:15 PM, Kelsey, DP (David) wrote:
>>>>>
>>>>>
>>>>>> Ake, Dane et al,
>>>>>>
>>>>>> I agree that the idea to go for a community track workshop sounds
>>>>>> good. I am afraid that I have had far too little time
>>> recently to
>>>>>> push forward on the GGF16 plans, in spite of the fact
>>> that my name
>>>>>> seems to have moved from my initial offer of "help" at GGF15 to
>>>>>> "leading" :=)
>>>>>>
>>>>>> Anyway... I have just looked at the GGF16 mechanisms for
>>>>>>
>>>> requesting
>>>>
>>>>>> sessions.
>>>>>>
>>>>>> 1. For general group-related sessions there is a web page...
>>>>>> http://www.ggf.org/gf/session_request/
>>>>>>
>>>>>> (Dane told us about this soon after GGF15)
>>>>>>
>>>>>> 2. For the community track, there is also a web form...
>>>>>> http://www.ggf.org/ggf_events_communityInvolvmentProposal.htm
>>>>>>
>>>>>> BUT, I have just noticed two frightening things....
>>>>>>
>>>>>> A. The deadline is 30th November (TOMORROW)
>>>>>> B. The form requires a 1000-3000 Synopsis, describing
>>>>>>
>>>> goals, outline
>>>>
>>>>>> etc etc
>>>>>>
>>>>>>
>>>>>> I am sorry to have to report that I just don't have time
>>> to tackle
>>>
>>>>>> writing such a proposal this week? Is anyone else
>>> able/willing to
>>>>>> take this on?
>>>>>>
>>>>>> Regards
>>>>>> Dave
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------
>>>>>> Dr David Kelsey
>>>>>> Particle Physics Department
>>>>>> Rutherford Appleton Laboratory
>>>>>> Chilton, DIDCOT, OX11 0QX, UK
>>>>>>
>>>>>> e-mail: D.P.Kelsey at rl.ac.uk
>>>>>> Tel: [+44](0)1235 445746 (direct)
>>>>>> Fax: [+44](0)1235 446733
>>>>>> ------------------------------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Åke Edlund [mailto:edlund at pdc.kth.se]
>>>>>>> Sent: 29 November 2005 15:02
>>>>>>> To: Dane Skow; Kelsey, DP (David)
>>>>>>> Cc: Cowles, Robert D.; Olle Mulmo; David Groep
>>>>>>> Subject: Re: MWSG in Amsterdam
>>>>>>>
>>>>>>>
>>>>>>> Added Dave to the thread.
>>>>>>> Cheers,
>>>>>>> Ake
>>>>>>>
>>>>>>>
>>>>>>> On 05-11-29 15.59, "Åke Edlund" <edlund at pdc.kth.se> wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Hi Dane,
>>>>>>>>
>>>>>>>> Too bad to hear you can't join. Bob will, I hope?
>>>>>>>>
>>>>>>>> About the AuthZ/Intergrid workshop for Athens:
>>>>>>>>
>>>>>>>> From the slides at the MWSG:
>>>>>>>> ---
>>>>>>>> 1) Authz workshop at GGF16
>>>>>>>> ³Interop here and now², planning for the next ~2 years
>>>>>>>>
>>>> Dave & Von &
>>>>
>>>>>>>> Åke
>>>>>>>>
>>>>>>>> 2) MWSG info session at GGF16 as well!?!?!?
>>>>>>>> Outreach & dissemination (Ake)"
>>>>>>>> ---
>>>>>>>> I see Dave as lead for 1) and I see 2) as a short 0,5-1 hr
>>>>>>>> presentation.
>>>>>>>>
>>>>>>>> Still, I got an idea from David Groep: to have a GGF
>>>>>>>>
>>>>>>> Community track
>>>>>>>
>>>>>>>> workshop" for a full afternoon (maybe by combining both
>>>>>>>>
>>>>>>> things 1) and
>>>>>>>
>>>>>>>> 2)). Inspired by the GGF15 AuthZ WS.
>>>>>>>>
>>>>>>>> Is this too late? Is it a good idea? How to book?
>>>>>>>>
>>>>>>>> Best,
>>>>>>>> Ake
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>
>>>>
>>>>
====================================================================
: Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
: e-mail: Alan.Sill at ttu.edu ph. 806-742-4350 fax 806-742-4358 :
====================================================================
More information about the caops-wg
mailing list