[ogsa-wg] Updated Express AuthN Profile docs

Tue Jul 3 20:13:19 CDT 2007

Hi Chris and Bill,

Thank you very much for your notes.

Based on the discussion we've had July 2 call, Andrew is now collecting
*real* Kerberos use case. We would very much appreciate if you could
give us ones.

Draft minutes from July 2nd.
> - A question for the group: Would it be a good idea to also profile a Kerberos
> message-level binding assertion policy within the OGSA-SPSecureSoapMessaging
> profile? The document currently profiles X.509 and
> Username Token binding policies, primarily because of their widespread use /
> ease-of-adoption. Thoughts?
> o Technically reasonable – potential warning of complications when trying
> to merge capabilities (scope creep). However suggest that if your service
> requires Kerberos, then the profile would state how a Kerberos message
> would be handled.
> o Consensus: After a SAML discussion, agreed to leave SAML out of
> express AuthN for now

> - Use-case discussion
> o Use-Case discussions regarding interactions between different Grid
> systems, having gone through X.509 adoption….might have been happy to
> just use Kerberos. Depends on domain, as cross-domains can be difficult,
> in which case X.509 might be better – would like to hear from Enterprise
> Grids. Which portions of system? Integration is important (flexibility).
> - Andrew proposes: Proceed along current course while reaching out to
> communities to determine Kerberos usage and need for inclusion or separate
> document.
> o Consensus: Sounds reasonable. (6:33pm).

https://forge.gridforum.org/sf/go/doc14654

Thanks again,
----
Hiro Kishimoto

-------- Original Message  --------
Subject: Re:[ogsa-wg] Updated Express AuthN Profile docs
From: <bill at computer.org>
To: 'ogsa-wg' <ogsa-wg at ogf.org>
Date: 2007/07/04 2:00

> Hi,
> 
> I agree -- the real use case for us involves forwarding tokens too.
> 
> Best regards,
> 
> - bill
> 
> -----Original Message-----
> From: ogsa-wg-bounces at ogf.org [mailto:ogsa-wg-bounces at ogf.org] On Behalf Of
> Christopher Smith
> Sent: Tuesday, July 03, 2007 8:58 AM
> To: Blair Dillaway; Duane Merrill; ogsa-wg
> Subject: Re: [ogsa-wg] Updated Express AuthN Profile docs
> 
> I, for one, am interested in a profile like this. The Kerberos Token Profile
> seems fine for the authentication step, but one of our main use cases is the
> forwarding of Kerberos tokens for subsequent use in the environment of jobs
> and the like, and I don't think the Kerberos Token Profile covers this at
> all.
> 
> -- Chris
> 
> 
> On 02/7/07 14:51, "Blair Dillaway" <blaird at microsoft.com> wrote:
> 
>> Duane Merrill wrote:
>>> A question for the group: Would it be a good idea to also profile a
>>> Kerberos message-level binding assertion policy within the
>> It might be a good idea and provide value to the community. Before we decide,
>> I think we need to get a better sense of how important a new Kerberos
>> interoperability profile is from the people who deploy and/or provide
>> solutions for organizational grids where Kerberos is already present. If
>> you're in one of these categories, your input would be appreciated.
>>
>> Are there specific grid scenarios where supporting a Kerberos message
>> authentication option is critical?
>> Do you feel the existing OASIS "Web Services Security Kerberos Token Profile
>> v1.1" specification an adequate basis for grid web services interoperability?
>>
>> Regards,
>> Blair Dillaway
>>
>> --
>>   ogsa-wg mailing list
>>   ogsa-wg at ogf.org
>>   http://www.ogf.org/mailman/listinfo/ogsa-wg
> 
> --
>   ogsa-wg mailing list
>   ogsa-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-wg
> 
> 
> --
>   ogsa-wg mailing list
>   ogsa-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-wg
> 
> 