[ogsa-wg] [ogsa-authn-bof] Notes from Joint OGSA WG AuthN/AuthZ call

Wed Jun 27 11:43:16 CDT 2007

This is something that we at NeSC (and I know many others) are
interested in. My own personal perspective on the OGF AuthN and AuthZ
work is that it is something everyone recognises as important, but that
the detailed specification of the standards is not something many
can/are able to usefully contribute to. (I think this is similar across
many of the OGF standards areas). Case in point on the recent thread
between David and Tom on how to use SAML AuthZ statements vs XACML
contexts etc. How many folk in OGF-land are able to decide on the
advantages/disadvantages of these things?

We at NeSC are predominantly technology end users supporting a wide
variety of e-Research projects. We have applied the implementations of
the authN/authZ specs, e.g. the SAML AuthZ API, and identified their
limitations etc, but it is only when these things have been implemented
by the likes of the Globus and PERMIS teams for example, that we can
really play an effective role. I think that this resonates across all of
OGF activities be it DAIS specs for building data Grids, JSDL/BES specs
for compute Grids etc.

I am not sure how mature the Shibboleth/authZ has to be to be in order
to be explored within OGF. I definitely think that workshops/OGF
meetings showing how folk have built VOs/Campus Grids etc using the
likes of Shibboleth, VOMS and other AAs, with authZ technologies such as
PERMIS is needed/essential, i.e. I think the authN/authZ work should be
as much about sharing expertise in how best to build secure Grids/VOs as
it is on pursuing standards.

Cheers,
Rich

-----Original Message-----
From: ogsa-wg-bounces at ogf.org [mailto:ogsa-wg-bounces at ogf.org] On Behalf
Of Blair Dillaway
Sent: 26 June 2007 01:10
To: David Chadwick
Cc: OGSA Authentication WG BoF; OGSA AUTHZ WG; OGSA-WG
Subject: Re: [ogsa-wg] [ogsa-authn-bof] Notes from Joint OGSA WG
AuthN/AuthZ call

I don't remember any serious discussion of chartering work in this area,
either within the AuthZ WG or elsewhere. So I can only surmise people
haven't felt this area is adequately mature. The sessions Von hosted on
Grid-Shib technology at OGF's last year certainly indicated a diverse
set of approaches were being explored.

Did you and Von discuss this in drafting the current charter? Do you
believe things have evolved to the point where we could build critical
mass around work in this area? (Of course, I'd love to hear from anyone
who thinks the OGF should be doing work in this area.)

Regards,
Blair

David Chadwick wrote:
>
> Hi Blair
>
> Interestingly there is one aspect of authz that has a significant 
> amount of user interest and that is merging attributes from Shibboleth

> and Grids to be used together for authz decision making. But this is 
> currently not within the scope of the OGF OGSA Authz group's work
plan.
> So what does this indicate?
>
> regards
>
> David
>
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security The Computing Laboratory, 
> University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick at kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site:
> http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5
>
> *****************************************************************

--
  ogsa-wg mailing list
  ogsa-wg at ogf.org
  http://www.ogf.org/mailman/listinfo/ogsa-wg