[OGSA-AUTHZ] Implementations

Tom Scavo trscavo at gmail.com
Sat Mar 22 10:46:36 CDT 2008 

On Sat, Mar 22, 2008 at 11:32 AM, David Chadwick
<d.w.chadwick at kent.ac.uk> wrote:
>
>  we do a dis-service to people by specifying a standard which we know to
>  be deficient beforehand. This will cause even more delays in trying to
>  rectify it (consider for example the OGSA Authz SAML spec, GFD 66, which
>   was only found to be deficient after practical trials, and how long it
>  has taken to produce replacements).

I suppose that is why the OASIS process requires three attestations
(i.e., claims of successful implementation) before OASIS Standard
status can be put to the vote.

>  My suggestion would be to raise a ballot comment now on the current
>  OASIS draft, along with a proposed solution, so that this can be taken
>  into account in the revision.

I tend to agree (reluctantly).  What do others think?

Should the proposed solution require a <ds:KeyInfo> element and
disallow an X509SubjectName identifier, or should it be more lax?
That's really a tough call, I think.

>  If the process is anything like IETF or
>  ISO it should not cause too much of a delay.

Such a change requires that we start from scratch, including another
60-day public review.  The delay will be substantial.

>  Tom Scavo wrote:
>
>
> > On Sat, Mar 22, 2008 at 5:44 AM, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
>  >>  ...the inclusion of a "certificate" needs more elaboration. The
>  >>  inclusion for example of a user's public key certificate proves nothing
>  >>  more than the presence of a DN does, since it is publicly available and
>  >>  an untrustworth grid SP could send any PKC it wished, just as it can
>  >>  send any DN it wished. Therefore one needs to specify the properties of
>  >>  the certificate that are being transferred, which is, that the user is
>  >>  delegating to the grid SP to act on its behalf. A proxy certificate
>  >>  would do this, as would an attribute certificate.
>  >
>  > I totally agree.  Of course this requires a new attribute request
>  > handler at the Shib AA but then a new handler is required for a bare
>  > DN as well, so there's no additional penalty.  I don't know that much
>  > about the VOMS AA, but I'd be surprised if handling a full certificate
>  > turned out to be much of a problem for VOMS.
>  >
>  > We have a dilemma, however.  A formal ballot is currently underway to
>  > promote the OASIS SAML V2.0 Deployment Profiles for X.509 Subjects to
>  > Committee Specification status.  I fully expect this ballot to
>  > succeed.  The next step after Committee Specification is OASIS
>  > Standard (but this last step requires three attestations, which is
>  > unlikely).
>  >
>  > If we introduce a normative change to the profile such as we've been
>  > discussing, we essentially start over.  Presumably the profile could
>  > travel faster through committee this time around since the bulk of it
>  > has already been vetted, but a significant delay is inevitable.
>  >
>  > The other alternative is to specify this new extension of
>  > saml2:BaseIDAbstractType in our Attribute Exchange profile and leave
>  > the OASIS profile alone, flawed as it is.  A third alternative is to
>  > do nothing.
>  >
>  > I'm not sure what to recommend.  I'll let others comment on the
>  > appropriate course of action.
>  >
>  > Tom
>  >
>  >>  Tom Scavo wrote:
>  >>  >
>  >>  > Instead of *requiring* a DN, the name identifier in the query should
>  >>  > be generalized to accommodate the entire certificate (without
>  >>  > excluding the possibility of a naked DN in those situations where it
>  >>  > is warranted).  This can be done using <ds:KeyInfo>, something like
>  >>  > this:
>  >>  >
>  >>  > <saml:Subject>
>  >>  >  <saml:BaseID xsi:type="KeyIdentifierType">
>  >>  >    <ds:KeyInfo>...</ds:KeyInfo>
>  >>  >  </saml:BaseID>
>  >>  > </saml:Subject>
>  >>  >
>  >>  > where KeyIdentifierType is defined as follows:
>  >>  >
>  >>  > <complexType name="KeyIdentifierType">
>  >>  >  <complexContent>
>  >>  >   <extension base="saml:BaseIDAbstractType">
>  >>  >     <sequence>
>  >>  >       <element ref="ds:KeyInfo"/>
>  >>  >     </sequence>
>  >>  >   </extension>
>  >>  >  </complexContent>
>  >>  > </complexType>
>  >
>
>
>
> --
>
>  *****************************************************************
>  David W. Chadwick, BSc PhD
>  Professor of Information Systems Security
>  The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
>  Skype Name: davidwchadwick
>  Tel: +44 1227 82 3221
>  Fax +44 1227 762 811
>  Mobile: +44 77 96 44 7184
>  Email: D.W.Chadwick at kent.ac.uk
>  Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>  Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
>  Entrust key validation string: MLJ9-DU5T-HV8J
>  PGP Key ID is 0xBC238DE5
>
>  *****************************************************************
>

More information about the ogsa-authz-wg mailing list