[communities] GGF Proposal Submission

d.p.kelsey at rl.ac.uk
Wed Nov 30 10:30:57 CST 2005


proposers_name: David Kelsey 
 
affiliation: CCLRC Rutherford Appleton Laboratory, UK 

email: d.p.kelsey at rl.ac.uk 

proposed_title: Grid Authorization - Interoperability here and now 

session_type: Workshop 

proposed_duration: Half-day 

target_audience: Technical experts and interested parties. 

num_attendees: 50 (hopefully more) 

abstract: This workshop will consider short-term (now and next two years) Grid Authorization and Policy implementations, requirements 
and issues. It will investigate what improvements can be made to encourage and facilitate interoperability between Grid operational 
infrastructures. It will also consider lessons learned from today's implementations for the Grid security standards activities
in GGF for the longer-term future. 

synopsis: This is very much a draft. There has not been enough time to discuss
with co-organisers. Apologies. We plan to provide a better/proper size
version by 9th December. Dane Skow encouraged me to submit now to meet
the deadline with this incomplete plan. 

The following people are currently co-organizers of this workshop. More
may volunteer later. The push has come from the GGF Security Area. We
would like to find some co-organizers from the application communities
and Grid operations.

Bob Cowles	(SLAC and OSG Security co-chair)
Ake Edlund	(KTH and EGEE Director of Security)
David Groep	(NIKHEF and IGTF chair)
David Kelsey	(CCLRC and LCG/EGEE Joint Security Policy Group chair)		
Olle Mulmo	(KTH and GGF Security Area Director)			
Dane Skow	(FNAL and GGF Security Area Director)
Von Welch	(NCSA and Globus Alliance)
			
The goals of the workshop are as described in the Abstract.

Target audience
Technical experts and interested parties.
Grid security developers, Grid deployers (operational infrastructures)
and Grid users (application communities)

Background. 
Much effort has been put into the work on Grid Authentication,
culminating in the successful launch at GGF15 of the International Grid
Trust Federation (IGTF). The work of IGTF and its three regional Policy
Management Authorities ensures that Grid Users can obtain a single
electronic identity (X.509 certificate) and use this on any Grid
infrastructure which has decided to use the CAs from IGTF. Grid
Authorization is much less mature. Many large-scale application
communities (VOs) are global in nature and have the need to access
multiple Grid infrastructures. While Authentication is performed at the
employing institute level, the Authorization (AuthZ) assertions need to
be controlled at the VO level. The VO (global) policy assertions then
need to be combined with local (site-level) policy specifications before
an Authorization decision can be made and enforced. There is a very
important requirement for interoperability in AuthZ between Grids in
terms of protocols and evaluation of the AuthZ/Policy assertions so that
different implementations can interwork and reach the same AuthZ
decisions.

Outline of the foreseen agenda.
We will invite/solicit talks from current operational Grid
Infrastructures and also from Application communities requiring the
ability to run applications across multiple Grids. These will describe
their current (and short-term future) implementations of AuthZ and
policy. There may be room for Grid security developers to present their
status and plans but this has been done before (e.g. at GGF15) and is
not the main thrust of the workshop. A major component of the workshop
is a discussion session (perhaps in the form of a panel) to investigate
the lessons learned from the earlier presentations both for improving
short-term interoperability and as input to longer-term standardisation.

As well as copies of slides shown we plan to produce a document
describing the issues identified and conclusions from the discussion.
 

tech_requirements: None 

prereq_participants: Some understanding of Grid security concepts. 
Appreciation of requirements for Authorization and/or Policy
and interoperability between Grid infrastructures
 

advertise_suggestion: Via appropriate GGF area mail lists (e.g. security)
Via targeted mails to known Grid infrastructure projects, application communities and known developers

 




