[OGSA-AUTHZ] OGSA-Authz-WG draft meeting minutes: OGF Jan 29 session

David Chadwick d.w.chadwick at kent.ac.uk
Mon Jan 29 14:10:08 CST 2007



Von Welch wrote:
> Draft notes from today's OGSA-Authz WG meeting. Please send
> corrections or additions. In particular there were protocols referred
> to at a couple of points that need exact identification, which are
> marked with "XXX".
> 
> Von
> 
> ----
> 
> * Preamble
> David brought meeting to order
> Circulated OGF IP sign-in sheet
> Von volunteers to scribe
> 
> * Telecon Update
> 
> Decision: Once every two months, we will take one of the OGSA-WG
> phone call slots to report to the larger community. Next date will be
> March 8th.
> 
> Decision: Telecon dates February 13th, March 7th, April 3rd, April 23rd
> 
> * Functional Components Doc
> Latest version is Oct 24th version
> Outstanding issue: implications of carrying attributes and
> credentials within the same protocol or within different protocols
> [XXX pointer?]

"Functional Components of Grid Service Provider Authorisation Service
Middleware" available from

http://forge.gridforum.org/sf/go/doc13968?nav=1

> Outstanding issue: Id vs URL issue raised by Tom Scavo [XXX
> pointer?]
> Doc should then be ready for WG final call and progression
> to AD
> 
> * Protocol Doc Updates
> Described 3 protocols
> 1) PEP-Context Handler: no profile proposed. Maybe the same as
> protocol #3 if credential equivalent to attributes.

If credentials can be carried in the same field as attributes in the protocol.

> 2) Context Handler-CVS: WS-Trust profile, to be written

No, it's available at

http://forge.gridforum.org/sf/go/doc9011?nav=1

> 3) Context Handler-PDP: proposal XACML request/response protocol
> proposed [Question raised regarding exactly which protocol is being
> referred to here. Concerns from Nate that this has been deprecated.
> XXX pointer?]

The current profile is available from
http://forge.gridforum.org/sf/go/doc13681?nav=1

In it the XACML request context is transported to the PDP in a SAML
request message.

Apparently this OASIS mechanism has been deprecated because it was
(wrongly) thought that no-one was using it. We thus may need to
reconsider this protocol and use a different wrapper to carry the XACML
contexts.

> 
> * Takuyi Mori presentation on NAREGI Authz Service and NAREGI XACML
> profile
> Slides will be sent to the email list
> SAML 2.0 and XACML 2.0 based
> Uses GT authz framework
> Profile between Authz service client (in GT4) and Authz CVS
> Handles VOMS ACs and passes to Authz service
> Presented mapping of attributes from X.509 EEC/VOMS AC into XACML
> Resource Attribute Filtering Mechanism (RAFM) - Reference properties,
> XACML profile has Subject, Resource and Action attributes

There is an issue as to how a resource's attributes are obtained by the
PEP. If the user submits them to the PEP there is a potential trust
issue here, and the attributes will need to be validated by the CVS. If
the PEP obtains them itself from a local store this is not an issue.

> 
> * VOMS profile
> Discussed on Oct 16 telecon - minutes on list
> Meaning of the primary type must be explicit rather than implicit (as
> currently done via sequence)
> Awaiting response from VOMS group
> 
> * Attribute Retrieval Protocol
> Added at last meeting
> OASIS profile for SAML - Tom Scavo author
> 
> * Von Welch resignation as WG chair
> Those who are interested in replacing Von should send email to David
> 
> * Other business
> Tom Scavo: Do we need mechanism to bind SAML to X.509 (equivalent to
> VOMS)?
> David: 2005 X.509 has specification for binding XML to X.509, but
> doesn't specify XML content
> Tom Scavo to investigate how these relate.

David: VOMS is providing a standard SAML protocol interface for picking
up VOMS attributes. A beta is supposed to be ready by April 2007.

regards

David


-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************