[ogsa-wg] Notes from OGSA EAP call 06/18

Duane Merrill dgm4d at virginia.edu
Mon Jul 2 15:47:30 CDT 2007


Attendees:

Mark Morgan (UVa)
Duane Merrill (UVa)
Blair Dillaway (Microsoft)
Steven Newhouse (Microsoft)
David Chadwick (Kent U)
Chris Kantarjiev (Oracle)
Hiro Kishimoto (Fujitsu)
ZackK

Agenda Items:

- Present the transition of these documents to target the 
WS-SecurityPolicy grammar (Duane Merrill)
- Address any relevant trackers (Duane Merrill)

Duane gave an overview of the transition from a Liberty-like security 
policy assertion mechanism for EPRs to a WS-SecurityPolicy based 
scheme.  Ran through an example contained in all three profile documents 
that addresses components from each (Addressing, Transport, SOAP messaging).

Discussion on whether or not to consolidate profile documents into one 
document.  Pros: less "pointer chasing" to read.  Cons: what to do about 
partial compliance, how to effect partial derivation for 
as-yet-to-be-created subprofiles, monolithic document paradigm inviting 
more policy-related complexity (such as AuthZ requirements).  General 
consensus is to keep orthogonal EPR security profiling separate, 
lightweight.

Discussion (spurred by comments from Frank, David, I believe) about 
adding/profiling mechanism for expressing AuthZ policy requirements 
(beyond simple credential/token-type statements), such as "You must be 
able to present a SAML token asserting your membership in group XYZ".  
While useful, consensus was that this type of profiling for EPR authZ 
policy should go into a separate profile for which separate conformance 
claims can be made.

Because the documents were published earlier that afternoon, Duane 
recommended to the group that everyone review them and follow up with 
discussion on the OGSAWG mailing list.


____________________
Duane Merrill
dgm4d at cs.virginia.edu
Computer Science Department
University of Virginia



