[ogsa-wg] [ogsa-authn-bof] Notes from Joint OGSA WG AuthN/AuthZ call

Fri Jun 22 04:05:04 CDT 2007

Hi Donal

Donal K. Fellows wrote:
> Blair Dillaway wrote:
>> I think we've all been disappointed by the level of
>> participation in the AuthZ area. We really should consider
>> whether continued work on the currently chartered documents is
>> justified and what actions might lead to renewed interest.
>>
>> I've been concerned about this for a while now and have spoken with
>> some with other security professionals about this work. The general
>> response was apathetic.
> 
> That's worrying, but not surprising. While I'm in a project with some
> very good security people, they're not interested in doing standards
> work *at all* at the moment. :-\

This is one of the problems. I believe that your project is more 
representative of the vast majority of projects, rather than my projects 
which always try to contribute towards the standardisation effort.

> 
>> - Isn't the work already being done in OASIS on WS-Trust, XACML,
>> etc. adequate
> 
> It would be nice if we could operate as profiles on those other specs.

but this is PRECISELY what we are doing in the OGSA Authz group. We are 
specifying profiles of XACML, SAML and WS-Trust. It is only by 
implementing common profiles that we can gain interoperability.

> If we can't (and the only way we can tell is by thorough analysis of our
> use-cases, which are certainly fairly sophisticated when we start to
> think about multi-partner collaborations) then it is incumbent upon us
> to feed back this information to the OASIS guys.

If you dont want the OGF to produce profiles for grids, then we should 
indeed shut down the OGSA Authz group and join OASIS to specify our 
profiles there. Is this what you are suggesting?

> 
>> - Standards in this area aren't a priority since most
>> customers don't care about pluggability for these types of
>> components.
> 
> My impression (as someone only intermittently involved) has been that it
> is horrendously difficult even to do the basic stages of interoperable
> AuthN, so the higher-level aspects (such as *all* of AuthZ!) have been
> largely ignored. 

This is not my experience. We successfully specified the OGSA SAML Authz 
profile (GFD.66), implemented it in PERMIS, GT3 and 4, Primea (and more) 
and successfully performed interworking tests. It was not a painful 
experience at all. On the contrary it was very informative.

This suggests to me that a valuable way forward would
> be to put effort into trying to make these basic things work, which is
> very much the focus of the OGSA Express work. Maybe the advanced things
> are more academically interesting, but without the interoperable basic
> parts, it's suspiciously like a castle in the air.

Actually it is possible to do the two in parallel (Authn and Authz) 
since they are to some extent orthogonal. In fact you can use 
proprietary Authn procedures with standard Authz profiles quite 
successfully. So it is not a fixed sequential process.

regards

David

  (There are many
> parallels with other parts of OGSA, such as in execution management
> where the really interesting things are in areas like reservations, but
> much needed to be worked on first so that the foundations could be built
> on which the fun stuff rests.)
> 
> Donal.
> --
>   ogsa-wg mailing list
>   ogsa-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-wg
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************