[ogsa-wg] Minutes of OGSA-WG Security session 2007-05-31

Alan Sill Alan.Sill at ttu.edu
Thu May 31 09:15:31 CDT 2007 

Here are the minutes of OGSA-WG Security call 2007-05-31, 8:00 - 9:00  
am CDT.

Hiro, can you adjust the list of attendees as necessary?

Thanks,
Alan

Minutes of OGSA Security session

Attendees:
Jack
Andrew Grimshaw
Duane Merrill
Mark Morgan
Chris
Alan Sill
Frank Siebenlist
Hugo Mills

Minutes approval
    - Apr. 23: https://forge.gridforum.org/sf/go/doc14410
    - OGF20:   https://forge.gridforum.org/sf/go/doc14473
    - F2F AuthZ: https://forge.gridforum.org/sf/go/doc14536

-- Approved as posted

Action Item review
     *  AI-0409b: Liberty spec statements on EPRs (compatibility or  
intent vs OGSA BSP) should be checked; are these true and is there  
some difference in interpretation that is unresolvable? - Duane will  
do an initial review to be discussed on the April 23 teleconference

-- Duane concludes that the language and policies are not  
inconsistent, but  not wire compatible.  Liberty is not only an EPR  
provider, but also authentication service.  We have not profiled such  
an implementation, but observe that the schemas are different and  
will require different parsing.  At this level, they are not  
compatible as different implementations of a standard might be, but  
are not incompatible in concept.  There is no equivalent to some  
Liberty ideas in terms of use of identity as a client in what we have  
profiled so far.  There is also a difference in semantics that Duane  
regards as a deficiency in that security mechanisms used to transport  
the message-level content are limited to single strings in Liberty  
EPRs.  The different URI components referenced are not as flexible as  
the Secure Addressing profile.

Andrew refers to a mesage sent out March 20 by Duane (he will refresh  
this reference with a new e-mail shortly) and proposes closing this  
action item.  This was agreed.  Note the discussion can be moved to  
the tracker item on this topic.

2) Use case document and profile review

Andrew noted comments made by by Alan regarding discoverability and  
service requirement description features and indicated that these are  
or will be addressed in the OGSA Security Profile 2.0 - Secure  
Addressing document.  He displayed this document, which is on the  
repository, on Glance for discussion.  This covers usage of EPRs that  
are descriptive, and allow the client to know what it needs to do to  
talk to a given service.  The heart of the document is in he  
definition of hte security context in section 4.  The security  
contacts go into the metadata piece in the EPR.  An example is given  
in the document (see XML beginning with  
"<secaddr:SecurityContext>...").  The example given in the document  
describes a service that expects transport-level X.509, as is common  
practice now, followed by message-leel security for some portion of  
the transaction.  In this particular case, it also says how you would  
expect to authenticate.  The "contexts" allow you to define items  
that can be described in later profiles.

 From a process point of view, Andrew wanted to address a few  
comments received so far at this point.  The trackers are the ones in  
GridForge in the OGSA-WG by Hiro for these items (see  
forge.gridforge.org and navigate to OGSA-WG then Trackers to get  
there).  Under "Addressing" there are a couple of specific items that  
need to be dealt with at this point:

   - A comment was made by Hiro that WS-SecurityPolicy has a  
mechanism for describing how to do such descriptions, but not where.   
Andrew responded that this has been slow to converge, and is more  
general than what we are trying to accomplish here.  Progress is  
being made on that front (i.e., SecurityPolicy) and Duane has been  
studying the draft spec, but the intent here is more specific and  
aimed to be quicker.  We may have to redraft the OGSA work once the  
WS-SecurityPolicy work is complete, but it is not clear yet how or  
when.  The syntax of the schemas are likely to be different once the  
OASIS work is complete.  (See www.oasis-open.org for further details  
on this progress -- look for the ws-wx TC public documents.)  Andrew  
proposes an action item to look into this in detail and see if an  
early recast of our work can be made based on the current status of  
Ws-SecurityPolicy.  Alan noted from the Glance session that an use  
case examples document has recently been posted in WS-SX (May 15)  
that may be useful.

   - Another comment was made by Hiro that use of a MUST ought to  
appear in the profile documents for security contexts, i.e. "A  
provider MUST support one of the following..."  No one seems to own  
this comment, which had come up in the face-to-face meeting.  Some  
discussion with Frank followed, in which the necessity to avoid an  
empty security context was pointed out.  Andrew was concerned that  
any specific limitation will necessarily lose some portion or other  
of the community, and he, Alan and Frank agreed that what is  
necessary is for a given community to specify its accepted set of  
authentication mechanisms and be able to discover, advertise and  
select inclusion of services based on conformance with their desired  
set.  Section 4.4 of the Secure Addressing document fives an example  
of such use.

Comments were made at this point that the Secure Addressing profile  
becomes more of a meta-profile when viewed in this context.   
Interoperability is then expected to be provided in the derived  
profiles for particular security authentication mechanisms (TLS, X. 
509, etc.).  Frank pointed out that this introduces another layer,  
and in this sense is not a true profile in and of itself in the sense  
that it could ensure ineroperability, but Duane and Andrew and Alan  
felt that  the existence of this layer is in fact essential for  
ultimate interoperability.  After discussion, this was agreed to and  
the comment was closed as "resolved."

   - Would this make the OGSA BSP and SP secure channel obsolete?   
Andrew believes that it will, once complete.  Both intend to put key  
information into the EPR.  The combination of Secure Addressing and  
specification of the transport (by the Secure Transport document)  
will eventually supply a key set that will supersede BSP and secure  
channel for the reason that the BSP core does not provide all of the  
features described here.

The comment was closed with notations made by Andrew to this effect.

Next call in this series will be on June 18 (Monday) 6 pm Eastern.


Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU

====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================

More information about the ogsa-wg mailing list