[OGSA-AUTHZ] Latest profile specs

David Chadwick d.w.chadwick at kent.ac.uk
Wed Nov 28 12:38:29 CST 2007


Hi Tom

thanks for your detailed comments. I am now updating the document to 
reflect them. Questions/comments that I want to make are:

i) why did you delete Identity Provider from being synonymous with 
Attribute Authority? If you think they are not technically equivalent 
can you say why.

ii) I suggest changing Credential to Authorisation Credential, because 
as you point out, Credentials are a superset of signed attribute assertions.

iii) concerning the word valid, in 'valid (authorisation) credential', 
it is not overloaded, since this definition is saying precisely what it 
means. It is in fact the equivalent in authorisation terms to that of a 
valid PKC in authentication terms.

iv) you ask how the CIS is different from an AA. They are clearly 
related. An AA is the authority behind the attribute assertions that are 
released, and it does not have to sign the attribute assertions that are 
issued. A CIS is a service of an AA, and it does have to sign the 
assertions. In the grid we are only interested in digitally signed 
tokens (not symmetrically encrypted ones, MACed ones, or unsigned ones). 
So we introduce the CIS to show that it is signed attribute assertions 
that we are concerned with, and the CIS is the service of the AA that 
does this. We also need to have the converse validation service to the 
issuing service, hence the CVS. If we replace CIS by AA, then we should 
also replace CVS, perhaps by AVS.

v) I think it's useful to keep the MS STS terminology in the document 
since some readers may already be familiar with this concept, and it 
gives them a handle on our terminology. It's also good to relate 
different terms together when they are talking about the same conceptual 
entities. This helps people figure out how all these disparate terms fit 
together. (which is related to point i) above)

vi) you asked "You’ve used the terms “application independent 
component”, “application independent service”, and “application 
independent policy engine.” Can this new terminology be consolidated?" 
Clearly the policy engine is a subset of the possible services so I don't 
see any consolidation here. But we could replace component by service, 
so I have done this.

vii) You say about the text 'A user is issued with authorisation 
credentials by the Credential Issuing Service' "This model description 
assumes that the presenter of the credentials is the subject". It wasn't 
meant to. It was meant to imply "Credentials are issued in which the 
user is the holder/subject" but not say anything about who the requestor 
or recipient of the credentials were. I have updated the text appropriately.

I will issue a new version soon

regards

David



Tom Scavo wrote:
> Attached is a modified version of the document "Functional Components
> of Grid Service Provider Authorisation Service Middleware."  I
> corrected a few things, mostly minor, but the bulk of my comments have
> to do with terminology.
> 
> Tom Scavo
> NCSA
> 
> On 10/31/07, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
>> Dear All
>>
>> I have just uploaded the updated XACML and WS-Trust specs as
>> described at the OGF21 meeting to source forge. I have also updated the
>> architecture document to reflect the latest changes. Pointers to the
>> latest 4 docs are in my other email to Tom. The next task is to
>> homogenise the terminology so that they use consistent terminology
>> throughout the entire set.
>>
>> regards
>>
>> David
>>

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
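The issue-then-validate split described in point iv), and the sense of "valid (authorisation) credential" in point iii), as an added example that is not part of the original message or of the OGSA-AuthZ documents: a CIS signs a minimal attribute assertion on behalf of its AA, and a CVS, configured with the AAs it trusts, checks issuer, signature, validity period and subject before releasing the attributes, the same steps a relying party takes for a PKC. The JSON assertion shape, the Ed25519 signature, the issuer and subject names and all type and function names are assumptions made for this example; the profiles discussed in the thread use XACML and WS-Trust encodings, not this format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a minimal attribute assertion; the JSON shape is an assumption for this example,
// not the XACML/SAML encodings used by the profiles in the thread.
type Assertion struct {
	Issuer     string            `json:"issuer"`
	Subject    string            `json:"subject"`
	Attributes map[string]string `json:"attributes"`
	NotBefore  time.Time         `json:"notBefore"`
	NotAfter   time.Time         `json:"notAfter"`
}

// Credential is a signed Assertion: the "authorisation credential" of the email.
type Credential struct {
	Assertion []byte // the exact bytes that were signed
	Signature []byte
}

// CIS is the signing service of an Attribute Authority: the AA stands behind the attributes, the CIS signs them.
type CIS struct {
	Issuer string
	priv   ed25519.PrivateKey
}

func NewCIS(issuer string) (*CIS, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &CIS{Issuer: issuer, priv: priv}, pub, nil
}

// Issue signs an assertion about subject (json.Marshal sorts map keys, so the signed bytes are deterministic).
func (c *CIS) Issue(subject string, attrs map[string]string, nb, na time.Time) (Credential, error) {
	body, err := json.Marshal(Assertion{Issuer: c.Issuer, Subject: subject, Attributes: attrs, NotBefore: nb, NotAfter: na})
	if err != nil {
		return Credential{}, err
	}
	return Credential{Assertion: body, Signature: ed25519.Sign(c.priv, body)}, nil
}

// CVS is the Credential Validation Service, the converse of the CIS: it holds the CIS keys of trusted AAs.
type CVS struct{ trusted map[string]ed25519.PublicKey }

func NewCVS(issuer string, pub ed25519.PublicKey) *CVS {
	return &CVS{trusted: map[string]ed25519.PublicKey{issuer: pub}}
}

var (
	ErrUntrustedIssuer = errors.New("issuer is not a trusted AA")
	ErrBadSignature    = errors.New("signature does not verify")
	ErrNotYetValid     = errors.New("credential not yet valid")
	ErrExpired         = errors.New("credential expired")
	ErrWrongSubject    = errors.New("credential is about a different subject")
)

// Validate is the authorisation analogue of validating a PKC: trusted issuer, good signature over the
// exact bytes, inside the validity period, about the expected subject. Only then are attributes released.
func (v *CVS) Validate(cred Credential, subject string, now time.Time) (map[string]string, error) {
	var a Assertion
	if err := json.Unmarshal(cred.Assertion, &a); err != nil {
		return nil, err
	}
	pub, ok := v.trusted[a.Issuer] // cases are checked in order, so Verify never sees a missing key
	switch {
	case !ok:
		return nil, ErrUntrustedIssuer
	case !ed25519.Verify(pub, cred.Assertion, cred.Signature):
		return nil, ErrBadSignature
	case now.Before(a.NotBefore):
		return nil, ErrNotYetValid
	case now.After(a.NotAfter):
		return nil, ErrExpired
	case a.Subject != subject:
		return nil, ErrWrongSubject
	}
	return a.Attributes, nil
}

func main() {
	cis, pub, _ := NewCIS("aa.example.org") // constructed AA name; errors ignored only in this demo
	cvs := NewCVS("aa.example.org", pub)
	now := time.Now()
	cred, _ := cis.Issue("CN=alice", map[string]string{"role": "member"}, now, now.Add(time.Hour))
	fmt.Println(cvs.Validate(cred, "CN=alice", now))
	cred.Signature[0] ^= 1 // a tampered or re-signed credential is rejected by the CVS
	fmt.Println(cvs.Validate(cred, "CN=alice", now))
}
```

The CVS returns attributes only after every check passes, so a policy engine downstream can treat anything it receives from the CVS as coming from a trusted AA; the AA itself never signs anything here, which is the CIS/AA distinction point iv) draws.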

