[caops-wg] OGSA activity to cover authentication and identity provision roadmap

David Chadwick d.w.chadwick at kent.ac.uk
Thu Oct 5 09:25:12 CDT 2006


Certainly clarifying the relationship between Authz and Authn will be an 
important factor to take into account when the OGSA Authn group is 
formed and its charter written. We should ensure that there is a clear 
separation of duties between the groups. I don't necessarily agree with 
David's categorisation below, but this is not the place to discuss this now.

regards

David


David Groep wrote:
> Dear Alan, all,
> 
> First of all, I would like to support this proposal, as it could indeed
> provide the focal point for harmonisation amongst the various
> activities in this area that have emerged both inside and those
> (still) outside OGF. Over the past year I feel we have come quite close
> to a kind of "common understanding" of what the issues are, and drafting
> a collective roadmap is IMHO a very timely activity.
> 
> Of course, I can happily offer a timeslot during the upcoming EUGridPMA
> meeting to discuss this (of course also completely open to the world and
> community at large: join this part of the meeting via VRVS in
> the "Sky" virtual room, "Earth/Universe" community: www.vrvs.org).
> If the current planning is not optimal (this Friday, Oct 6,
> 11.00 AM CEST=UTC+2), it can also be delayed a few hours.
> 
> As I see it, the BoF for this new WG could also address some issues
> I feel we currently have with the CAOPS charter and position with
> respect to other activities in OGF (both with CAOPS being seen as an
> "operations" activity, but even more importantly the possible conception
> that CAOPS is only about the operation of "traditional" X.509 CAs).
> In this respect, I would be highly interested in how others in CAOPS
> see the relationship between CAOPS and such a new group.
> Personally, I think also the IGTF as an operational policy coordination
> body, should have close relationships with both groups, especially
> as they are expanding into new authentication profile models.
> 
> There is, however, also an increasing overlap between the activities in
> AuthN and AuthZ. The new federations of organisationally-based
> sources of authority supply attributes and assertions that are
> relevant for both: some attributes relate to what we have
> traditionally seen as authentication (unique names, their long-term
> binding to entities, and the way to prove identity), but others
> by the same source relate more to authorisation (roles, position in
> the organisation &c).
> In the long run there may be not that clear a division between the
> two, especially when multiple sources of authority are involved in
> a combined decision. But this combination of assertions, possibly
> with different assurance levels, and with different levels from
> different sources, will highlight the need to convey such assurance
> levels, and their recognition in policy decisions, in harmonised
> formats and semantics.
> Will the AuthN roadmap include such issues - which I
> think it certainly should - when these assertions relate to
> long-term "AuthN" attributes? Even if the actual assertions are
> more related to what we might now consider "AuthZ" (such as
> organisational role/position)? But that's probably something for
> the BoF to figure out (given sufficient participation from
> the OGSA-AuthZ folks).
> 
> Lastly, I think we should advertise this BoF and our intentions
> widely, as there are very many related activities in this area,
> also outside OGF. In particular (with a slight European bias) there
> are the TERENA TF-EMC2 and TF-Mobility groups that to some extent
> rely on or aim for coordination in this domain; there is the
> eduGAIN activity (organised as part of the GEANT2 project); and
> the EuroCAMP meetings on federation (the next one in two weeks in
> Malaga, ES) are all highly relevant to this work. Many of
> our combined groups will attend at least a few of these meetings,
> and -- if we all agree OGSA-AuthN is a good idea -- should take the
> opportunity to get all relevant people around the table at OGF19.
> 
> 
> 	Best regards,
> 	DavidG.
> 
> 
> Alan Sill wrote:
>> I'd like to suggest to the CAOps and Grid CA community that we  
>> attempt to pull together thoughts on grid identity authentication in  
>> terms of a roadmap and/or BOF among interested parties, focusing  
>> primarily on the AuthN side. This would be a complement to the OGSA- 
>> AuthZ activity, which we could clearly call OGSA-AuthN.
>>
>> I realize that we need another working group like, well, a whack on  
>> the head, but I have thought about this one a lot and I think that  
>> the OGSA process would bring a lot of rationalization to the  
>> activities and effort that we are pursuing more or less piecemeal in  
>> the search for a workable solution.  Among things that we could gain  
>> by having such an effort, we could include:
>>
>> - Clear separation from OGSA-AuthZ while still allowing a strong  
>> channel for communication
>> - Bringing together several different working groups who are all  
>> working on identity provision (as opposed to authorization) for grids
>> - Providing for better communication between the OGSA roadmap and  
>> CAOps practices
>> - Providing a context for working groups, such as the Bridge CA and  
>> Shibboleth activities, to communicate their findings
>> - Placing OGSA-AuthN and OGSA-AuthZ on a similar footing
>>
>> To follow through on this, I would like to have a brief discussion in  
>> the IGTF portion of the upcoming EUGridPMA meeting, followed by a  
>> similar discussion at the TAGPMA November face-to-face, and of  
>> course encourage similar discussion at the APGridPMA meeting this  
>> fall.  Any decision to follow this path should be discussed with the  
>> incoming area directors of the Security area within the Open Grid  
>> Forum, along with specific details about the charter.  To make this  
>> happen, we could form a BOF to be held at the next OGF conference in  
>> North Carolina in January, along the lines of the recent "Shibboleth  
>> for Grids" one that we held at GGF 18, with an aim to take on this  
>> topic as a roadmap activity directly.
>>
>> Thoughts are extremely welcome and recruited.  As a point of  
>> background information, I have been discussing this idea among the  
>> members of the overall OGSA-WG working group, and have found many  
>> useful suggestions and an open reception to this idea.  The topic of  
>> a BOF as discussed above has been strongly encouraged.
>>
>> Best,
>> Alan
>>
>> Alan Sill
>> TIGRE Senior Scientist
>> High Performance Computing Center
>> TTU
>>
>> ====================================================================
>> :  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
>> :  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
>> ====================================================================
>>
> 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************