[OGSA-AUTHZ] Revised Charter

Blair Dillaway blaird at exchange.microsoft.com
Fri Apr 21 18:03:03 CDT 2006


David,

I've reviewed the proposed charter and have a few concerns:
(1) the definition of what are considered in-scope authorization components seems imprecise
(2) the proposed two-phased approach, with an interim charter revision, is in conflict with other statements in the charter
(3) an authorization architecture is presumed by the charter while calling out an architectural specification as a deliverable

Let me try to briefly describe what concerns me in each area.

(1) The charter states the purpose is to define specifications needed to support interoperability and pluggability of authorization components. That is a reasonable objective, but the discussion that follows seems to go beyond what would traditionally be considered authorization. It seems to indicate that authentication (CVS credential validation and trust assessment), SAML authentication token profiles, attribute schema communication, and some types of security protocols are all in-scope. It's unclear to me if some aspects of identity management systems and security policy management/provisioning systems are also intended to be in-scope. I suggest including a brief background section, which identifies the major functional components needed in a complete Grid security solution: identity management; policy management; secure communications; authentication; authorization; audit (aka accounting); .... I hope we could clearly indicate which of those functional components are in-scope and which aren't.

(2) The charter states the initial deliverables of the group will include a scenarios and requirements document along with a revised charter based upon that work. That seems like a prudent approach to ensuring the usefulness of standards ultimately developed by the group. But, I can't reconcile that statement with the earlier statement "an early deliverable of the group will be an enhanced specification for the PEP-PDP interactions....".

This, and the lengthy list of tentative documents, leaves me uncertain if the OGSA-Authz charter is intended to be very broadly scoped, allowing a number of different specifications to be developed, or to charter work on individual specifications. If it's the former, I suggest re-writing the charter to focus more on defining the overall scope and addressing how the individual specification activities will be managed. The list of 'tentative documents' doesn't really belong in such a charter. If it's the latter, perhaps this should be separated into two more focused charters for the 'initial' and 'early' deliverables identified in the current document.

(3) It is stated "the group will also provide an architecture document..." and later that one of the 'tentative documents' is a 'high level authorization architecture'. I believe this is an important document for focusing and relating the other specifications mentioned in the charter. But, is this a chartered activity, or is it dependent on the revised charter?

It's also stated the initial scenario and requirements work should drive this document. At the same time, the charter clearly presumes an authorization architecture for the various documents discussed, for example, the PEP, PDP, and CVS separation. Some existing systems conform to this architecture, others don't. The charter should clearly state if the activities are constrained by this architecture or if alternative architectures are in-scope.

I also suggest the 'desired' document "Implementers of the Authz infrastructures and the protocols specified by this group should specify how their implementations map into the concepts documented in the architecture document..." should be a requirement. Without this, it can be very difficult to understand how individual specifications relate and are expected to interface.

------

On a related issue, could you clarify if the recent draft specification submitted for comment (XACML profile and WS-TRUST/SAML profile) are being proposed as deliverables under the OGSA-Authz WG or some other WG?

Regards,
Blair Dillaway

> -----Original Message-----
> From: owner-ogsa-authz at ggf.org
> [mailto:owner-ogsa-authz at ggf.org] On Behalf Of David Chadwick
> Sent: Wednesday, April 19, 2006 3:39 AM
> To: ogsa Authz
> Subject: [OGSA-AUTHZ] Revised Charter
>
> Dear authz members
>
> please find attached an updated version of the charter for
> ratification at the next GGF meeting.
>
> If you have any comments on this charter please raise them on
> the list or at the next meeting in Tokyo, where I hope to get
> it ratified.
>
> Finally, can I ask for volunteers to start work on the
> authorisation scenarios and use cases document. There must be
> many of you on the list who already have great experience of
> implementing or integrating authorisation mechanisms into
> your grid applications and know the scenarios that you are
> working with, and the authorisation features that you
> require. So it should not be difficult for you to write these
> down on one or two sides of A4. I am happy to act as editor
> and to coordinate your input into the GGF output document.
>
> I look forward to seeing you in Tokyo
>
> regards
>
> David
>
> --
>
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick at kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://sec.cs.kent.ac.uk
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
>
> *****************************************************************
>
>