[loa-bof] Security and related activities at OGF24: an overview

David Groep davidg at nikhef.nl
Fri Aug 29 04:01:37 CDT 2008


OGF24: Bustling with Security Activities

In a mere few weeks OGF24 will be held in Singapore. A compact
meeting, it is packed with quite a few interesting security and
related sessions. If you did not plan to come, maybe these still
entice you to travel to Singapore:


A jointly coordinated session with GIN will focus on how to restrict
delegation. In the GIN grid deployments restricting what somebody (or
a process) can do is gaining prominence, and how to design such
restrictions when delegating credentials (both when using proxies and
in a SAML context) is something the GIN group wants to know. On one hand
this of course includes the syntax and technical mechanisms, and
based on current standards and developments this might be addressed
in the short term. But how to interpret such restrictions in a common
way? If a policy is defined to restrict access to a service or
service method, will the implementations of such a service react in a
similar way? This session should lead the way for a new working (or
research?) group to address these topics.

Also at OGF24, the OGSA-AuthZ WG will be discussing the feedback
received on the "Functional Components of Grid Service Provider
Authorisation Service Middleware" document, which has completed its
public comment on August 28th, and the "Use of XACML Request Context
to Obtain an Authorisation Decision" (completed PC on Aug 13), and
review the ongoing comments of the remaining proposed
recommendations:
-	Use of SAML to retrieve Authorization Credentials
-	WS-TRUST and SAML to Access a Credential Validation Service
This suite of four documents provides a complete view on the
internals of authorization, and your contributions are welcome to
ensure that the documents reflect your needs.

As a follow-up to the Firewall Issues RG, a new working group
"Firewall Virtualization for Grid Applications" has been started to
standardize a set of service definitions for a virtualized control
interface into firewalls and other mid-boxes allowing the grid
applications to securely and dynamically request
application/workflow-specific services from those devices, for the
duration of the service.

The CA Operations WG, jointly with the IGTF, organises a full-day
workshop focussing on a wide range of authentication and identity
management issues. On the technical side these include the definition
of signing namespace constraints by relying parties, guidelines for
auditing CAs, authentication service profiles, and the profile
defining trust in higher-level CAs. More on the policy side, issues
such as risk assessment and incident response in the IGTF community,
and the management of revocation will be discussed. The Levels of
Authentication Assurance (LoA) RG merged with CAOPS in OGF23, with
the document "A Gap Analysis of Current LoA Definitions vs. LoA
Requirements in e-Science/Grid Context" available for discussion.

For the operational security side: have a look at the BoF on
Intrusion detection in Grid Computing for security issues in grid
computing networks and the proposed possible solutions using
intrusion detection/prevention systems.


Lastly, you have probably realised that the vacant spot left by Blair
Dillaway as security AD (whose term ended in March) has still not
been filled. To remedy this very unfortunate situation, please think
hard about who you consider to be a suitable candidate (and that may
be yourself!), and contact the OGF NOMCOM or the chair Neil Chue Hong
directly. See http://www.ogf.org/nomcom/ for details about the NOMCOM
process and for an application form. A healthy security area and the
security activities in OGF merit a full complement of security ADs to
ensure continuity past 2009!


I hope to see many of you in Singapore.

       Best Regards, David Groep.


-- 
David Groep

** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **


