[caops-wg] OGSA activity to cover authentication and identity provision roadmap

David Groep davidg at nikhef.nl
Thu Oct 5 06:54:42 CDT 2006


Dear Alan, all,

First of all, I would like to support this proposal, as it could indeed
provide the focal point for harmonisation amongst the various
activities in this area that have emerged both inside and those
(still) outside OGF. Over the past year I feel we have come quite close
to a kind of "common understanding" of what the issues are, and drafting
a collective roadmap is IMHO a very timely activity.

Of course, I can happily offer a timeslot during the upcoming EUGridPMA
meeting to discuss this (of course also completely open to the world and
community at large: join this part of the meeting via VRVS in
the "Sky" virtual room, "Earth/Universe" community: www.vrvs.org).
If the current planning is not optimal (this Friday, Oct 6,
11.00 AM CEST=UTC+2), it can also be delayed a few hours.

As I see it, the BoF for this new WG could also address some issues
I feel we currently have with the CAOPS charter and position with
respect to other activities in OGF (both with CAOPS being seen as an
"operations" activity, but even more importantly the possible conception
that CAOPS is only about the operation of "traditional" X.509 CAs).
In this respect, I would be highly interested in how others in CAOPS
see the relationship between CAOPS and such a new group.
Personally, I think also the IGTF as an operational policy coordination
body, should have close relationships with both groups, especially
as they are expanding into new authentication profile models.

There is, however, also an increasing overlap between the activities in
AuthN and AuthZ. The new federations of organisationally-based
sources of authority supply attributes and assertions that are
relevant for both: some attributes relate to what we have
traditionally seen as authentication (unique names, their long-term
binding to entities, and the way to prove identity), but others
by the same source relate more to authorisation (roles, position in
the organisation &c).
In the long run there may not be that clear a division between the
two, especially when multiple sources of authority are involved in
a combined decision. But this combination of assertions, possibly
with different assurance levels, and with different levels from
different sources, will highlight the need to convey such assurance
levels, and their recognition in policy decisions, in harmonised
formats and semantics.
Will the AuthN roadmap address such issues - which I
think it certainly should - when these assertions relate to
long-term "AuthN" attributes? Even if the actual assertions are
more related to what we might now consider "AuthZ" (such as
organisational role/position)? But that's probably something for
the BoF to figure out (given sufficient participation from
the OGSA-AuthZ folks).

Lastly, I think we should advertise this BoF and our intentions
widely, as there are very many related activities in this area,
also outside OGF. In particular (with a slight European bias) there
are the TERENA TF-EMC2 and TF-Mobility groups that to some extent
rely on or aim for coordination in this domain; there is the
eduGAIN activity (organised as part of the GEANT2 project); and
the EuroCAMP meetings on federation (the next one in two weeks in
Malaga, ES) are all highly relevant to this work. Many of
our combined groups will attend at least a few of these meetings,
and -- if we all agree OGSA-AuthN is a good idea -- should take the
opportunity to get all relevant people around the table at OGF19.


	Best regards,
	DavidG.


Alan Sill wrote:
> I'd like to suggest to the CAOps and Grid CA community that we  
> attempt to pull together thoughts on grid identity authentication in  
> terms of a roadmap and/or BOF among interested parties, focusing  
> primarily on the AuthN side. This would be a complement to the OGSA- 
> AuthZ activity, which we could clearly call OGSA-AuthN.
> 
> I realize that we need another working group like, well, a whack on  
> the head, but I have thought about this one a lot and I think that  
> the OGSA process would bring a lot of rationalization to the  
> activities and effort that we are pursuing more or less piecemeal in  
> the search for a workable solution.  Among things that we could gain  
> by having such an effort, we could include:
> 
> - Clear separation from OGSA-AuthZ while still allowing a strong  
> channel for communication
> - Bringing together several different working groups who are all  
> working on identity provision (as opposed to authorization) for grids
> - Providing for better communication between the OGSA roadmap and  
> CAOps practices
> - Providing a context for working groups, such as the Bridge CA and  
> Shibboleth activities, to communicate their findings
> - Placing OGSA-AuthN and OGSA-AuthZ on a similar footing
> 
> To follow through on this, I would like to have a brief discussion in  
> the IGTF portion of the upcoming EUGridPMA meeting, followed by a  
> similar discussion at the TAGPMA November face-to-face, and of  
> course encourage similar discussion at the APGridPMA meeting this  
> fall.  Any decision to follow this path should be discussed with the  
> incoming area directors of the Security area within the Open Grid  
> Forum, along with specific details about the charter.  To make this  
> happen, we could form a BOF to be held at the next OGF conference in  
> North Carolina in January, along the lines of the recent "Shibboleth  
> for Grids" one that we held at GGF 18, with an aim to take on this  
> topic as a roadmap activity directly.
> 
> Thoughts are extremely welcome and recruited.  As a point of  
> background information, I have been discussing this idea among the  
> members of the overall OGSA-WG working group, and have found many  
> useful suggestions and an open reception to this idea.  The topic of  
> a BOF as discussed above has been strongly encouraged.
> 
> Best,
> Alan
> 
> Alan Sill
> TIGRE Senior Scientist
> High Performance Computing Center
> TTU
> 
> ====================================================================
> :  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
> :  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
> ====================================================================


-- 
David Groep

** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
