[gin-auth] Are we done ?

Stephen M Pickles Stephen.Pickles at manchester.ac.uk
Thu Nov 16 12:36:19 CST 2006


Dane,

I agree that the list is fairly quiet, because we've either
achieved what we set out to do, or gone as far as we can
until a breakthrough is made elsewhere (such as consensus
on delegation in WS which you mention in (4)).

One thing you omitted from our list of achievements is
the creation of an AUP for the GIN VO. 

I certainly don't want to shut down the list. I think the GIN
lists, by providing a way to reach our peers in other Grids,
are tremendously valuable.

I think there is one thing still for gin-auth to do before going
dormant. That is, to write up a _short_ note describing and
consolidating what we've done (rationales), what worked and what
didn't (experiences), and what we're waiting for (gaps,
recommendations), and by doing so test whether we've really
reached a deeper understanding and consensus than we had when
we started.

Best regards,

Stephen

> -----Original Message-----
> From: gin-auth-bounces at ogf.org 
> [mailto:gin-auth-bounces at ogf.org] On Behalf Of Dane Skow
> Sent: 09 November 2006 22:58
> To: gin-auth at ggf.org
> Subject: [gin-auth] Are we done ?
> 
> 
> In reviewing the status of this group for others recently, I've been
> pondering where we are and what next for interoperation in
> authorization/authentication infrastructure. The slides presented at
> GGF18 are available at
> http://forge.gridforum.org/sf/tracker/do/viewArtifact/projects.gin/tracker.draftplans2006/artf5584?nav=1&selectedTab=attachments
> 
> I'd like to see what this group thinks regards what we should be
> doing next.
> 
> We defined Phase 1 GIN interoperation as the following agreements:
> 
> 1) RFC 3820 proxies would be the identity/authentication vehicles for
> interoperation.
> 
> 2) VOMS proxy extensions would be the common denominator for
> conveying authorization attributes.
> 
> 3) IGTF CA accreditation would establish the common set of sources of
> certificates.
> 
> 4) Delegation would be supported by GSI delegation for pre-WS GRAM/
> GridFTP. A common WS-Delegation would be supported for WS interfaces.
> 
> 5) We established a naming convention for VOs and established a
> bootstrap VOMS service for newcomers to test interoperation.
> 
> In my opinion, I see the following status:
> 
> 1) has been accomplished. I'm not sure all proxies in use these days
> are RFC 3820 compliant, but the move is clearly that way and most
> code properly handles the earlier versions so interoperation hasn't
> been a problem.
> 
> 2) has been used effectively by multiple grids and the specification
> of the extensions has been documented (has that spec been published
> actually ?). The use of attributes to date as far as I know, has been
> to map a single individual in different roles to different execution
> environments (e.g. accounts) from a pre-loaded map. Dynamic mapping
> of groups (without requiring pre-registration) has not been deployed
> in practice yet, but there are no technical obstacles.
> 
> 3) What problems there have been in recognition of credentials have
> been in cases where the credentials come from a non-IGTF CA. There is
> interest in other groups of certificate authorities, but none
> pressing for production grid use at this time, in this community.
> 
> 4) seems to be working well enough for the pre-WS GRAM and GridFTP
> interoperation to date. It is not clear to me there is a consensus
> yet on the WS delegation definition/implementation. Perhaps we should
> run a survey/test here as the deployment and use of WS services grows.
> 
> 5) the bootstrap service is operational and has been useful for
> testing and getting started. I don't believe the naming convention
> agreement has had any impact on the production VOs, but there does
> not appear to yet be any problem with name collisions in production.
> 
> Looking forward, are there other things that we should be pursuing at
> this time ? I think it appropriate for GIN groups to restrict
> themselves to issues that are current or imminent interoperation
> issues and targeted at production services (lest we end up creating
> yet another design group).
> 
> The mailing list has been rather quiet lately and I confess that I've
> been consistently distracted by my "day job" as well. If there were
> someone interested in stepping forward to lead an agenda for a Phase
> II, then I would be glad to pass the baton. Alternately, we could
> declare our work done for this phase and go dormant pending needs for
> resurrecting in a later phase. The list has value as a communications
> channel among specialists in the area across the grids, so I would
> not advocate shutting down the list even should we decide that the
> charge of the group has been accomplished.
> 
> What do folks think ?
> Dane
> --
>   gin-auth mailing list
>   gin-auth at ogf.org
>   http://www.ogf.org/mailman/listinfo/gin-auth
> 
> 


