[ogsa-wg] Security Web Service Specifications

Nate Klingenstein ndk at internet2.edu
Wed Feb 28 13:26:03 CST 2007


Tom,

Excellent questions.  Let me go a little bit into my personal views  
here.

I have been mentioning ID-WSF in a few different threads, but not  
because I have any particular fondness for the specification suite in  
particular.  It's the structure of three concepts that it supports  
that I think are of great importance:

1)  ID-WSF provides a way to describe in a security credential a  
location, protocol, and identifier to use to retrieve additional  
identity information/services associated with that credential.  My  
general philosophy is "push everything that you can, and if there's  
something you can't push, then push what's needed to pull it."  ID-WSF  
endpoint references in SAML tokens allow for that.
2)  The query service is close to what I would consider a  
generalization of the attribute authority.  It's a better place to  
end up at from an endpoint reference because it's more flexible:  
return the attributes if you have them, and if not, then point off  
towards other places.  It offloads from the SP the requirement to  
match attributes it needs to identity sources, which has the  
potential to customize that functionality per user and also help  
preserve privacy.
3)  The ability to treat the client device itself as a web service  
capable of acting (roughly) as a provider in specialized  
circumstances offers interesting delegation and client-generated  
credential possibilities.

I don't think the Shibboleth project has made any commitment towards  
or against ID-WSF at this point.  If we could replicate the pieces of  
functionality I describe above in an alternative way, I'd absolutely  
support that.  Those are the specific pieces of the Liberty  
specifications that I'm interested in and the places I'd use it.  I  
hope that addresses your first set of questions.

There are a lot of overlaps with the other specifications,  
particularly WS-Trust and WSRF.  I would be very interested in any  
suggestions you have about how to represent the functionality I refer  
to above using protocols or specs that are more amenable to Globus  
integration.

Very useful conversation,
Nate.
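The pattern in points 1 and 2 above (a token that pushes what it can and carries a pointer for the rest, and a query service that either answers or refers onward), as an added Python example that is not part of this thread; the SAML, WS-Addressing and Liberty disco namespace URIs, the DiscoveryEPR attribute name, the sample token and the stand-in services are assumptions and constructed data.

```python
import xml.etree.ElementTree as ET
# Assumed namespace URIs and attribute name (SAML 2.0, WS-Addressing, Liberty disco).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "disco": "urn:liberty:disco:2006-08"}
EPR_ATTR = "urn:liberty:disco:2006-08:DiscoveryEPR"
# Constructed sample token: one pushed attribute plus an endpoint reference to pull from.
TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:disco="urn:liberty:disco:2006-08">
 <saml:AttributeStatement>
  <saml:Attribute Name="eduPersonAffiliation">
   <saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:liberty:disco:2006-08:DiscoveryEPR"><saml:AttributeValue>
   <wsa:EndpointReference><wsa:Address>https://idp.example.org/disco</wsa:Address>
    <wsa:Metadata><disco:ProviderID>https://idp.example.org</disco:ProviderID></wsa:Metadata>
   </wsa:EndpointReference></saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

def parse_token(xml):
    """Split a token into pushed attributes and (address, provider) pointers."""
    pushed, eprs = {}, []
    for a in ET.fromstring(xml).iterfind(".//saml:Attribute", NS):
        if a.get("Name") != EPR_ATTR:
            pushed[a.get("Name")] = [v.text for v in a.iterfind("saml:AttributeValue", NS)]
            continue
        for e in a.iterfind(".//wsa:EndpointReference", NS):
            eprs.append((e.findtext("wsa:Address", namespaces=NS),
                         e.findtext("wsa:Metadata/disco:ProviderID", namespaces=NS)))
    return pushed, eprs

# Constructed stand-in for query services: (attributes it holds, pointers it refers on to).
SERVICES = {
    "https://idp.example.org/disco": ({}, [("https://hr.example.org/q", "https://hr.example.org")]),
    "https://hr.example.org/q": ({"mail": ["nate@example.org"]}, []),
}

def resolve(token_xml, wanted, trusted, max_hops=3):
    """Use pushed values first, then pull the rest by following trusted pointers."""
    attrs, queue = parse_token(token_xml)
    missing = [w for w in wanted if w not in attrs]
    while missing and queue and max_hops > 0:
        addr, provider = queue.pop(0)
        max_hops -= 1
        if provider not in trusted or addr not in SERVICES:
            continue  # skip pointers from providers the SP does not trust
        answers, referrals = SERVICES[addr]
        attrs.update({n: answers[n] for n in missing if n in answers})
        missing = [m for m in missing if m not in attrs]
        queue += referrals
    return attrs, missing
```

The referral hop limit and the provider check are the two places where an SP that follows pointers instead of matching identity sources itself still keeps control over where it pulls from.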

On 28 Feb 2007, at 18:49, Tom Scavo wrote:

> Hi Nate,
>
> Could you elaborate a little on where you think Liberty ID-WSF might
> integrate into the protocol stack?  Or maybe another way to put this
> is: What components of Liberty ID-WSF (which is huge!) do you think
> are relevant here?
>
> If Shibboleth chooses to align with Liberty, I think that's fine, but
> it's not at all clear to me how this impacts the Grid, and hence my
> questions above.  Speaking as a Globus developer, Liberty ID-WSF in
> Globus Toolkit (if that's what you're proposing) will be a hard sell
> since 1) Globus has already made significant investments in
> WS-Security and WS-SecureConversation, and 2) ID-WSF may be
> incompatible with WSRF (in their use of WS-Addressing, in particular).
>
> If you can shed any light on this issue, that would be great.
>
> Thanks,
>
> Tom Scavo
> NCSA
