[OGSA-AUTHZ] checkpointing the discussion on VO attributes

Blair Dillaway blaird at microsoft.com
Wed Feb 6 23:36:14 CST 2008


Hi All,

What David stated is essentially correct. It is really no more effort to charter a new group than to re-charter an existing group with new deliverables. The bar is the same and it is preferred this group wrap up the chartered deliverables before we start on new work.

Also, the OGSA chairs have stated their concern that too many groups were chartered with OGSA in their title. They have asked that future authZ work not be rechartered under the OGSA name unless it meets their bar. That involves a dependency on core OGSA specs as I understand it.

Regards,
Blair

-----Original Message-----
From: ogsa-authz-wg-bounces at ogf.org [mailto:ogsa-authz-wg-bounces at ogf.org] On Behalf Of David Chadwick
Sent: Wednesday, February 06, 2008 5:56 AM
To: Valerio Venturi
Cc: ogsa-authz-wg at ogf.org
Subject: Re: [OGSA-AUTHZ] checkpointing the discussion on VO attributes

Hi Valerio

it seems like the preferred course of action by the ADs is for the
OGSA-Authz group to publish its existing specs then close down, and
another group be formed with a new charter to do longer term attribute,
obligation and other (yet to be decided) stuff.

That's fine by me.

regards

David


Valerio Venturi wrote:
> Hi,
>
>
>
>>> Sounds good. Another similar issue has been issued here and there,
>>> defining XACML attributes and obligation needed for authorization
>>> services. What about including that too? This is something that those
>>> implementing authorization services are facing, as you know, and community
>>> consensus would be very important.
>>> Also, deciding that may help in sorting out one of the main concerns with
>>> the current authz decision spec, that is, having or not having attribute
>>> and obligation definition in the profile.
>>> If we can be sure to have those defined in a separate document to be
>>> released soon, maybe it's ok to remove them from the current spec.
>>> DavidC, what do you think about that?
>>>
>> As I have said all along, I think defining attributes and obligations is
>> a long term project that will mature as more people start to use them. I
>> don't think a quick fix spec is the correct approach, because if it is
>> quick, it won't be complete, and if it is complete it cannot be quick.
>>
> You're totally right, a quick fix spec is not what we need. Having
> a new group working on that seems to me going in the direction
> of more thought, complete documents, which is what we all would
> prefer.
>
>> Therefore the approach that I have been advocating is a two step one. A
>> quick first stab at a few core attributes and obligations (either in an
>> existing doc so that a charter change is not needed) or as a separate
>> doc (in which case a charter change or new WG is needed) - I don't
> Honestly I've a mild opinion on that. Probably it would be cleaner to
> have separated docs, as someone in the WG suggested, but I don't have
> problems with having some attributes defined in the authz decision
> request spec, and definitely this is not a showstopper.
>
>> actually mind which approach is taken. But I don't support the creation
>> of a new WG, since this will only dilute the effort we have, and it is
> I understood that the OGSA AuthZ WG is going to finish its work shortly
> after next OGF, or at least continuing at a minimum level, having the
> chartered docs in public comments. So I thought there wouldn't have been
> a big overlapping between the two WGs.
> Am I wrong?
> I implicitly suggested a change to the charter to include the attribute
> doc in my first mail, and my impression from talking with DavidG and
> Blair in the last months is that they don't feel like changing the WG
> charter.
> Probably a clarification from the area directors on that is needed,
> since this is also related on how they see the future of the security
> area.
>
>
>> likely to grow to include further topics (such as obligations :-) as one
>> sees fit. If one is concerned about the progress of the current set of
>> Authz documents it is because very few people are actually contributing
>> to them, and some that are working in the area do not wish to actively
>> contribute.
>>
> I see your point, and I share your disappointment. But we cannot go
> chasing people and force them to commit. It's their choice, and either
> they're not interested in standards or they think it wasn't worth
> committing.
> As a condition for starting a new WG, we must have a real interest from
> the community. This means both time to commit, and implementation
> experience to share.
>
>> After the first quick fix has been published then a much longer term
>> project to produce a richer set can start. This longer term project must
>> have an active dynamic set of attributes and obligations that can be
>> added to as the need arises, rather like an IETF/IANA registration
>> authority for well known ports. So it might be a web page that publishes
>> this, rather than a paper document. It mustn't be a static set, of that I
>> am sure (I have enough experience of LDAP schemas to know this)
>>
> Sounds good. I see you're the first to have ideas and attention in these
> topics. I think those things are worth a community effort, I don't mind
> what the name of the group is going to be.
>
> Valerio
>
>
>
>

--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************