[ogsa-wg] OGSA Primer Newest Latest draft - v5

Marty Humphrey humphrey at cs.virginia.edu
Fri Oct 12 07:01:47 CDT 2007


"OGSA Security" has the challenge of asserting and showing relevance to the
broader community; just assuming relevance is a mistake in my opinion.
One way to assert relevance is to clearly identify requirements that are
arguably unique to "OGSA Security".
To state that delegation is to be merely implicitly "tossed in with
security policy and credential management" is a mistake and fails to exploit
an obvious opportunity to directly assert relevance.

-- Marty
From: ogsa-wg-bounces at ogf.org [mailto:ogsa-wg-bounces at ogf.org] On Behalf Of
Duane Merrill III
Sent: Friday, October 12, 2007 3:49 AM
To: Blair Dillaway; ogsa-wg at ogf.org
Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
With regard to some of Blair's comments:
[Primer]

>>> "OGSA security model addresses trust management via the profiling of
>>> mechanisms defined in the WS-Trust specification in order to realize trust
>>> relationships as rules and policies for mapping identities and credentials
>>> among the involved organization domains."

[Blair's comments]

> WS-Trust focuses on a protocol for obtaining, exchanging, validating, ...
> security tokens. Section 2 briefly discusses trust policies and mentions
> some mechanism for establishing the base trust policy. These are,
> however, non-normative and not required by WS-Trust. It also doesn't
> address issuance policy at a token service. So it's not really a sufficient
> basis for establishing "trust relationships as rules and policies".

WS-Trust doesn't establish relationships, it helps realize established
relationships.  This sentence is basically saying that:

*	WS-Trust establishes the notion of token services
*	Token services are useful for mapping identities and credentials
among security domains
*	The mapping of identities and credentials is the
realization/incarnation of trust relationships
*	Vague hinting that the model will incorporate the profiling of
WS-Trust to establish more normative behavior
[Blair's comments con't.]

> I find it surprising the subject of delegation of access rights isn't even mentioned.

Aren't we just assuming everyone will use SecPAL assertions?  
Honestly, one might argue that delegation of access rights should be treated
in the same vein as security token types; claims of delegation criteria will
probably have to be federated in a similar vein as tokens themselves.  Thus
delegation is tossed in with security policy & credential mechanism: all to
be the responsibility of the service providers and profiled in the
common-cases by the OGSA security architecture.

-Duane
----- Original Message ----- 

From: "Blair Dillaway" <blaird at microsoft.com>

To: <ogsa-wg at ogf.org>

Sent: Friday, October 05, 2007 7:29 PM

Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
> Hi all,
> 
> I have reviewed the latest draft and posted my comments into the tracker.
> I assigned the item to Andreas assuming he'd know who'd be interested in
> comments on the different sections.
> 
> Regards,
> Blair
> 
>> -----Original Message-----
>> From: ogsa-wg-bounces at ogf.org [mailto:ogsa-wg-bounces at ogf.org] On
>> Behalf Of Andreas Savva
>> Sent: Wednesday, October 03, 2007 6:39 PM
>> To: Hiro Kishimoto; Alan Sill
>> Cc: ogsa-wg at ogf.org
>> Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
>>
>> After the last Primer review I created an issue tracker. Please post
>> issues relating to this document to
>> https://forge.gridforum.org/sf/tracker/do/listArtifacts/projects.ogsa-wg/tracker.ogsa_primer
>>
>> Also the latest version of the document may be retrieved from
>> https://forge.gridforum.org/sf/go/doc14408?nav=1
>>
>> Thanks Duane for uploading.
>>
>> Andreas
>>
>> Hiro Kishimoto wrote:
>> > Thanks Alan,
>> >
>> > Please provide your feedback to Duane and Andrew.
>> > We will review revised document on Oct. 19 (Fri) at
>> > OGSA-WG F2F meeting in OGF21 Hotel. Please join us in
>> > person or dial-in.
>> >
>> > http://www.google.com/calendar/embed?src=ogsa.wg%40gmail.com
>> >
>> > Thanks,
>> > ----
>> > Hiro Kishimoto
>> >
>> > -------- Original Message  --------
>> > Subject: Re:[ogsa-wg] OGSA Primer Newest Latest draft - v5
>> > From: Alan Sill <Alan.Sill at ttu.edu>
>> > To: Duane Merrill <dgm4d at virginia.edu>
>> > Cc: ogsa-wg at ogf.org
>> > Date: 2007/10/03 23:05
>> >
>> >> I am traveling today and tomorrow and will miss this discussion.  I
>> >> do intend to contribute something in this area soon.
>> >>
>> >> I think the direction that has been started with the Express
>> Profile,
>> >> including work to allow SSL/TLS and possibly Kerberos
>> communications,
>> >> as examples, and to allow services to "express" the AuthN methods
>> >> that they respect, and can use, is potentially very important, and
>> >> with some work, might find real-world use case possibilities in the
>> >> not too distant future.  (I realize that this was not the sense of
>> >> "express" meant here, but could not resist the pun.)  There are some
>> >> projects of which I am aware that could use exactly this feature in
>> >> the near future.  SO just wanted to encourage work to continue in
>> >> this area.
>> >>
>> >> Alan
>> >>
>> >> On Oct 1, 2007, at 3:04 PM, Duane Merrill wrote:
>> >>
>> >>> Everyone, I have updated the primer document to include a draft of
>> >>> Section 3.5: Security.  I realize that it is always tenuous to
>> >>> submit a large section to a document hours before it is up for
>> >>> review, and I apologize.  If anyone has the time to inspect the new
>> >>> section, feedback and suggestions this evening would be fantastic.
>> >>> I've uploaded it to Gridforge as v.5 and attached it to this mail
>> >>> as well.
>> >>>
>> >>> Duane
>> >>>> ----- Original Message -----
>> >>>> From: Andrew Grimshaw
>> >>>> To: ogsa-wg at ogf.org
>> >>>> Sent: Thursday, September 20, 2007 12:34 PM
>> >>>> Subject: [ogsa-wg] Latest draft - v4
>> >>>>
>> >>>> All,
>> >>>>
>> >>>> Attached is the latest draft of the primer. Most of the pieces are
>> >>>> now in place. We still need sections 3.4-3.7, and of course
>> >>>> reviews by people.  The section on the data center use case is
>> >>>> waiting for whoever wanted it in there to write it.
>> >>>>
>> >>>>
>> >>>>
>> >>>> The adoption section I'd like to talk about in a conference call
>> >>>> to make sure it is a) correct, and b) saying what we want it to
>> say.
>> >>>>
>> >>>>
>> >>>>
>> >>>> Summary will wait till the end.
>> >>>>
>> >>>>
>> >>>>
>> >>>> A
>> >>>>
>> >>> <OGSA Primer -v5.doc>
>>
>>
>> --
>> Andreas Savva
>> Fujitsu Laboratories Ltd
>>
>> --
>>   ogsa-wg mailing list
>>    ogsa-wg at ogf.org
>>    http://www.ogf.org/mailman/listinfo/ogsa-wg
> --
>  ogsa-wg mailing list
>   ogsa-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-wg
>
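The mechanism Duane's reply describes, a token service that maps identities and credentials between security domains with delegation claims federated the same way as the tokens themselves, as an added example that is not part of this thread and is not WS-Trust or SecPAL: each domain runs a toy TokenService whose HMAC-SHA256-signed JSON tokens carry a subject, a rights list and a delegation chain; the relying domain holds a trust table (issuer to key), an identity-mapping table and a per-issuer rights policy, and issues a local token only after all three checks pass. The domain names, subjects, rights, keys and the 600-second lifetime are assumptions made up for the example.

```python
"""Toy cross-domain token service with delegation (constructed example; not
WS-Trust or SecPAL). Tokens are JSON signed with HMAC-SHA256 under a per-domain
key; a domain issues tokens, lets a subject delegate a subset of its rights,
and exchanges a trusted foreign token for a local one after mapping the
identity and filtering rights against its own policy."""
import base64
import hashlib
import hmac
import json


class TokenError(Exception):
    pass


def _encode(payload):
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def _decode(body):
    return json.loads(base64.urlsafe_b64decode(body))


def _mac(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class TokenService:
    def __init__(self, domain, key):
        self.domain, self.key = domain, key
        self.trusted = {}         # issuer domain -> verification key
        self.identity_map = {}    # (issuer domain, foreign subject) -> local subject
        self.allowed_rights = {}  # issuer domain -> rights this domain will honour

    def issue(self, sub, rights, now=0, chain=()):
        """Issue a local token; 'chain' lists the delegators it was derived through."""
        body = _encode({"iss": self.domain, "sub": sub, "rights": sorted(rights),
                        "chain": list(chain), "iat": now, "exp": now + 600})
        return body + "." + _mac(self.key, body)

    @staticmethod
    def _verify(key, token, now):
        body, _, mac = token.rpartition(".")
        if not hmac.compare_digest(_mac(key, body), mac):
            raise TokenError("bad signature")
        payload = _decode(body)
        if now >= payload["exp"]:
            raise TokenError("expired")
        return payload

    def verify_local(self, token, now=0):
        return self._verify(self.key, token, now)

    def delegate(self, delegator_token, to_sub, rights, now=0):
        """Reissue a subset of the delegator's rights to to_sub, extending the chain."""
        p = self.verify_local(delegator_token, now)  # only tokens we issued verify here
        if not set(rights) <= set(p["rights"]):
            raise TokenError("delegating rights the delegator does not hold")
        return self.issue(to_sub, rights, now, p["chain"] + [p["sub"]])

    def exchange(self, foreign_token, now=0):
        """Map a trusted foreign token onto a local identity and local policy."""
        iss = _decode(foreign_token.rpartition(".")[0])["iss"]  # unverified: selects key only
        if iss not in self.trusted:
            raise TokenError("untrusted issuer")
        p = self._verify(self.trusted[iss], foreign_token, now)
        local_sub = self.identity_map.get((iss, p["sub"]))
        if local_sub is None:
            raise TokenError("no identity mapping")
        rights = set(p["rights"]) & self.allowed_rights.get(iss, set())
        chain = [iss + ":" + s for s in p["chain"] + [p["sub"]]]
        return self.issue(local_sub, rights, now, chain)


def _setup():
    # Assumed domains, keys and policy tables for the example.
    a, b = TokenService("A", b"domain-A-secret"), TokenService("B", b"domain-B-secret")
    b.trusted["A"] = a.key  # toy shortcut: B holds A's MAC key, so B could also forge A tokens
    b.identity_map.update({("A", "alice"): "a-alice", ("A", "bob"): "a-bob"})
    b.allowed_rights["A"] = {"read"}
    return a, b


def demo():
    """alice (domain A) delegates to bob; bob's delegated token is exchanged at B."""
    a, b = _setup()
    alice = a.issue("alice", ["read", "submit", "admin"])
    bob = a.delegate(alice, "bob", ["read", "submit"])
    return b.verify_local(b.exchange(bob))


def failure_cases():
    """Return the TokenError message each bad request produces."""
    a, b = _setup()
    alice = a.issue("alice", ["read"])
    rogue = TokenService("C", b"domain-C-secret").issue("alice", ["read"])
    tampered = alice[:-1] + ("0" if alice[-1] != "0" else "1")
    results = {}
    for name, attempt in [
        ("over_delegation", lambda: a.delegate(alice, "bob", ["admin"])),
        ("untrusted_issuer", lambda: b.exchange(rogue)),
        ("tampered", lambda: b.exchange(tampered)),
        ("expired", lambda: b.exchange(alice, now=601)),
        ("unmapped_subject", lambda: b.exchange(a.issue("carol", ["read"]))),
    ]:
        try:
            attempt()
            results[name] = "accepted"
        except TokenError as e:
            results[name] = str(e)
    return results
```

Two points the toy makes visible. First, the relying domain's token service applies its own issuance policy: bob presents "read" and "submit" delegated from alice in A, but B honours only what its policy for issuer A allows and records the full chain A:alice, A:bob in the token it issues, which is the per-token-service issuance policy Blair notes WS-Trust leaves unspecified. Second, sharing A's MAC key with B is a shortcut that also lets B forge A's tokens; a real token service signs with an asymmetric key so that relying domains hold only the verification key.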
