[OGSA-AUTHZ] OGSA-Authz-WG draft meeting minutes: OGF Jan 29 session
David Chadwick
d.w.chadwick at kent.ac.uk
Mon Jan 29 14:10:08 CST 2007
Von Welch wrote:
> Draft notes from today's OGSA-Authz WG meeting. Please send
> corrections or addition. In particular there were protocols referred
> to at a couple of points that need exact identification, which are
> marked with "XXX".
>
> Von
>
> ----
>
> * Preamble
> David brought meeting to order
> Circulated OGF IP sign-in sheet
> Von volunteers to scribe
>
> * Telecon Update
>
> Decision: Once every two months, we will take one of the OGSA-WG
> phone call slots to report to the larger community. Next date will be
> March 8th.
>
> Decision: Telecon dates February 13th March 7th April 3rd April 23rd
>
> * Functional Components Doc
> Latest version is Oct 24th version
> Outstanding issue: implications of carrying attributes and
> credentials within the same protocol or within different protocols
> [XXX pointer?]
"Functional Components of Grid Service Provider Authorisation Service
Middleware" available from
http://forge.gridforum.org/sf/go/doc13968?nav=1
> Outstanding issue: Id vs URL issue raised by Tom Scavo [XXX
> pointer?]
> Doc should then be ready for WG final call and progression
> to AD
>
> * Protocol Doc Updates
> Described 3 protocols
> 1) PEP-Context Handler: no profile proposed. Maybe the same as
> protocol #3 if credential equivalent to attributes.
if credentials can be carried in same field as attributes in the protocol.
> 2) Context Handler-CVS: WS-Trust profile, to be written
No, it's available at
http://forge.gridforum.org/sf/go/doc9011?nav=1
> 3) Context Handler-PDP: proposal XACML request/response protocol
> proposed [Question raised regarding exactly which protocol is being
> referred to here. Concerns from Nate that this has been deprecated.
> XXX pointer?]
the current profile, available from
http://forge.gridforum.org/sf/go/doc13681?nav=1
in which the XACML request context is transported to the PDP in a SAML
request message.
Apparently this OASIS mechanism has been deprecated because it was
(wrongly) thought that no-one was using it. We thus may need to
reconsider this protocol and use a different wrapper to carry the XACML
contexts.
>
> * Takuyi Mori presentation on NAREGI Authz Service and NAREGI XACML
> profile
> Slides will be sent to the email list
> SAML 2.0 and XACML 2.0 based
> Uses GT authz framework
> Profile between Authz service client (in GT4) and Authz CVS
> Handles VOMS AC's and passes to Authz service
> Presented mapping of attributes from X.509 EEC/VOMS AC into XACML
> Resource Attribute Filtering Mechanism (RAFM) - Reference properties,
> XACML profile has Subject, Resource and Action attributes
There is an issue as to how a resource's attributes are obtained by the
PEP. If the user submits them to the PEP there is a potential trust
issue here, and the attributes will need to be validated by the CVS. If
the PEP obtains them itself from a local store this is not an issue.
>
> * VOMS profile
> Discussed on Oct 16 telecon - minutes on list
> Meaning of the primary type must be explicit rather than implicit (as
> currently done via sequence)
> Awaiting response from VOMS group
>
> * Attribute Retrieval Protocol
> Added at last meeting
> OASIS profile for SAML - Tom Scavo author
>
> * Von Welch resignation as WG chair
> Those who are interested in replacing Von should send email to David
>
> * Other business
> Tom Scavo: Do we need mechanism to bind SAML to X.509 (equivalent to
> VOMS)?
> David: 2005 X.509 has specification for binding XML to X.509, but
> doesn't specify XML content
> Tom Scavo to investigate how these relate.
David: VOMS is providing a standard SAML protocol interface for picking
up VOMS attributes. A beta is supposed to be ready by April 2007
regards
David
>
>
> -- ogsa-authz-wg mailing list ogsa-authz-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
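An added example, not taken from the minutes nor from any OGF or OASIS document, of the Context Handler to PDP transport discussed above: an XACML 2.0 request context built from a grid subject's DN and VOMS FQANs and wrapped in a SAML XACMLAuthzDecisionQuery, with the resource's attributes supplied from the PEP's own local store rather than by the user (the trust point raised in the RAFM discussion). The namespace URIs, the attribute identifiers and the `VO_FQAN` id are assumptions, and the sample DN, FQAN and resource are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces and attribute ids are assumptions, not taken from the minutes.
NS_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS_PROF = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
VO_FQAN = "urn:example:voms:fqan"  # hypothetical id for a VOMS AC group/role
ET.register_namespace("xacml-context", NS_CTX)
ET.register_namespace("xacml-samlp", NS_PROF)


def _attr(parent, attr_id, value):
    """Append one XACML Attribute carrying a single string value."""
    a = ET.SubElement(parent, f"{{{NS_CTX}}}Attribute",
                      AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(a, f"{{{NS_CTX}}}AttributeValue").text = value


def build_query(subject_dn, fqans, resource_id, action, resource_attrs):
    """Context Handler side: XACML Request inside a SAML query.
    resource_attrs come from the PEP's local store, never from the user."""
    q = ET.Element(f"{{{NS_PROF}}}XACMLAuthzDecisionQuery", ID="_q1",
                   Version="2.0", IssueInstant="2007-01-29T20:10:08Z")
    req = ET.SubElement(q, f"{{{NS_CTX}}}Request")
    subj = ET.SubElement(req, f"{{{NS_CTX}}}Subject")
    _attr(subj, SUBJECT_ID, subject_dn)
    for fqan in fqans:  # VOMS AC groups/roles mapped to subject attributes
        _attr(subj, VO_FQAN, fqan)
    res = ET.SubElement(req, f"{{{NS_CTX}}}Resource")
    _attr(res, RESOURCE_ID, resource_id)
    for attr_id, value in resource_attrs.items():
        _attr(res, attr_id, value)
    _attr(ET.SubElement(req, f"{{{NS_CTX}}}Action"), ACTION_ID, action)
    ET.SubElement(req, f"{{{NS_CTX}}}Environment")  # present even if empty
    return ET.tostring(q, encoding="unicode")


def summarize(xml_text):
    """PDP side: unwrap the query and return attributes per category."""
    req = ET.fromstring(xml_text).find(f"{{{NS_CTX}}}Request")
    out = {}
    for cat in ("Subject", "Resource", "Action"):
        d = {}
        for a in req.find(f"{{{NS_CTX}}}{cat}").findall(f"{{{NS_CTX}}}Attribute"):
            val = a.find(f"{{{NS_CTX}}}AttributeValue").text
            d.setdefault(a.get("AttributeId"), []).append(val)
        out[cat] = d
    return out
```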