[OGSA-AUTHZ] Re: OGSA-AuthZ & OGSA-WG joint call

David Chadwick d.w.chadwick at kent.ac.uk
Tue Apr 4 09:26:36 CDT 2006


Hi Olle

Your comments are valid but you have misinterpreted my email to Hiro. My
replies are inline below.

Olle Mulmo wrote:
> 
> David,
> 
> As AD in charge but also as WG member (well, at least close observer
> and provider of feedback) I feel a bit out of touch. But there are also
> some more serious process issues here.
> 
> My take-home message from our last session in Athens was that we did
> not ratify the new charter (which includes the documents you mentioned
> below), but rather that we need to get the production grids in the loop
> to provide real-world minimum requirements for the next-generation of
> the specs, as that was regarded as a prerequisite.
> 

This is correct. What we did not do at the meeting however, was place 
any actions on anyone in particular to get the production grids into the 
loop. So because of this, I am not sure who has taken this 
responsibility onto themselves at the GGF level. Personally I don't have 
any contacts with international production grids, so I am not the best 
person to do it.

In the UK, I have been trying to do this, in a new NoE that I have been 
working on (you got a copy of this I believe, I am still waiting for 
your comments :-).


> Since then, I haven't seen any action on the ogsa-authz mailing list
> and I assumed that other, non-GGF related, chores had taken overhand
> (as it often does for periods of time). But surely, the production of
> two "nearly finished" documents ought to have generated at least some
> traffic

This is where you have misread my email. I said that I have nearly 
finished a couple of docs, but I did not say that the docs were the 
final versions to be ratified by the GGF, which is what you have 
assumed. In fact the docs are meant to be the FIRST DRAFTS to be 
discussed by the GGF. It is not possible to have meaningful discussions 
until some strawman drafts are on the table for discussion, and that is 
what we have been working on.


> ("FYI, I'm doing this, here's an early draft, tell me whether
> I'm on the right track or not") and not appear as a surprise to all of
> us close to the finish line. Or perhaps I'm misinterpreting your email?

Yes unfortunately you are. What we are preparing are the first drafts to go 
into the GGF process for discussion and revision.

> 
> In any case, this WG _still_ does not have an approved charter, and we
> need to fix that. Badly.

Ok, let's talk about this offline.

David

> 
> /Olle
> 
> On Apr 3, 2006, at 11:55, David Chadwick wrote:
> 
>> Hi Hiro
>>
>> I am actually at the NIST PKI workshop in Washington this week, and
>> fly home on Thursday night. So I will be travelling from about
>> lunchtime on Thursday (Eastern Time).
>>
>> Here is an update for you. I have nearly finished a couple of docs to
>> present to the next GGF OGSA meeting to replace the current OGSA-SAML
>> profile. One is based on XACML and is a PDP-PEP interface. The other
>> is based on WS-Trust/SAML and is a PIP(CVS)-PEP interface. The
>> existing OGSA-SAML spec is an interface to a combined PIP(CVS)/PDP,
>> but as we know it has severe limitations.
>>
>> regards
>>
>> David
>>
>>
>> Hiro Kishimoto wrote:
>>
>>> Hi Alan, David, Von and Mary,
>>> Is it possible to have one hour joint call between OGSA-AuthZ WG
>>> and OGSA-WG next Thursday, April 6? OGSA-WG will have a F2F meeting
>>> next week in San Francisco Bay Area and Frank Siebenlist will lead
>>> this security session on Thursday.
>>> https://forge.gridforum.org/projects/ogsa-wg/document/2006Apr-OGSA-F2F-agenda
>>> I would like to proceed with our previous discussion in January.
>>> Please have a look into attached meeting minutes from Jan 19 joint
>>> call.
>>> If David can make it, we can talk 1-2pm PDT (= 9-10pm UK = 5-6am JST)
>>> same as January.
>>> Please let me know your availability and agenda items you want to
>>> discuss.
>>> Thanks in advance,
>>> ------------------------------------------------------------------------
>>> OGSA January 2006 Interim Meeting
>>> =================================
>>>   Location: Sunnyvale, CA
>>>   Date:     19/1/2006, afternoon
>>> * Attendees
>>>   Hiro Kishimoto
>>>   Dave Snelling
>>>   Jem Treadwell
>>>   Andreas Savva
>>>   Fred Maciel
>>>   Darren Pulsipher
>>>   Chuck Spitx
>>>   Fred Brisard
>>>   Ravi Subramaniam
>>>   Dave Berry
>>>   Steve McGough
>>>   Neil Chue Hong
>>>   Takuya Mori
>>>   Frank Siebenlist
>>>   Jay Unger
>>>   Bridge:
>>>     Alan Sill
>>>     David Chadwick
>>>   Notes: Andreas Savva
>>>   See also Security agenda ppt:
>>>   https://forge.gridforum.org/projects/ogsa-wg/document/ogsa-security-session/en/1
>>> * Security - OGSA AuthZ joint discussion
>>>    - "Use of SAML" document finished public comment with no comments
>>>      - Many people have looked at it. One minor change and expect it
>>>        to be published, but not sure when.
>>>    - OGSI Authorization Requirements: 1 comment
>>>    - Attributes ?
>>>    - Charter revision
>>>      - Looked at revised charter
>>>      - Hiro explained procedure for getting approval: circulate within
>>>        WG and if happy with level of support send to ADs; otherwise do
>>>        a BoF.
>>>      - New charter output: 2 new versions
>>>        - Authorization document
>>>        - (The attributes document is not mentioned)
>>>      - The milestones are not clear.
>>>    - Everyone is doing their own solution in the authorization area;
>>>      no attempt to reach consensus on a common approach. Perhaps this
>>>      is the reason why some of the docs received no comments. It is a
>>>      problem but there is no solution.
>>>    - There is real difficulty with getting buy-in from major grid
>>>      projects. Even if they say ok on the charter it does not mean
>>>      they will contribute actively.
>>>    - Takuya has contacted NAREGI. Alan also asked about PRAGMA.
>>>      Takuya agreed to contact PRAGMA as well.
>>>    - There is a Grid Interop at the next GGF16. Alan unfortunately
>>>      cannot make GGF16.
>>>    - Hiro's issue: how to combine security protocols (authorization)
>>>      with service invocation?
>>>    - Cannot tell people how to do authorization. Also do not want to
>>>      create refined schemas because the semantics attached to the
>>>      schema by different organizations may be different.
>>>    - So focus not on attribute description but on the information
>>>      about what are the required attributes by the services. (Analogy
>>>      with card tokens; tokens are different but using a token may be a
>>>      common point.)
>>>    - Attribute information is dependent on the issuer. The proposal is
>>>      not to try to map attributes between schemas but just to
>>>      facilitate the exchange of what schemas are supported and can be
>>>      used for authentication.
>>>    - If no attribute mapping is attempted then cross-site auditing or
>>>      logging isn't possible.
>>>      - It is out of scope of OGSA AuthZ
>>> * Security - Review of Basic Security Profile -- Secure Channel
>>>   - Just doing secure channel (point to point) and looking towards
>>>     end-to-end (MLS) eventually. Performance of MLS is an issue. (Also
>>>     need a way to describe policy and name entities and ...)
>>>     - Note that this is point-to-point and not host-to-host.
>>>   - There is a bigger problem that needs solving (...) and this
>>>     [profile] is the first step towards that goal (a bootstrap step).
>>>   - This profile says nothing about what is an authenticated
>>>     entity. It may be a next step.
>>>   Action: To add an example of how the keyinfo exchange (core) is used
>>>           with the secure channel profile
>>>   Action: Since Secure Channel should be composed with a Core it
>>>           should not expose the BasicSecurity claim. Only Core should
>>>           do that.
>>>   Update and aim for a final call by the end of the month
>>> * Security - Review of Basic Security Profile - Core
>>>   - 1.2: This profile is not extending the WS-I Basic Profile
>>>   - 1.2: Generalize the statement discussing the security profiles
>>>     that can be combined with this profile.
>>>   - Agreed that this profile will not expose an anonymous channel
>>>     claim URI. An anonymous channel profile should be defined as a
>>>     separate document.
>>>     - The important point is that it can be done with the current
>>>       document structure. It may be left to the people who want it to
>>>       actually do it.
>>>   - Need to expose the extensibility elements in referenced specs
>>>   - Need to address (at some point) how information on what features
>>>     are required or supported.
>>> * Future plans
>>>   Discussed plans for security design team and prioritized work:
>>>   - 1 Work on a Security architecture
>>>   - 2 How to combine security functions (security context) with
>>>       functional interfaces.
>>>   - 3 MLS profile
>>>   - 4 Issues raised by OGSA-Data wg and collaboration
>>>
>>
>> -- 
>>
>> *****************************************************************
>> David W. Chadwick, BSc PhD
>> Professor of Information Systems Security
>> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
>> Tel: +44 1227 82 3221
>> Fax +44 1227 762 811
>> Mobile: +44 77 96 44 7184
>> Email: D.W.Chadwick at kent.ac.uk
>> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>> Research Web site: http://sec.cs.kent.ac.uk
>> Entrust key validation string: MLJ9-DU5T-HV8J
>> PGP Key ID is 0xBC238DE5
>>
>> *****************************************************************
>>
> 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************