[caops-wg] OGSA activity to cover authentication and identity provision roadmap

Oscar Manso o.manso at certiver.com
Fri Oct 6 03:10:22 CDT 2006


Dear all,
We mostly agree with the proposal of creating a new OGSA-AuthN group, thus
clearly separating its activities from OGSA-AuthZ. Today that may prove
useful as new concepts like "validation" have begun to rise in both CAOPS
and AuthZ.
Our main concern refers to the effect that this action may have on our
working drafts, more specifically the OCSP document, which has been
*almost there* for a few months. We do hope that with the creation of this
new group such efforts don't go to oblivion   :)
Best regards and count on us for participating in the new group,


Oscar & Jesus 

> -----Original Message-----
> From: caops-wg-bounces at ogf.org
> [mailto:caops-wg-bounces at ogf.org] On behalf of David Chadwick
> Sent: Thursday, 05 October 2006 16:25
> To: David Groep
> CC: igtf-general at gridpma.org; gridshib-beta at globus.org;
> gsmv at webapp.lab.ac.uab.edu; Mailing List for CAOPS-WG
> Subject: Re: [caops-wg] OGSA activity to cover authentication and identity provision roadmap
> 
> Certainly clarifying the relationship between Authz and Authn
> will be an important factor to take into account when the
> OGSA Authn group is formed and its charter written. We should
> ensure that there is a clear separation of duties between the
> groups. I don't necessarily agree with David's categorisation
> below, but this is not the place to discuss this now.
> 
> regards
> 
> David
> 
> 
> David Groep wrote:
> > Dear Alan, all,
> > 
> > First of all, I would like to support this proposal, as it could
> > indeed provide the focal point for harmonisation amongst the various
> > activities in this area that have emerged both inside and those
> > (still) outside OGF. Over the past year I feel we have come quite
> > close to a kind of "common understanding" of what the issues are, and
> > drafting a collective roadmap is IMHO a very timely activity.
> > 
> > Of course, I can happily offer a timeslot during the upcoming
> > EUGridPMA meeting to discuss this (of course also completely open to
> > the world and community at large: join this part of the meeting via
> > VRVS in the "Sky" virtual room, "Earth/Universe" community: www.vrvs.org).
> > If the current planning is not optimal (this Friday, Oct 6, 11.00 AM
> > CEST=UTC+2), it can also be delayed a few hours.
> > 
> > As I see it, the BoF for this new WG could also address some issues I
> > feel we currently have with the CAOPS charter and position with
> > respect to other activities in OGF (both with CAOPS being seen as an
> > "operations" activity, but even more importantly the possible
> > conception that CAOPS is only about the operation of "traditional" X.509 CAs).
> > In this respect, I would be highly interested in how others in CAOPS
> > see the relationship between CAOPS and such a new group.
> > Personally, I think also the IGTF, as an operational policy
> > coordination body, should have close relationships with both groups,
> > especially as they are expanding into new authentication profile models.
> > 
> > There is, however, also an increasing overlap between the activities
> > in AuthN and AuthZ. The new federations of organisationally-based
> > sources of authority supply attributes and assertions that are
> > relevant for both: some attributes relate to what we have
> > traditionally seen as authentication (unique names, their long-term
> > binding to entities, and the way to prove identity), but others by the
> > same source relate more to authorisation (roles, position in the
> > organisation &c).
> > In the long run there may be not that clear a division between the
> > two, especially when multiple sources of authority are involved in a
> > combined decision. But this combination of assertions, possibly with
> > different assurance levels, and with different levels from different
> > sources, will highlight the need to convey such assurance levels, and
> > their recognition in policy decisions, in harmonised formats and
> > semantics.
> > Will the AuthN roadmap address such issues - which I think it
> > certainly should - when these assertions relate to long-term "AuthN"
> > attributes? Even if the actual assertions are more related to what we
> > might now consider "AuthZ" (such as organisational role/position)? But
> > that's probably something for the BoF to figure out (given sufficient
> > participation from the OGSA-AuthZ folks).
> > 
> > Lastly, I think we should advertise this BoF and our intentions
> > widely, as there are very many related activities in this area, also
> > outside OGF. In particular (with a slight European bias) there are the
> > TERENA TF-EMC2 and TF-Mobility groups that to some extent rely on or
> > aim for coordination in this domain; there is the eduGAIN activity
> > (organised as part of the GEANT2 project); and the EuroCAMP meetings
> > on federation (the next one in two weeks in Malaga, ES) are all highly
> > relevant to this work. Many of our combined groups will attend at
> > least a few of these meetings, and -- if we all agree OGSA-AuthN is a
> > good idea -- should take the opportunity to get all relevant people
> > around the table at OGF19.
> > 
> > 
> > 	Best regards,
> > 	DavidG.
> > 
> > 
> > Alan Sill wrote:
> >> I'd like to suggest to the CAOps and Grid CA community that we
> >> attempt to pull together thoughts on grid identity authentication in
> >> terms of a roadmap and/or BOF among interested parties, focusing
> >> primarily on the AuthN side. This would be a complement to the
> >> OGSA-AuthZ activity, which we could clearly call OGSA-AuthN.
> >>
> >> I realize that we need another working group like, well, a whack on
> >> the head, but I have thought about this one a lot and I think that
> >> the OGSA process would bring a lot of rationalization to the
> >> activities and effort that we are pursuing more or less piecemeal in
> >> the search for a workable solution.  Among things that we could gain
> >> by having such an effort, we could include:
> >>
> >> - Clear separation from OGSA-AuthZ while still allowing a strong
> >> channel for communication
> >> - Bringing together several different working groups who are all
> >> working on identity provision (as opposed to authorization) for grids
> >> - Providing for better communication between the OGSA roadmap and
> >> CAOps practices
> >> - Providing a context for working groups, such as the Bridge CA and
> >> Shibboleth activities, to communicate their findings
> >> - Placing OGSA-AuthN and OGSA-AuthZ on a similar footing
> >>
> >> To follow through on this, I would like to have a brief discussion in
> >> the IGTF portion of the upcoming EUGridPMA meeting, followed by a
> >> similar discussion at the TAGPMA November face-to-face, and of
> >> course encourage similar discussion at the APGridPMA meeting this
> >> fall.  Any decision to follow this path should be discussed with the
> >> incoming area directors of the Security area within the Open Grid
> >> Forum, along with specific details about the charter.  To make this
> >> happen, we could form a BOF to be held at the next OGF conference in
> >> North Carolina in January, along the lines of the recent "Shibboleth
> >> for Grids" one that we held at GGF 18, with an aim to take on this
> >> topic as a roadmap activity directly.
> >>
> >> Thoughts are extremely welcome and recruited.  As a point of
> >> background information, I have been discussing this idea among the
> >> members of the overall OGSA-WG working group, and have found many
> >> useful suggestions and an open reception to this idea.  The topic of
> >> a BOF as discussed above has been strongly encouraged.
> >>
> >> Best,
> >> Alan
> >>
> >> Alan Sill
> >> TIGRE Senior Scientist
> >> High Performance Computing Center
> >> TTU
> >>
> >> ====================================================================
> >> :  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
> >> :  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
> >> ====================================================================
> >>
> >> --
> >>   caops-wg mailing list
> >>   caops-wg at ogf.org
> >>   http://www.ogf.org/mailman/listinfo/caops-wg
> > 
> > 
> 
> -- 
> 
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick at kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://sec.cs.kent.ac.uk
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
> 
> *****************************************************************
> 