[ogsa-wg] [OGSA-AUTHZ] [ogsa-authn-bof] Notes from Joint OGSA WG AuthN/AuthZ call

David Chadwick d.w.chadwick at kent.ac.uk
Tue Jun 26 11:37:48 CDT 2007


Hi Tom

Tom Scavo wrote:
> At a recent OGF AuthZ WG meeting (OGF19 or 20, I forget, but it's in
> the minutes), I mentioned the need for an X.509 Binding for SAML
> Assertions.  We do this already in Globus CAS and GridShib, but it
> needs to be vetted and refined.

At OGF 20 we revisited this issue and agreed that we need one for SAML 
Attribute Assertions (but note, not for SAML Authz Decision Statements 
or Authn assertions, just for the attributes in order to be able to pull 
them).


> 
> I recently learned about a project in EU that is binding XACML to
> X.509, so perhaps we need a more general X.509 Binding for XML with
> separate profiles for SAML, XACML, and so forth.

Do you have the name of this project? It's not EGEE, is it?

> 
> Once we have a standard X.509 Binding,

and the purpose of this would be to remove the use of SSL/TLS?? and to 
bind at the application layer rather than the transport layer?

> we can profile attribute-based
> authz using both pushed and pulled SAML assertions.  We've implemented
> a prototype along these lines and numerous issues have come up, which
> need vetting and further discussion.

When you say SAML assertions, this is too generic, since there are three 
types of assertions. Which ones do you mean?

> 
> And finally there is the wholly unexplored territory of proxied SAML
> assertions, which most people believe are necessary to bridge campuses
> and grids, but there's absolutely no agreement how this should be
> done.

You are correct. Proxying is another ball game, which brings its own 
problems and conflicts (such as wanting authoritative assertions signed 
by their sources on the one hand, but going via a proxy and not knowing 
who the source is, on the other).

What we need to do, I believe, is

i) specify the protocols that are needed regardless of the bindings (so 
that the same XML constructs can be passed via a Java API, an SSL 
session, an X.509 binding or whatever). So far we have identified 3 of 
these, one for pulling attribute assertions, one for validating 
credentials and one for getting an authz decision.

ii) specify a set of bindings that should be supported for the above.

regards

David


> 
> Tom Scavo
> NCSA
> 
> On 6/25/07, Blair Dillaway <blaird at microsoft.com> wrote:
>> I don't remember any serious discussion of chartering work in this 
>> area, either within the AuthZ WG or elsewhere. So I can only surmise 
>> people haven't felt this area is adequately mature. The sessions Von 
>> hosted on Grid-Shib technology at OGF's last year certainly indicated 
>> a diverse set of approaches were being explored.
>>
>> Did you and Von discuss this in drafting the current charter? Do you 
>> believe things have evolved to the point where we could build critical 
>> mass around work in this area? (Of course, I'd love to hear from 
>> anyone who thinks the OGF should be doing work in this area.)
>>
>> Regards,
>> Blair
>>
>>
>> David Chadwick wrote:
>> >
>> > Hi Blair
>> >
>> > Interestingly there is one aspect of authz that has a significant
>> > amount of user interest, and that is merging attributes from Shibboleth
>> > and Grids to be used together for authz decision making. But this is
>> > currently not within the scope of the OGF OGSA Authz group's work plan.
>> > So what does this indicate?
>> >
>> > regards
>> >
>> > David
>> >
>> > *****************************************************************
>> > David W. Chadwick, BSc PhD
>> > Professor of Information Systems Security
>> > The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
>> > Skype Name: davidwchadwick
>> > Tel: +44 1227 82 3221
>> > Fax +44 1227 762 811
>> > Mobile: +44 77 96 44 7184
>> > Email: D.W.Chadwick at kent.ac.uk
>> > Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>> > Research Web site:
>> > http://www.cs.kent.ac.uk/research/groups/iss/index.html
>> > Entrust key validation string: MLJ9-DU5T-HV8J
>> > PGP Key ID is 0xBC238DE5
>> >
>> > *****************************************************************
>>
>> -- 
>>   ogsa-authz-wg mailing list
>>   ogsa-authz-wg at ogf.org
>>   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>>
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
