[ogsa-wg] [OGSA-AUTHZ] [ogsa-authn-bof] Notes from Joint OGSA WG AuthN/AuthZ call

Tom Scavo trscavo at gmail.com
Mon Jun 25 19:59:41 CDT 2007


At a recent OGF AuthZ WG meeting (OGF19 or 20, I forget, but it's in
the minutes), I mentioned the need for an X.509 Binding for SAML
Assertions.  We do this already in Globus CAS and GridShib, but it
needs to be vetted and refined.

I recently learned about a project in the EU that is binding XACML to
X.509, so perhaps we need a more general X.509 Binding for XML with
separate profiles for SAML, XACML, and so forth.

Once we have a standard X.509 Binding, we can profile attribute-based
authz using both pushed and pulled SAML assertions.  We've implemented
a prototype along these lines and numerous issues have come up, which
need vetting and further discussion.

And finally there is the wholly unexplored territory of proxied SAML
assertions, which most people believe are necessary to bridge campuses
and grids, but there's absolutely no agreement on how this should be
done.

Tom Scavo
NCSA

On 6/25/07, Blair Dillaway <blaird at microsoft.com> wrote:
> I don't remember any serious discussion of chartering work in this area, either within the AuthZ WG or elsewhere. So I can only surmise people haven't felt this area is adequately mature. The sessions Von hosted on Grid-Shib technology at OGF's last year certainly indicated a diverse set of approaches were being explored.
>
> Did you and Von discuss this in drafting the current charter? Do you believe things have evolved to the point where we could build critical mass around work in this area? (Of course, I'd love to hear from anyone who thinks the OGF should be doing work in this area.)
>
> Regards,
> Blair
>
>
> David Chadwick wrote:
> >
> > Hi Blair
> >
> > Interestingly there is one aspect of authz that has a significant
> > amount of user interest and that is merging attributes from Shibboleth
> > and Grids to be used together for authz decision making. But this is
> > currently not within the scope of the OGF OGSA Authz group's work plan.
> > So what does this indicate?
> >
> > regards
> >
> > David
> >
> > *****************************************************************
> > David W. Chadwick, BSc PhD
> > Professor of Information Systems Security
> > The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> > Skype Name: davidwchadwick
> > Tel: +44 1227 82 3221
> > Fax +44 1227 762 811
> > Mobile: +44 77 96 44 7184
> > Email: D.W.Chadwick at kent.ac.uk
> > Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> > Research Web site:
> > http://www.cs.kent.ac.uk/research/groups/iss/index.html
> > Entrust key validation string: MLJ9-DU5T-HV8J
> > PGP Key ID is 0xBC238DE5
> >
> > *****************************************************************
>
> --
>   ogsa-authz-wg mailing list
>   ogsa-authz-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>