[OGSA-AUTHZ] OGSA-Authz-WG meeting minutes v2: OGF Jan 29 session
Von Welch
vwelch at ncsa.uiuc.edu
Wed Feb 7 10:40:14 CST 2007
> P.S. Can you upload the minutes to the forge? Thanks.
Done: https://forge.gridforum.org/sf/go/doc14221?nav=1
Von
On Feb 6, 2007, at 6:53 AM, David Chadwick wrote:
> Hi Von
>
> a footnote to the meeting is that at the CA Ops group meeting later
> in the week, Rachana presented the concept of an Assertion
> Validation Service for validating attribute assertions, and it was
> pointed out to her that this service is exactly the same as the CVS
> service documented by the Authz working group. The CA Ops group was
> given a pointer to the Authz working draft.
>
> regards
>
> David
>
> P.S. Can you upload the minutes to the forge? Thanks.
>
>
> Von Welch wrote:
>> Here are the minutes with all corrections and comments that I have
>> seen.
>> Von
>> ----
>> * Preamble
>> David brought meeting to order
>> Circulated OGF IP sign-in sheet
>> Von volunteers to scribe
>> * Telecon Update
>> Decision: Once every two months, we will take one of the OGSA-WG
>> phone call slots to report to the larger community. Next date will
>> be March 8th.
>> Decision: Telecon dates
>> February 13th
>> March 7th
>> April 3rd
>> April 23rd
>> * "Functional Components of Grid Service Provider Authorisation
>> Service Middleware" available from
>> http://forge.gridforum.org/sf/go/doc13968?nav=1
>> Latest version is Oct 24th version
>> Outstanding issue: implications of carrying attributes and
>> credentials within the same protocol or within different protocols
>> Outstanding issue: Id vs URL issue raised by Tom Scavo:
>> http://www.ogf.org/pipermail/ogsa-authz-wg/2006-November/000242.html
>> Doc should then be ready for WG final call and progression to AD
>> * Protocol Doc Updates
>> Described 3 protocols
>> 1) PEP-Context Handler: no profile proposed. Maybe the same as
>> protocol #3 if credentials can be carried in same field as
>> attributes in the protocol.
>> 2) Context Handler-CVS: WS-Trust profile:
>> http://forge.gridforum.org/sf/go/doc9011?nav=1
>> 3) Context Handler-PDP: XACML request/response protocol proposed:
>> the current profile, available from
>> http://forge.gridforum.org/sf/go/doc13681?nav=1
>> in which the XACML request context is transported to the PDP in a SAML
>> request message.
>> Apparently this OASIS mechanism has been deprecated because it was
>> (wrongly) thought that no-one was using it. We thus may need to
>> reconsider this protocol and use a different wrapper to carry the XACML
>> contexts.
>> * Takuya Mori presentation on NAREGI Authz Service and NAREGI
>> XACML profile
>> Slides: http://forge.gridforum.org/sf/go/doc14166?nav=1
>> SAML 2.0 and XACML 2.0 based
>> Uses GT authz framework
>> Profile between Authz service client (in GT4) and Authz CVS
>> Handles VOMS ACs and passes to Authz service
>> Presented mapping of attributes from X.509 EEC/VOMS AC into XACML
>> Resource Attribute Filtering Mechanism (RAFM) - Reference properties,
>> XACML profile has Subject, Resource and Action attributes
>> There is an issue as to how a resource's attributes are obtained by the
>> PEP. If the user submits them to the PEP there is a potential trust
>> issue here, and the attributes will need to be validated by the CVS. If
>> the PEP obtains them itself from a local store this is not an issue.
>> * VOMS profile
>> Discussed on Oct 16 telecon - minutes on list
>> Meaning of the primary type must be explicit rather than implicit
>> (as currently done via sequence)
>> Awaiting response from VOMS group
>> Valerio: What we haven't understood so far is why an explicit primary
>> attribute is needed rather than an implicit one, and what needs an
>> eventual change in the VOMS AC format would address. [Discussion
>> continued on ogsa-authz email list]
>> * Attribute Retrieval Protocol
>> Added at last meeting
>> OASIS profile for SAML - Tom Scavo author
>> * Von Welch resignation as WG chair
>> Those who are interested in replacing Von should send email to David
>> * Other business
>> Tom Scavo: Do we need mechanism to bind SAML to X.509 (equivalent
>> to VOMS)? (https://spaces.internet2.edu/display/GS/X509BindingSAML)
>> David: 2005 X.509 has specification for binding XML to X.509, but
>> doesn't specify XML content
>> Tom Scavo to investigate how these relate.
>> David: VOMS is providing a standard SAML protocol interface for picking
>> up VOMS attributes. A beta is supposed to be ready by April 2007.
>> (Valerio: That's correct, David. The protocol is that in SAML V2.0
>> Profiles for X.509 Subject as agreed. We are about to work on the
>> implementation of the protocol and we will eventually inform Tom
>> and the authors about any issue we may have. Hope it won't be too
>> late by that time but we couldn't make it before.) (Later in
>> email Tom directs to
>> http://www.oasis-open.org/committees/download.php/21568/sstc-saml2-profiles-deploy-x509-draft-01.pdf)
>> --
>> ogsa-authz-wg mailing list
>> ogsa-authz-wg at ogf.org
>> http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>
> --
>
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick at kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://sec.cs.kent.ac.uk
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
>
> *****************************************************************
>
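The trust point raised in the NAREGI/RAFM discussion in the minutes above (attributes the requester pushes to the PEP must go through the CVS before the PDP sees them; attributes the PEP reads from its own local store do not), worked through as an added example that is not part of the minutes, of the NAREGI authz service or of the GT4 code: a toy PEP/context handler hands pushed attribute assertions to a CVS, keeps only the attributes from assertions issued by a trusted attribute authority and bound to the requesting subject, and builds an XACML-style Subject/Resource/Action request context for a minimal PDP. HMAC-SHA256 with a shared key stands in for the X.509/VOMS attribute-certificate signatures a real CVS would verify; the trust store, policy, subject DN, attribute names and assertion format are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed trust anchors: attribute-authority id -> verification key.
# Stands in for the AA certificates a real CVS would hold (assumption of this example).
TRUSTED_AAS = {
    "voms.example.org": b"constructed-voms-key",
    "hr.example.org": b"constructed-hr-key",
}


def _canonical(issuer, subject, attrs, exp):
    """Deterministic encoding of the fields covered by the signature."""
    return json.dumps(
        {"issuer": issuer, "subject": subject, "attrs": attrs, "exp": exp}, sort_keys=True
    ).encode()


def issue_assertion(issuer, key, subject, attrs, exp):
    """Attribute authority side: bind attrs to a subject and sign them.
    HMAC-SHA256 is a stand-in for an X.509 attribute-certificate signature (assumption)."""
    sig = hmac.new(key, _canonical(issuer, subject, attrs, exp), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "subject": subject, "attrs": attrs, "exp": exp, "sig": sig}


def cvs_validate(assertion, subject, now, trust=TRUSTED_AAS):
    """Credential Validation Service: return the attributes if the assertion is acceptable.
    Rejects unknown issuers, bad signatures, assertions bound to another subject, and
    expired assertions by raising ValueError."""
    key = trust.get(assertion.get("issuer"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(
        key,
        _canonical(assertion["issuer"], assertion["subject"], assertion["attrs"], assertion["exp"]),
        hashlib.sha256,
    ).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        raise ValueError("bad signature")
    if assertion["subject"] != subject:
        raise ValueError("assertion not bound to requester")
    if now >= assertion["exp"]:
        raise ValueError("expired")
    return dict(assertion["attrs"])


def build_request_context(subject, action, resource_id, pushed, local_resource_attrs, now):
    """PEP / context handler: subject attributes come only from CVS-validated assertions;
    resource attributes come from the PEP's own local store and are used as-is.
    Returns the XACML-style request context and the rejected assertions (for logging)."""
    subject_attrs = {"subject-id": subject}
    rejected = []
    for a in pushed:
        try:
            subject_attrs.update(cvs_validate(a, subject, now))
        except ValueError as err:
            rejected.append((a.get("issuer"), str(err)))
    ctx = {
        "Subject": subject_attrs,
        "Resource": {"resource-id": resource_id, **local_resource_attrs},
        "Action": {"action-id": action},
    }
    return ctx, rejected


def pdp_decide(ctx, policy):
    """Minimal PDP: a rule permits when every attribute it names matches the context."""
    for rule in policy:
        if all(ctx[cat].get(k) == v for cat, kv in rule.items() for k, v in kv.items()):
            return "Permit"
    return "Deny"


# Constructed policy: production-role members of VO "atlas" may submit jobs to cluster-a.
POLICY = [
    {"Subject": {"vo": "atlas", "role": "production"},
     "Resource": {"cluster": "cluster-a"},
     "Action": {"action-id": "submit-job"}},
]


def demo():
    """Same request twice: once with a VOMS-issued assertion, once self-asserted."""
    user = "CN=alice,O=Example"  # constructed subject DN
    now = 1_000_000
    good = issue_assertion("voms.example.org", TRUSTED_AAS["voms.example.org"], user,
                           {"vo": "atlas", "role": "production"}, now + 3600)
    # The requester claims the same attributes with no trusted AA behind them.
    forged = issue_assertion("alice-laptop", b"not-a-trusted-aa", user,
                             {"vo": "atlas", "role": "production"}, now + 3600)
    results = {}
    for label, pushed in (("validated", [good]), ("self-asserted", [forged])):
        ctx, rejected = build_request_context(user, "submit-job", "/jobs", pushed,
                                              {"cluster": "cluster-a"}, now)
        results[label] = (pdp_decide(ctx, POLICY), rejected)
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() yields Permit for the VOMS-backed request and Deny for the self-asserted one, with the rejected assertion recorded as ("alice-laptop", "untrusted issuer"). The design choice worth noting is that the PEP never copies pushed attributes into the request context directly; everything the requester supplied passes through cvs_validate, while the resource attributes, which the PEP read locally, bypass it, matching the distinction drawn in the minutes.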