[ogsa-wg] Fwd: [caops-wg] OGSA activity to cover authentication and identity provision roadmap
Alan Sill
Alan.Sill at ttu.edu
Thu Oct 5 09:19:17 CDT 2006
FYI -- this is typical of responses.
Alan
Begin forwarded message:
> From: David Groep <davidg at nikhef.nl>
> Date: October 5, 2006 6:54:42 AM CDT
> To: Alan Sill <Alan.Sill at ttu.edu>
> Cc: igtf-general at gridpma.org, Mailing List for CAOPS-WG <caops-wg at ogf.org>,
> gsmv at webapp.lab.ac.uab.edu, gridshib-beta at globus.org
> Subject: Re: [caops-wg] OGSA activity to cover authentication and
> identity provision roadmap
>
> Dear Alan, all,
>
> First of all, I would like to support this proposal, as it could indeed
> provide the focal point for harmonisation amongst the various
> activities in this area that have emerged both inside and those
> (still) outside OGF. Over the past year I feel we have come quite close
> to a kind of "common understanding" of what the issues are, and drafting
> a collective roadmap is IMHO a very timely activity.
>
> Of course, I can happily offer a timeslot during the upcoming EUGridPMA
> meeting to discuss this (of course also completely open to the world and
> community at large: join this part of the meeting via VRVS in
> the "Sky" virtual room, "Earth/Universe" community: www.vrvs.org).
> If the current planning is not optimal (this Friday, Oct 6,
> 11.00 AM CEST=UTC+2), it can also be delayed a few hours.
>
> As I see it, the BoF for this new WG could also address some issues
> I feel we currently have with the CAOPS charter and position with
> respect to other activities in OGF (both with CAOPS being seen as an
> "operations" activity, but even more importantly the possible conception
> that CAOPS is only about the operation of "traditional" X.509 CAs).
> In this respect, I would be highly interested in how others in CAOPS
> see the relationship between CAOPS and such a new group.
> Personally, I think also the IGTF as an operational policy coordination
> body, should have close relationships with both groups, especially
> as they are expanding into new authentication profile models.
>
> There is, however, also an increasing overlap between the activities in
> AuthN and AuthZ. The new federations of organisationally-based
> sources of authority supply attributes and assertions that are
> relevant for both: some attributes relate to what we have
> traditionally seen as authentication (unique names, their long-term
> binding to entities, and the way to prove identity), but others
> by the same source relate more to authorisation (roles, position in
> the organisation &c).
> In the long run there may be not that clear a division between the
> two, especially when multiple sources of authority are involved in
> a combined decision. But this combination of assertions, possibly
> with different assurance levels, and with different levels from
> different sources, will highlight the need to convey such assurance
> levels, and their recognition in policy decisions, in a harmonised
> format and semantics.
> Will the AuthN roadmap address such issues - which I
> think it certainly should - when these assertions relate to
> long-term "AuthN" attributes? Even if the actual assertions are
> more related to what we might now consider "AuthZ" (such as
> organisational role/position)? But that's probably something for
> the BoF to figure out (given sufficient participation from
> the OGSA-AuthZ folks).
>
> Lastly, I think we should advertise this BoF and our intentions
> widely, as there are very many related activities in this area,
> also outside OGF. In particular (with a slight European bias) there
> are the TERENA TF-EMC2 and TF-Mobility groups that to some extent
> rely on or aim for coordination in this domain; there is the
> eduGAIN activity (organised as part of the GEANT2 project); and
> the EuroCAMP meetings on federation (the next one in two weeks in
> Malaga, ES) are all highly relevant to this work. Many of
> our combined groups will attend at least a few of these meetings,
> and -- if we all agree OGSA-AuthN is a good idea -- should take the
> opportunity to get all relevant people around the table at OGF19.
>
>
> Best regards,
> DavidG.
>
>
> Alan Sill wrote:
>> I'd like to suggest to the CAOps and Grid CA community that we
>> attempt to pull together thoughts on grid identity authentication
>> in terms of a roadmap and/or BOF among interested parties,
>> focusing primarily on the AuthN side. This would be a complement
>> to the OGSA-AuthZ activity, which we could clearly call OGSA-AuthN.
>> I realize that we need another working group like, well, a whack
>> on the head, but I have thought about this one a lot and I think
>> that the OGSA process would bring a lot of rationalization to
>> the activities and effort that we are pursuing more or less
>> piecemeal in the search for a workable solution. Among things
>> that we could gain by having such an effort, we could include:
>> - Clear separation from OGSA-AuthZ while still allowing a strong
>> channel for communication
>> - Bringing together several different working groups who are all
>> working on identity provision (as opposed to authorization) for grids
>> - Providing for better communication between the OGSA roadmap and
>> CAOps practices
>> - Providing a context for working groups, such as the Bridge CA
>> and Shibboleth activities, to communicate their findings
>> - Placing OGSA-AuthN and OGSA-AuthZ on a similar footing
>> To follow through on this, I would like to have a brief discussion
>> in the IGTF portion of the upcoming EUGridPMA meeting, followed
>> by a similar discussion at the TAGPMA November face-to-face, and
>> of course encourage similar discussion at the APGridPMA meeting
>> this fall. Any decision to follow this path should be discussed
>> with the incoming area directors of the Security area within the
>> Open Grid Forum, along with specific details about the charter.
>> To make this happen, we could form a BOF to be held at the next
>> OGF conference in North Carolina in January, along the lines of
>> the recent "Shibboleth for Grids" one that we held at GGF 18,
>> with an aim to take on this topic as a roadmap activity directly.
>> Thoughts are extremely welcome and recruited. As a point of
>> background information, I have been discussing this idea among
>> the members of the overall OGSA-WG working group, and have found
>> many useful suggestions and an open reception to this idea. The
>> topic of a BOF as discussed above has been strongly encouraged.
>> Best,
>> Alan
>> Alan Sill
>> TIGRE Senior Scientist
>> High Performance Computing Center
>> TTU
>> ====================================================================
>> : Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
>> : e-mail: Alan.Sill at ttu.edu ph. 806-742-4350 fax 806-742-4358 :
>> ====================================================================
>
>
> --
> David Groep
>
> ** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
> ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
>
>
Alan Sill
TIGRE Senior Scientist
High Performance Computing Center
TTU
====================================================================
: Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
: e-mail: Alan.Sill at ttu.edu ph. 806-742-4350 fax 806-742-4358 :
====================================================================