[ogsa-wg] OGSA-AuthN-WG charter effort: the Seven Questions

Alan Sill Alan.Sill at ttu.edu
Thu Oct 26 09:24:27 CDT 2006


On Oct 23, 2006, at 9:29 PM, Hiro Kishimoto wrote:

> The Seven Questions
>
> 1. Is the scope of the proposed group sufficiently focused?

The scope of the proposed group is strictly limited to authentication  
technologies for use within grid services architectures.  As such, I  
believe it is sufficiently focused, although the relation to  
corresponding activities in authorization and in the activities of  
other work groups is important and clear.

> 2. Are the topics that the group plans to address clear and relevant
> for the Grid research, development, industrial, implementation, and/or
> application user community?

Authentication is a key security step in any chain of grid services  
usage.  Up to now, most grid applications have either used no  
security (for testing purposes), a limited and often self-signed  
configuration again mostly for testing purposes, or have had to rely  
on pure deployment of X.509 technology infrastructures.  Some  
extensive community practice has grown up in the academic community,  
especially with regard to deployment at and between the large-scale  
national laboratories and universities on an international basis, and  
siloed implementations exist within industry, as well as some federal  
non-laboratory organizations.  It is a goal of this work group to  
document current practice and to extend the standards basis for  
development of AuthN technologies within all of the above  
communities.  Another significant output will be recommendations for  
future work in this area, taking into account all relevant  
technological development in this area.  Interoperability will also  
be an important factor, of course.

> 3. Will the formation of the group foster (consensus–based) work that
> would not be done otherwise?

Yes.  Several conversations on related technologies have sprung up  
naturally within segments of the affected communities, as described  
above.  The existence of an OGSA AuthN work group would allow  
concentration and coordination of these conversations and  
recommendations in a context that is explicitly connected to the  
overall OGSA standards effort.

> 4. Do the group’s activities overlap inappropriately with those of
> another OGF group or to a group active in another organization such as
> IETF or W3C? Has the relationship, if any, to the Open Grid Services
> Architecture (OGSA) been determined?

There is no other effort exclusively devoted to this task within  
OGSA.  Polling of the membership of other groups active in the  
authentication and authorization areas has resulted in strong support  
for the idea of a specific OGSA effort.  Groups that have been  
polled include the following:

CA-Ops: Within the current OGF structure, this group is defined as an  
operations group responsible for Certificate Authority standards and  
participation.  It is the parent body (in a historical sense) of the  
IGTF described below.

International Grid Trust Federation (IGTF): an independent body  
comprised of three regional policy management authorities (PMAs) with  
membership consisting of grid certificate authority providers and (in  
some cases) relying parties with an interest in the operational  
policies and procedures of the CA providers.  The primary mechanism  
of operation of the IGTF is through the development and common  
accreditation of CAs against specific, detailed CP/CPS statements  
within the context of Authentication Profiles (APs); APs exist for  
"classic PKI" deployments as well as short-lived credential and  
experimental services.  Within the context of the IGTF PMA charters,  
interest has been growing in improving the variety and accessibility  
of grid authentication methods while retaining the ability to work  
with existing grid deployments with high security.

OGSA-AuthZ: This group is focused on authorization technologies.  A  
variety of useful documents has been successfully produced through  
various incarnations of this group to date.  Its membership is  
supportive of a corresponding OGSA-AuthN effort.

Shibboleth for Grids BoF: This BoF was held at GGF-18 and its  
activities are documented at the URL
http://grid.ncsa.uiuc.edu/events/ggf18-shib-bof/ for reference.  Although focused primarily on  
authorization, Shibboleth technologies are consumers of  
authentication information and a great deal of activity is being  
devoted to understanding the interaction between Shibboleth and the  
needs of grids.  The participants in the BoF mailing list are  
strongly supportive of an OGSA-AuthN effort.

> 5. Are there sufficient interest and expertise in the group’s topic,
> with at least several people willing to expend the effort that is
> likely to produce significant results over time?

Yes.  A significant short-term effort should be exerted to identify  
authors of the proposed documents and a co-chair in the near future.

> 6. Does a base of interested consumers (e.g., application developers,
> Grid system implementers, industry partners, end-users) appear to
> exist for the planned work?

Yes.  The BoF planned for the next OGF meeting should provide  
opportunities for organization of work in this area.

> 7. Does the OGF have a reasonable role to play in the determination of
> the technology?

Yes, as described above.  One specific output of the group that would  
be made possible by the OGF will be production of an OGF document  
with recommended standards for OGSA-AuthN.

Respectfully submitted,

Alan Sill
TIGRE Senior Scientist
High Performance Computing Center
TTU

====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================


