[ogsa-wg] Minutes of OGSA-WG + OGSA-AuthZ Joint telephone call 8 Mar 2007

[Alan Sill]

Minutes of OGSA-WG + OGSA-AuthZ Joint telephone call 8 Mar 2007

Attending:
Hiro Kishimoto
Dave Snelling
Marg Murray
Dave Chadwick
Chris Kantarjiev
David Groep
Dwayne Merrill
Mark Morgan
Andrew Grimshaw

Proposed Agenda from David Snelling:

1) Clarify the need for AuthZ standards in a Grid. Do we need AuthZ
standards within in a single enterprise or only with distributed grids.

2) Review the scope of the current AuthZ WG. Are they doing frameworks
only, or are they defining roles and their  semantics? What is the scope
of these and how is extensibility managed?

3) Are the AuthZ requirements the same for both Enterprise and eScience?

4) Is there something in needed in AuthZ that is either a) not being
addressed by the AuthZ-WG or b) needed is a short time frame as a  
stop gap?

Dave S. reviewed the above agenda.  Agenda bashing ensued.  David C.  
felt Item 3 should be addressed first.  A wiki for requirements has  
been created but has not been heavily trafficked yet.

David S. asked whether AuthZ is best considered local or non-local.   
Alan responded that in his view, authorization always takes place  
locally, but often must be informed by factors that come from outside  
of the local boundary.  David C. pointed out that this discussion,  
while true, is at a different level than the current activities of  
the OGSA-AuthZ group, which focuses on protocols for transmission of  
authorization-related information, rather than particular specific  
schema or attributes.  (This was an important principle in getting  
AuthZ activities going forward in a useful way toward standardization  
of the _syntax_ of attributes.)  He held out the example of LDAP,  
which went through a similar evolution.

Marg Murray asked about the split between authN and authZ as it  
relates to virtual organizations.  David C. reviewed the agreement  
that has been underlying the OGSA AuthZ work to date that assumes  
that VOs will be authoritative for some but not all attributes, just  
as institutions are authoritative for some but not all attributes, so  
what is needed and what the group has been working on has been  
methods to encode, transmit and understand attributes.

Andrew joined and gave the opinion that advertisement, discovery and  
communication of information is preferable to hard specification of  
attributes, which is consistent with the above.

Moving on to the roadmap, David C. referred to the OGF-16 SAML-based  
profile, which was felt to be deficient compared to the community  
assessment of needs.  Two profiles are being worked on by the group  
at present, one based on XACML and one based on WS-Trust, and an  
architecture document.  These are current in the OGSA-AuthZ gridforge  
pages.  There is also a document describing these deficiencies from  
the previous approach, which include: inability to describe  
obligations (solved in the XACML case), need to describe parameters  
of actions, etc.  Note the XACML-over-SAML approach used here has NOT  
been deprecated by OASIS, as reported earlier e.g. at OGF-20,  
according to David C. as per an e-mail that he will forward to the  
group.

David S. proposed that the above discussion covers agenda item 2) for  
today, if supplemented by e-mails documenting the above points by  
those who made them.  There does seem to be work for a framework for  
authorization that goes beyond the WS standards available to the  
community.  Andrew pointed out a statement by Nate Klingenstein at  
last week's meeting regarding work by the Liberty Alliance that  
specifies extensions to WS-Security -- we need to track down a  
reference on this.  Dwayne clarified that this specifies usage of the  
key within the metadata in an EPR.  David C. said that we cannot  
escape the fact that every credential can in principle have a policy  
associated with or attached to it.  It may be a usage field or a  
policy context.  Thus the encoding format for that policy should be  
standardized.  In X.509 this is done by a complex arrangement of  
OIDs.  The recipient of a credential can always choose to ignore such  
policy statements, of course.

David S. asked whether existing work covers the topic of  
advertisement of authorization requirements  on the part of a given  
resource to describe what it needs to make an authZ decision.  David  
C. said that there is a feature in XACML that could support this, but  
that this work has not been completely fleshed out yet by documents  
produced by OGSA-AuthZ.  The PEP is the application-dependent piece;  
other application dependence is factored out.  Andrew asks how can  
one determine what needs to be sent along in the SOAP?  David C. (and  
Alan agreed) replied that some of these requirements may be published  
out of band, for efficiency, privacy or other reasons that do not  
necessarily have to interfere with such discovery.

Reviewing the agenda, David S. stated that item 1) is also answered  
now as well.  Item 3) may require more extended discussion.  A  
requirements roll-up activity is taking place throughout OGF now and  
he felt that this should be brought up at the next such roll-up meeting.

In terms of item 4), are there any short-term actions or needs that  
we can identify?  David C. felt that interaction with credential  
issuing services to determine whether a given credential service can  
respond to a specific request needs to be documented.  The field  
definition needs a look, too.  Andrew asked whether there are use  
cases driving these requirements.  The use cases he is looking at are  
simpler and don't seem to require some of the above.  Dave S. pointed  
him to the wiki and asked for input.

Andrew reminded the group of the informational document being worked  
on as a result of last week's discussion, and that this has been sent  
out to the OGSA-WG list.  Hiro asked for review of this document to  
be scheduled in the Thursday F2F Security session.

Hiro asked about the next joint call in this series.  Candidates are  
Mar. 29, April 5,  12 and 19.  None of April dates would work for  
David C. so Mar. 29th was selected and agreed to.

Respectfully,

Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU

====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================