[OGSA-AUTHZ] checkpointing the discussion on VO attributes

David Chadwick d.w.chadwick at kent.ac.uk
Wed Feb 6 07:55:55 CST 2008


Hi Valerio

it seems like the preferred course of action by the ADs is for the 
OGSA-Authz group to publish its existing specs then close down, and 
another group be formed with a new charter to do longer term attribute, 
obligation and other (yet to be decided) stuff.

That's fine by me.

regards

David


Valerio Venturi wrote:
> Hi,
> 
> 
> 
>>> Sounds good. Another similar issue has been issued here and there,
>>> defining XACML attributes and obligation needed for authorization
>>> services. What about including that too? This is something that those
>>> implementing authorization services are facing, as you know, and
>>> community consensus would be very important.
>>> Also, deciding that may help in sorting out one of the main concerns with
>>> the current authz decision spec, that is, having or not having attribute
>>> and obligation definition in the profile.
>>> If we can be sure to have those defined in a separate document to be
>>> released soon, maybe it's ok to remove them from the current spec.
>>> DavidC, what do you think about that?
>>>
>> As I have said all along, I think defining attributes and obligations is
>> a long term project that will mature as more people start to use them. I
>> don't think a quick fix spec is the correct approach, because if it is
>> quick, it won't be complete, and if it is complete it cannot be quick.
>>
> You're totally right, a quick fix spec is not what we need. Having
> a new group working on that seems to me going in the direction
> of more thought, complete documents, which is what we all would
> prefer.
> 
>> Therefore the approach that I have been advocating is a two step one. A
>> quick first stab at a few core attributes and obligations (either in an
>> existing doc so that a charter change is not needed) or as a separate
>> doc (in which case a charter change or new WG is needed) - I don't
> Honestly I've a mild opinion on that. Probably it would be cleaner to
> have separated docs, as someone in the WG suggested, but I don't have
> problems with having some attributes defined in the authz decision
> request spec, and definitely this is not a showstopper.
> 
>> actually mind which approach is taken. But I don't support the creation
>> of a new WG, since this will only dilute the effort we have, and it is
> I understood that the OGSA AuthZ WG is going to finish its work shortly
> after next OGF, or at least continuing at a minimum level, having the
> chartered docs in public comments. So I thought there wouldn't have been 
> a big overlapping between the two WGs.
> Am I wrong?
> I implicitly suggested a change to the charter to include the attribute
> doc in my first mail, and my impression from talking with DavidG and
> Blair in the last months is that they don't feel like changing the WG
> charter.
> Probably a clarification from the area directors on that is needed,
> since this is also related to how they see the future of the security
> area.
> 
> 
>> likely to grow to include further topics (such as obligations :-) as one
>> sees fit. If one is concerned about the progress of the current set of
>> Authz documents it is because very few people are actually contributing
>> to them, and some that are working in the area do not wish to actively
>> contribute.
>>
> I see your point, and I share your disappointment. But we cannot go
> chasing people and force them to commit. It's their choice, and either
> they're not interested in standards or they think it wasn't worth 
> committing.
> As a condition for starting a new WG, we must have a real interest from
> the community. This means both time to commit, and implementation
> experience to share.
> 
>> After the first quick fix has been published then a much longer term
>> project to produce a richer set can start. This longer term project must
>> have an active dynamic set of attributes and obligations that can be
>> added to as the need arises, rather like an IETF/IANA registration
>> authority for well known ports. So it might be a web page that publishes
>> this, rather than a paper document. It mustn't be a static set, of that I
>> am sure (I have enough experience of LDAP schemas to know this)
>>
> Sounds good. I see you're the first to have ideas and attention in these
> topics. I think those things are worth a community effort, I don't mind
> what the name of the group is going to be.
> 
> Valerio
> 
> 
> 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

