[ogsa-wg] Notes from Joint OGSA WG AuthN/AuthZ call
David Chadwick
d.w.chadwick at kent.ac.uk
Thu Jun 21 11:21:06 CDT 2007
Thanks Alan,
this is a very good set of minutes.
David
Alan Sill wrote:
> OGSA AuthN/AuthZ joint call
>
> Chris
> David
> Mark Morgan
> Andrew Grimshaw
> Frank Siebenlist
> Jack
> Hiro Kishimoto
> Alan Sill
> Andreas Savva
> Stephen
>
> Agenda items:
>
> OGSA-AuthZ update (David Chadwick)
> OGSA-AuthN update (Alan Sill)
>
> David summarized the current state of the OGSA-AuthZ work. No
> progress or changes have taken place since OGF-20 on the document set
> from the AuthZ work group.
>
> Jargon for below:
> PDP = policy decision point
> PEP = policy enforcement point
> PIP = policy information point
>
> GFD-66 and 67 (65?) status
> GFD-66 was intended to describe the relation between PDPs and PEPs
> Previous version of GFD-66 based on SAML 1.1 was implemented by
> several groups and found to be insufficient.
>
> An architecture document was written by David and others to propose 3
> protocols: one for pulling credentials from an IdP or AA according to
> any of several protocols profiled by OASIS and others, an XACML
> protocol, and a credential validation service profile defined
> according to WS-Trust. Alan requested that David get a document
> number for this architecture document and David agreed to move this
> along the path to formalization. It would be good to publish this as
> an informational document, with the 3 protocols pulled into separate
> documents.
>
> Frank said that progress at Argonne on this has been slowed by work
> being done for GT4.2 - all security programmers have been pulled onto
> that work and have not had sufficient time available for standards work.
>
> GFD-66 had value but does not extend to sufficiently realistic
> complex real-world use case requirements, for example validating
> signed credentials, interactions with PIPs, etc.
>
> For requirements gathering, David put up a wiki but got very few
> submissions. Stephen points out that people see a need for security
> but do not see the relevance of the work done here, and socialization
> of the work being done here is not sufficiently seen as connected to
> real-world needs. Alan agreed that this is an important component of
> the work and is exactly what Duane, Mark and Andrew have been trying
> to do in the requirements-gathering work they have been doing for the
> short-term AuthN documentation work.
>
> Frank did not understand the disconnect, as the XACML work for
> example has been driven by strong communication between developers
> and community segments that have requested this work. Andrew says
> that the exercise of writing a use-case document has proven itself
> even in circumstances in which the use cases are thought to be
> well-known. Stephen and Alan felt this to be true even though writing
> such documents can be a chore.
>
> People are often stuck on simple cases when the community doing work
> on standards is often focused on more advanced use cases. Andrew
> pointed out that documenting even the simple use cases is of value
> and must be written down to get rid of this barrier for users; some
> of the work being done for the HPC profile was driven by this need.
>
> Last week David sent out a document written from the point of view of
> Authorization meant to match some of the current "simple AuthN"
> work. Mark more or less simultaneously requested such a document.
> Discussion followed as to whether AuthZ can be folded into the
> current security profile "express" documentation work being done, or
> instead whether another document to address "express authZ" should be
> written. Andrew prefers simple short documents over grand scheme
> documents at this stage. Another document in this series entitled
> "OGSA Security Profile 2.0 - Authorization" would be helpful. David
> agreed to look at this and will go through the current set from this
> perspective.
>
> Moving on to authentication topics, Alan is ready now to restart work
> on the OGSA-AuthN topics. Motivations here include examining the
> technical requirements of implementations and ensuring that the
> documentation and standards set offered by OGSA is sufficiently
> flexible and well-specified to allow interoperable implementations
> based on different technologies. As an example, Alan asks why
> WS-Security is so SOAP-oriented, when grid implementations could be
> written from the same WSDL and XML to produce code using different
> RPC methods. Other motivations include ensuring that Shibboleth grid
> integration can be done on a well-defined standards basis within
> OGSA; while this is largely an AuthZ question, we need to make sure
> that the OGSA-AuthN pieces and basis for this work are sufficiently
> documented, understood and specified. A documentation call series
> will be started sometime in July to get this work going.
>
> Simultaneously, work should be continued to complete the "express
> profile" documentation series.
>
> Hiro asked about the timing of the next joint call. David has Sep.
> 13 down as the next joint call. Hiro offered time at the Sunnyvale
> F2F Aug. 13-16.
>
>
> Alan Sill, Ph.D
> TIGRE Senior Scientist, High Performance Computing Center
> Adjunct Professor of Physics
> TTU
>
> ====================================================================
> : Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
> : e-mail: Alan.Sill at ttu.edu ph. 806-742-4350 fax 806-742-4358 :
> ====================================================================
>
>
> --
> ogsa-wg mailing list
> ogsa-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/ogsa-wg
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
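The minutes above use the PDP / PEP / PIP vocabulary and note that GFD-66 fell short on realistic cases such as validating signed credentials and consulting a PIP. The following is an added illustration of that split, written for this page; it is not OGSA-AuthZ, GFD-66 or Globus code and makes no claim about the XACML or WS-Trust wire formats. The credential format, the HMAC stand-in for a real signature, the trust store, the PIP table and the policy rules are all constructed for the example.

```python
"""Toy PEP / PDP / PIP / credential-validation flow (added example).

Not OGSA-AuthZ or GFD-66 code. The message shapes, the HMAC stand-in
for a real signature, and the sample policy are assumptions made here.
"""
import hashlib
import hmac
import json

# Constructed trust store: Attribute Authorities (AAs) the validation
# service trusts. A real deployment would hold AA public keys; HMAC is
# used here only so the example runs offline.
TRUSTED_AA_KEYS = {"aa.example.org": b"constructed-demo-key"}

# Constructed PIP data: resource attributes the requester does not carry.
PIP_RESOURCE_OWNER = {"/data/alice": "alice", "/data/bob": "bob"}


def issue_credential(issuer, subject, attrs, key):
    """AA side: produce a signed attribute assertion (constructed format)."""
    body = json.dumps({"issuer": issuer, "subject": subject, "attrs": attrs},
                      sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def validate_credential(cred):
    """Credential Validation Service: return the asserted body only if the
    issuer is trusted and the signature verifies; otherwise None.
    The PDP must never see attributes that did not pass this step."""
    body = json.loads(cred["body"])
    key = TRUSTED_AA_KEYS.get(body.get("issuer"))
    if key is None:
        return None  # untrusted or unknown issuer
    expected = hmac.new(key, cred["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None  # tampered or forged assertion
    return body


def pip_lookup(resource):
    """PIP: supply resource attributes the PDP needs but the request lacks."""
    return {"owner": PIP_RESOURCE_OWNER.get(resource)}


# Constructed rule set, XACML-like in spirit only: each rule has an effect
# and a condition over (subject attrs, resource attrs, action).
POLICY = [
    {"effect": "Deny",
     "when": lambda s, r, a: a == "delete" and s.get("role") != "admin"},
    {"effect": "Permit",
     "when": lambda s, r, a: s.get("role") == "admin"},
    {"effect": "Permit",
     "when": lambda s, r, a: a in ("read", "write") and r["owner"] == s["id"]},
]


def pdp_decide(subject, resource, action):
    """PDP: deny-overrides combining; anything not explicitly permitted is
    denied. Resource attributes are pulled from the PIP on demand."""
    res_attrs = pip_lookup(resource)
    permitted = False
    for rule in POLICY:
        if rule["when"](subject, res_attrs, action):
            if rule["effect"] == "Deny":
                return "Deny"
            permitted = True
    return "Permit" if permitted else "Deny"


def pep_authorize(cred, resource, action):
    """PEP: validate the pulled credential first, then ask the PDP.
    A validation failure is enforced as Deny without consulting the PDP."""
    body = validate_credential(cred)
    if body is None:
        return "Deny"
    subject = {"id": body["subject"], **body["attrs"]}
    return pdp_decide(subject, resource, action)


if __name__ == "__main__":
    key = TRUSTED_AA_KEYS["aa.example.org"]
    alice = issue_credential("aa.example.org", "alice", {"role": "user"}, key)
    print(pep_authorize(alice, "/data/alice", "read"))    # Permit
    print(pep_authorize(alice, "/data/bob", "read"))      # Deny
    forged = dict(alice, body=alice["body"].replace("user", "admin"))
    print(pep_authorize(forged, "/data/bob", "delete"))   # Deny
```

The point the example makes, as against a PDP/PEP-only model, is that the enforcement path has three distinct trust decisions: whether the assertion's issuer is trusted and its signature intact (validation service), which attributes of the resource are in play (PIP), and what the rules say (PDP). Collapsing the first into the PDP is exactly what makes a self-asserted "role": "admin" dangerous.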