[ogsa-wg] [ogsa-authn-bof] Notes from Joint OGSA WG AuthN/AuthZ call

Blair Dillaway blaird at microsoft.com
Thu Jun 21 13:40:34 CDT 2007


Hi All:

Excellent notes Alan. My apologies for missing this discussion, but
I had other obligations. I have several comments on the issues
discussed (only excerpts included for brevity).

>  Andrew says
> that the exercise of writing a use-case document has proven itself
> even in circumstances in which the use cases are thought to be well-
> known.

I fully concur. Getting use-cases documented and socialized
with the expected contributors/adopters is a critical step. It
establishes scope, helps convey the value, and identifies the expected
application of the standard.

> Last week David sent out a document written from the point of view of
> Authorization meant to match some of the current "simple AuthN"
> work. ...
> Discussion followed as to whether AuthZ can be folded into the
> current security profile "express" documentation work being done, or
> instead whether another document to address "express authZ" should be
> written.

Adding such a document to the work could be reasonable.
It does seem the 'express' work would benefit from writing down
a defined scope for the current work to avoid incremental
scope expansion.

> Alan asks why WS-Security is so SOAP-oriented, when grid
> implementations can be written based on the same WSDL and XML that
> could provide code using different RPC methods?

The question to ask here is whether grids should move toward
relying on web services as the basis for interoperability? There is
certainly a strong push in this direction, which I support. Web
services are based on the use of SOAP messaging. WS-Security's
official name is "Web Services Security: SOAP Message Security".
Hence, the focus on SOAP messaging. If one wishes to use other
protocols, such as RPC, there are other security standards
which are appropriate.

> Moving on to authentication topics Alan is ready now to restart work
> on the OGSA-AuthN topics....
> Simultaneously, work should be continued to complete the "express
> profile" documentation series.

While there are certainly interesting AuthN topics to
discuss which go beyond the identified 'express' work, I am very
concerned about having two AuthN groups working in parallel. It
has been difficult to achieve critical mass on OGF security
standards work and I fear we'll end up with inadequate
engagement on both efforts. I suggest we look seriously
at combining these efforts. Is there a scope/sequencing of work
which makes sense where the 'express' profiles are the first
set of deliverables for a more broadly chartered group?
I don't personally care if such a group is officially part
of OGSA or the Security area.

I raised this issue at OGF20, but haven't heard from anyone
regarding their opinion on having one versus two efforts.


On a separate thread, David Chadwick wrote:
> Concerning the Authz agenda item, there is no progress to report since
> OGF20. One thing we might like to consider is how do we engage the
> community more in contributing to this work, or do we just throw in our
> hats and say that no-one is really interested in pushing the authz work
> forward anymore
and Alan wrote:
> For requirements gathering, David put up a wiki but got very few
> submissions.  Stephen points out that people see a need for security
> but do not see the relevance of the work done here, and socialization
> of the work being done here is not sufficiently seen as connected to
> real-world needs.

I think we've all been disappointed by the level of
participation in the AuthZ area. We really should consider
whether continued work on the currently chartered documents is
justified and what actions might lead to renewed interest.

I've been concerned about this for a while now and have spoken with
some other security professionals about this work. The general
response was apathetic. Major comments were along the lines of:
- Isn't the work already being done in OASIS on WS-Trust, XACML,
etc. adequate?
- Standards in this area aren't a priority since most
customers don't care about pluggability for these types of
components.
I have found it difficult to present a compelling counter to
such arguments.

> Hiro asked about the timing of the next joint call.  David has Sep.
> 13 down as the next joint call.  Hiro offered time at the Sunnyvale
> F2F Aug. 13-16.

FYI, I will not be able to attend the F2F.


Regards,
Blair Dillaway

