[ogsa-wg] Security Web Service Specifications
Nate Klingenstein
ndk at internet2.edu
Wed Feb 28 13:26:03 CST 2007
Tom,
Excellent questions. Let me go a little bit into my personal views
here.
I have been mentioning ID-WSF in a few different threads, but not
because I have any particular fondness for the specification suite in
particular. It's the structure of three concepts that it supports
that I think are of great importance:
1) ID-WSF provides a way to describe in a security credential a
location, protocol, and identifier to use to retrieve additional
identity information/services associated with that credential. My
general philosophy is "push everything that you can, and if there's
something you can't push, then push what's needed to pull it." ID-WSF
endpoint references in SAML tokens allow for that.
2) The query service is close to what I would consider a
generalization of the attribute authority. It's a better place to
end up at from an endpoint reference because it's more flexible:
return the attributes if you have them, and if not, then point off
towards other places. It offloads from the SP the requirement to
match attributes it needs to identity sources, which has the
potential to customize that functionality per user and also help
preserve privacy.
3) The ability to treat the client device itself as a web service
capable of acting (roughly) as a provider in specialized
circumstances offers interesting delegation and client-generated
credential possibilities.
I don't think the Shibboleth project has made any commitment towards
or against ID-WSF at this point. If we could replicate the pieces of
functionality I describe above in an alternative way, I'd absolutely
support that. Those are the specific pieces of the Liberty
specifications that I'm interested in and the places I'd use it. I
hope that addresses your first set of questions.
There are a lot of overlaps with the other specifications,
particularly WS-Trust and WSRF. I would be very interested in any
suggestions you have about how to represent the functionality I refer
to above using protocols or specs that are more amenable to Globus
integration.
Very useful conversation,
Nate.
On 28 Feb 2007, at 18:49, Tom Scavo wrote:
> Hi Nate,
>
> Could you elaborate a little on where you think Liberty ID-WSF might
> integrate into the protocol stack? Or maybe another way to put this
> is: What components of Liberty ID-WSF (which is huge!) do you think
> are relevant here?
>
> If Shibboleth chooses to align with Liberty, I think that's fine, but
> it's not at all clear to me how this impacts the Grid, and hence my
> questions above. Speaking as a Globus developer, Liberty ID-WSF in
> Globus Toolkit (if that's what you're proposing) will be a hard sell
> since 1) Globus has already made significant investments in
> WS-Security and WS-SecureConversation, and 2) ID-WSF may be
> incompatible with WSRF (in their use of WS-Addressing, in particular).
>
> If you can shed any light on this issue, that would be great.
>
> Thanks,
>
> Tom Scavo
> NCSA
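The "push everything you can, and push what's needed to pull the rest" structure from point 1 above, as an added example that is not part of the thread and is not code from the Shibboleth, Liberty or Globus projects. It builds a constructed SAML 2.0 assertion that pushes some attributes plus an endpoint reference (EPR) to a query/discovery service, then shows the service-provider side deciding which attributes it already has and where to pull the missing ones. The element and attribute names modelled on ID-WSF 2.0 discovery bootstrapping (`urn:liberty:disco:2006-08`, the `DiscoveryEPR` attribute name, `ProviderID`, `ServiceType`) are assumptions to be checked against the spec text; all hostnames and attribute values are constructed, no network call is made, and the assertion is not signed.

```python
"""Push-then-pull: a SAML 2.0 assertion carrying an ID-WSF style endpoint
reference, and a service provider (SP) that uses it to find where to pull the
attributes it did not receive.

Example code added to this archive page; not from the thread's authors or
from any project they mention. Namespaces, element names and the constructed
sample assertion are assumptions; no network calls, no XML signature.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "disco": "urn:liberty:disco:2006-08",  # ID-WSF 2.0 discovery (assumed)
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Attribute Name used by the ID-WSF 2.0 discovery bootstrap to carry an EPR
# inside a SAML assertion (assumed; verify against the Liberty spec).
DISCO_EPR_ATTR = "urn:liberty:disco:2006-08:DiscoveryEPR"


def q(prefix, local):
    """Clark-notation tag for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_assertion(pushed, epr_address=None, provider_id=None, service_type=None):
    """IdP side (constructed): push the attributes we have, and, if given,
    an EPR telling the SP where and with which protocol to pull the rest."""
    assertion = ET.Element(q("saml", "Assertion"),
                           {"ID": "_constructed-1", "Version": "2.0"})
    ET.SubElement(assertion, q("saml", "Issuer")).text = "https://idp.example.org"
    stmt = ET.SubElement(assertion, q("saml", "AttributeStatement"))
    for name, values in pushed.items():
        attr = ET.SubElement(stmt, q("saml", "Attribute"), {"Name": name})
        for value in values:
            ET.SubElement(attr, q("saml", "AttributeValue")).text = value
    if epr_address is not None:
        epr_attr = ET.SubElement(stmt, q("saml", "Attribute"), {"Name": DISCO_EPR_ATTR})
        value = ET.SubElement(epr_attr, q("saml", "AttributeValue"))
        epr = ET.SubElement(value, q("wsa", "EndpointReference"))
        ET.SubElement(epr, q("wsa", "Address")).text = epr_address
        meta = ET.SubElement(epr, q("wsa", "Metadata"))
        ET.SubElement(meta, q("disco", "ProviderID")).text = provider_id
        ET.SubElement(meta, q("disco", "ServiceType")).text = service_type
    return ET.tostring(assertion, encoding="unicode")


def extract_epr(assertion_xml):
    """Return {address, provider_id, service_type} for the pushed EPR, or None.
    A real SP must only honour an EPR found inside an assertion whose signature
    it has verified; otherwise an attacker could redirect the pull to a service
    they control. Signature checking is out of scope for this example."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != DISCO_EPR_ATTR:
            continue
        epr = attr.find("saml:AttributeValue/wsa:EndpointReference", NS)
        if epr is None:
            continue
        return {
            "address": epr.findtext("wsa:Address", namespaces=NS),
            "provider_id": epr.findtext("wsa:Metadata/disco:ProviderID", namespaces=NS),
            "service_type": epr.findtext("wsa:Metadata/disco:ServiceType", namespaces=NS),
        }
    return None


def plan_pull(assertion_xml, required):
    """SP side: use pushed attributes directly; map anything missing to the EPR
    the IdP pushed, and fail closed if something is missing and no EPR exists."""
    root = ET.fromstring(assertion_xml)
    have = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name == DISCO_EPR_ATTR:
            continue
        have[name] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    missing = [name for name in required if name not in have]
    epr = extract_epr(assertion_xml)
    if missing and epr is None:
        raise ValueError("missing %s and no endpoint reference to pull them from" % missing)
    return {"have": have, "missing": missing, "pull_from": epr if missing else None}
```

The SP never has to know in advance which identity source holds a given attribute: the assertion either carries the value or carries a pointer to a service that will answer or redirect further, which is the offloading described under point 2. The hard requirement in practice is that the pointer is only as trustworthy as the signature over the assertion that delivered it.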