[OGSA-AUTHZ] Obligations handling

David Chadwick d.w.chadwick at kent.ac.uk
Mon Dec 10 04:59:09 CST 2007


Hi Yuri

In your implementation report you said that you were proposing to handle 
obligations differently to that proposed in the OGSA Authz XACML spec. 
Given that this is based on XACML's obligation handling, could you 
please let the group know how you propose to do it differently.

Concerning the chronicle attribute, which was in an early draft of the 
Authz spec, but is not in the OASIS XACML spec, I discussed this with 
members of the XACML group, who suggested that it could be incorporated 
into the URL, thereby remaining conformant to the XACML standard, but 
potentially increasing the number of URLs significantly. During this 
discussion it was clear that the XACML group itself had not reached a 
consensus on the best way to handle the timing of obligations, and some 
of the group actually supported the inclusion of a chronicle attribute. 
Others thought timing might need to be more complex still. So it is 
likely that the XACML group may update their spec in the future in order 
to better handle the timing of obligations.

regards

David


Yuri Demchenko wrote:
> Hi David and WG,
> 
> I can report about implementing all currently proposed documents which
> we consider an important basis for interoperability. Our implementations
> are at different stages but architecturally conform to the "Functional
> Components of Grid Service Provider Authorisation Service Middleware"
> document.
> 
> Profile being implemented: XACML Request Context to Obtain an
> Authorization Decision
> Organisation doing the implementation: System and Network Engineering
> (SNE) Group, University of Amsterdam
> Contact details: Yuri Demchenko <demch at science.uva.nl>
> Short description: GAAA Toolkit
> Target project Phosphorus (EU-IST), AAA/AuthZ infrastructure for
> multidomain Network Resource Provisioning (NRP).
> Comment: Current implementation uses different model and semantics for
> Obligations handling, use of the "chronicle" may be considered.
> 
> 
> Profile being implemented: OGSA Attribute Exchange Profile
> Organisation doing the implementation: System and Network Engineering
> (SNE) Group, University of Amsterdam
> Contact details: Yuri Demchenko <demch at science.uva.nl>
> Short description: GAAA Toolkit
> Target project Phosphorus (EU-IST), AAA/AuthZ infrastructure for
> multidomain Network Resource Provisioning (NRP) that needs to use
> different attributes local to a network/resource domain.
> 
> 
> Profile being implemented: Use of WS-Trust and SAML to access a CVS
> (partly, credentials push model)
> Organisation doing the implementation: System and Network Engineering
> (SNE) Group, University of Amsterdam
> Contact details: Yuri Demchenko <demch at science.uva.nl>
> Short description: Token Validation Service (TVS), component of the GAAA
> Toolkit.
> Target project Phosphorus (EU-IST), AAA/AuthZ infrastructure for
> multidomain Network Resource Provisioning (NRP), token-based
> policy/authorisation decision enforcement to access the reserved network
> resource.
> 
> Some implementation and development plans and results may be reported
> later for the gLite Java AuthZ Service (gJAF) but it will depend on the
> progress.
> 
> Regards,
> 
> Yuri
> 
> 
> 
> David Chadwick wrote:
>> I would like to draw up a table of implementations of the 3 protocol 
>> profile docs that we have published (XACML, WS-Trust and SAML AA).
>>
>> Profile being implemented:
>> Organisation doing the implementation:
>> Contact details:
>> Short description:
>>
>> (the latter to contain such things as status of implementation, any 
>> interworking carried out, where software might be obtained etc. Whatever 
>> you feel is appropriate for the WG)
>>
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************


