[ogsa-wg] OGSA Primer Newest Latest draft - v5
Duane Merrill
dgm4d at virginia.edu
Fri Oct 12 13:48:30 CDT 2007
Things that I would suggest we communicate re: delegation in the primer:
* Delegation is a useful feature to be addressed and supported by
the architecture. (I hesitate at making it a /requirement /for
participating in the architecture: composition of features,
no-pay-no-play, etc.). Perhaps also include a motivating simple
generic use-case of: "I want to run my job, the executor needs to
obtain resources/input on my behalf, etc."
* Delegation mechanisms have historically been closely tied to
credential mechanisms (e.g., X-509 proxy certs and MyProxy,
holder-of-key SAML assertions, etc.), which we have stated the
OGSA is to be flexible with in terms of type, subject to profiling
by the OGSA security model. (Grand-unifying delegation
specifications pending....)
* Delegation statements that are included within or alongside
credentials will face federation issues that trust policy will
have to address in addition to simple token-mapping (i.e., what
happens during credential mapping between security domains)
Although my original statement was somewhat flippant, I would still
consider this treatment of delegation as "tossing it in with the current
treatment of credentials and security policy": in many cases the
important decisions regarding requirements for type and semantics/policy
will remain with the service provider and their trust agreements.
-Duane
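A small added illustration of the federation point raised above (example code, not from the thread, OGSA or SecPAL): a delegation statement that travels alongside a credential has to be rewritten through the same identity mapping the credential went through, or the resource provider sees principals it does not know. The principal map, the `@provider.example` names, the record layout and the reading of 07/09/2008 as 2008-07-09 are all assumptions made for the demo.

```python
"""Constructed demo: re-mapping a delegation statement across a domain
boundary.  The statement shape loosely mirrors the thread's SecPAL-style
example; the syntax and names here are invented, not SecPAL's grammar."""
from dataclasses import dataclass, replace
from datetime import datetime


@dataclass(frozen=True)
class Delegation:
    issuer: str          # principal granting the right ("Alice")
    delegate: str        # principal receiving it ("Cluster")
    action: str          # e.g. "read"
    resource: str        # e.g. "/project/data"
    not_after: datetime  # validity bound taken from the statement's condition


# Constructed identity map for one federation edge: home-domain names as the
# resource provider's domain knows them (what a token service mapping yields).
HOME_TO_PROVIDER = {
    "Alice": "alice@provider.example",
    "Cluster": "cluster-svc@provider.example",
}


def map_delegation(d: Delegation, principal_map: dict) -> Delegation:
    """Rewrite both principals through the mapping the credential went through.
    A principal with no federated equivalent raises KeyError; a provider should
    treat that as 'no delegation' rather than guess a local identity."""
    return replace(d, issuer=principal_map[d.issuer],
                   delegate=principal_map[d.delegate])


def authorize(d: Delegation, known_principals: set, requester: str,
              action: str, resource: str, now_iso: str) -> bool:
    """Provider-side check: every principal must be locally known, the request
    must match the delegated right exactly, and the time bound must hold."""
    if d.issuer not in known_principals or d.delegate not in known_principals:
        return False  # unmapped (foreign) names: the provider cannot vouch for them
    if requester != d.delegate or action != d.action or resource != d.resource:
        return False
    return datetime.fromisoformat(now_iso) < d.not_after


# Constructed sample: "Alice says Cluster can read /project/data if now < 2008-07-09".
SAMPLE = Delegation("Alice", "Cluster", "read", "/project/data",
                    datetime(2008, 7, 9))
PROVIDER_PRINCIPALS = set(HOME_TO_PROVIDER.values())
```

Running `authorize` on `SAMPLE` unmapped returns False even for a valid request, while the output of `map_delegation` authorizes the mapped cluster principal until the bound passes.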
Blair Dillaway wrote:
>
> ... correction. I meant 'x.509 proxy certificates', not attribute
> certificates, in the first paragraph below.
>
> /Blair
>
> *From:* Blair Dillaway
> *Sent:* Friday, October 12, 2007 11:00 AM
> *To:* 'Duane Merrill III'; Marty Humphrey; ogsa-wg at ogf.org
> *Subject:* RE: [ogsa-wg] OGSA Primer Newest Latest draft - v5
>
>
>
> Duane,
>
>
>
> My reasons for asking about delegation are in line with Marty's
> concern. Delegation is a long standing requirement in Grid systems
> that has been discussed for many years and a number of different
> approaches have been developed for addressing it. For example, all the
> work around technologies such as attribute certificates and MyProxy
> servers. I believe an OGSA primer should at least acknowledge these needs.
>
>
>
> While I happen to think SecPAL provides a great way to express
> delegations, it's still a research project and I would not suggest
> you reference it in this primer.
>
>
>
> Re: 'realizing trust relationships'
>
>
>
> You seem to be interpreting your sentence in a way I find very odd. I
> expect many other people will not read this as you seem to intend and
> I suggest you re-word it.
>
>
>
> Regards,
>
> Blair
>
>
>
> *From:* ogsa-wg-bounces at ogf.org [mailto:ogsa-wg-bounces at ogf.org] *On
> Behalf Of *Duane Merrill III
> *Sent:* Friday, October 12, 2007 8:13 AM
> *To:* Marty Humphrey; ogsa-wg at ogf.org
> *Subject:* Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
>
>
>
> Marty, perhaps you miss my point.
>
>
>
> I was not suggesting that the model "wave its hands vigorously"
> regarding delegation requirements. In fact, quite the opposite: I am
> not aware of any spec or profile that gives consideration to
> delegation requirements within a federated model. For example, a
> SecPAL delegation statement like "Alice says Cluster can read
> /project/data if currentTime() < 07/09/2008" may have to undergo
> mapping during federated access to adjust the principals due to
> credential translation, or perhaps to translate the requirement to a
> different delegation policy language understood by the resource
> provider, etc.
>
>
>
> I was suggesting that the model address delegation with the same
> attitude as it addresses credential and security policy mechanisms;
> opportunities to assert relevance arise from filtering these features
> through the OGSA philosophies of site-autonomy,
> separation-of-policy-and-mechanism, etc. It may not jibe with the
> philosophies to require a specific brand of delegation in the same
> vein that it doesn't fly to mandate a specific global credentialing
> mechanism or a specific set of secure communication requirements.
>
>
>
> -Duane
>
> ----- Original Message -----
>
> *From:* Marty Humphrey <mailto:humphrey at cs.virginia.edu>
>
> *To:* ogsa-wg at ogf.org <mailto:ogsa-wg at ogf.org>
>
> *Sent:* Friday, October 12, 2007 8:01 AM
>
> *Subject:* Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
>
>
>
> "OGSA Security" has the challenge of asserting and showing
> /relevance/ to the broader community; just assuming relevance is a
> mistake in my opinion.
>
>
>
> One way to assert relevance is to clearly identify requirements
> that are arguably unique to "OGSA Security".
>
>
>
> To state that delegation is to be merely implicitly "tossed in
> with security policy and credential management" is a mistake and
> fails to exploit an obvious opportunity to directly assert relevance.
>
>
>
> -- Marty
>
> *From:* ogsa-wg-bounces at ogf.org [mailto:ogsa-wg-bounces at ogf.org]
> *On Behalf Of *Duane Merrill III
> *Sent:* Friday, October 12, 2007 3:49 AM
> *To:* Blair Dillaway; ogsa-wg at ogf.org
> *Subject:* Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
>
>
>
> With regard to some of Blair's comments:
>
>
>
> *[Primer]*
>
> >>> "OGSA security model addresses trust management via the profiling of
> >>> mechanisms defined in the WS-Trust specification in order to realize trust
> >>> relationships as rules and policies for mapping identities and credentials
> >>> among the involved organization domains."
>
> *[Blair's comments]*
>
> > WS-Trust focuses on a protocol for obtaining, exchanging, validating, ...
> > security tokens. Section 2 briefly discusses trust policies and mentions
> > some mechanism for establishing the base trust policy. These are,
> > however, non-normative and not required by WS-Trust. It also doesn't
> > address issuance policy at a token service. So it's not really a sufficient
> > basis for establishing "trust relationships as rules and policies".
>
> WS-Trust doesn't /establish/ relationships, it helps /realize/ established
> relationships. This sentence is basically saying that:
>
> * WS-Trust establishes the notion of token services
> * Token services are useful for mapping identities and credentials among
> security domains
> * The mapping of identities and credentials is the realization/incarnation
> of trust relationships
> * Vague hinting that the model will incorporate the profiling of WS-Trust
> to establish more normative behavior
>
>
>
> *[Blair's comments con't.]*
>
> > I find it surprising the subject of delegation of access
> rights isn't even mentioned.
>
>
>
> Aren't we just assuming everyone will use SecPAL assertions?
>
>
>
> Honestly, one might argue that delegation of access rights should
> be treated in the same vein as security token types; claims of
> delegation criteria will probably have to be federated in a
> similar vein as tokens themselves. Thus delegation is tossed in
> with security policy & credential mechanism: all to be the
> responsibility of the service providers and profiled in the
> common-cases by the OGSA security architecture.
>
> -Duane
>
>
>
> ----- Original Message -----
>
> From: "Blair Dillaway" <blaird at microsoft.com
> <mailto:blaird at microsoft.com>>
>
> To: <ogsa-wg at ogf.org <mailto:ogsa-wg at ogf.org>>
>
> Sent: Friday, October 05, 2007 7:29 PM
>
> Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
>
>
>
> > Hi all,
> >
> > I have reviewed the latest draft and posted my comments into the
> tracker. I assigned the item to Andreas assuming he'd know who'd
> be interested in comments on the different sections.
> >
> > Regards,
> > Blair
> >
> >> -----Original Message-----
> >> From: ogsa-wg-bounces at ogf.org <mailto:ogsa-wg-bounces at ogf.org>
> [mailto:ogsa-wg-bounces at ogf.org] On
> >> Behalf Of Andreas Savva
> >> Sent: Wednesday, October 03, 2007 6:39 PM
> >> To: Hiro Kishimoto; Alan Sill
> >> Cc: ogsa-wg at ogf.org <mailto:ogsa-wg at ogf.org>
> >> Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
> >>
> >> After the last Primer review I created an issue tracker. Please post
> >> issues relating to this document to
> >>
> >> https://forge.gridforum.org/sf/tracker/do/listArtifacts/projects.ogsa-wg/tracker.ogsa_primer
> >>
> >> Also the latest version of the document may be retrieved from
> >> https://forge.gridforum.org/sf/go/doc14408?nav=1
> >>
> >> Thanks Duane for uploading.
> >>
> >> Andreas
> >>
> >> Hiro Kishimoto wrote:
> >> > Thanks Alan,
> >> >
> >> > Please provide your feedback to Duane and Andrew.
> >> > We will review revised document on Oct. 19 (Fri) at
> >> > OGSA-WG F2F meeting in OGF21 Hotel. Please join us in
> >> > person or dial-in.
> >> >
> >> > http://www.google.com/calendar/embed?src=ogsa.wg%40gmail.com
> >> >
> >> > Thanks,
> >> > ----
> >> > Hiro Kishimoto
> >> >
> >> > -------- Original Message --------
> >> > Subject: Re:[ogsa-wg] OGSA Primer Newest Latest draft - v5
> >> > From: Alan Sill <Alan.Sill at ttu.edu <mailto:Alan.Sill at ttu.edu>>
> >> > To: Duane Merrill <dgm4d at virginia.edu <mailto:dgm4d at virginia.edu>>
> >> > Cc: ogsa-wg at ogf.org <mailto:ogsa-wg at ogf.org>
> >> > Date: 2007/10/03 23:05
> >> >
> >> >> I am traveling today and tomorrow and will miss this discussion. I
> >> >> do intend to contribute something in this area soon.
> >> >>
> >> >> I think the direction that has been started with the Express Profile,
> >> >> including work to allow SSL/TLS and possibly Kerberos communications,
> >> >> as examples, and to allow services to "express" the AuthN methods
> >> >> that they respect, and can use, is potentially very important, and
> >> >> with some work, might find real-world use case possibilities in the
> >> >> not too distant future. (I realize that this was not the sense of
> >> >> "express" meant here, but could not resist the pun.) There are some
> >> >> projects of which I am aware that could use exactly this feature in
> >> >> the near future. So just wanted to encourage work to continue in
> >> >> this area.
> >> >>
> >> >> Alan
> >> >>
> >> >> On Oct 1, 2007, at 3:04 PM, Duane Merrill wrote:
> >> >>
> >> >>> Everyone, I have updated the primer document to include a draft of
> >> >>> Section 3.5: Security. I realize that it is always tenuous to
> >> >>> submit a large section to a document hours before it is up for
> >> >>> review, and I apologize. If anyone has the time to inspect the new
> >> >>> section, feedback and suggestions this evening would be fantastic.
> >> >>> I've uploaded it to Gridforge as v.5 and attached it to this mail
> >> >>> as well.
> >> >>>
> >> >>> Duane
> >> >>>> ----- Original Message -----
> >> >>>> From: Andrew Grimshaw
> >> >>>> To: ogsa-wg at ogf.org <mailto:ogsa-wg at ogf.org>
> >> >>>> Sent: Thursday, September 20, 2007 12:34 PM
> >> >>>> Subject: [ogsa-wg] Latest draft - v4
> >> >>>>
> >> >>>> All,
> >> >>>>
> >> >>>> Attached is the latest draft of the primer. Most of the pieces are
> >> >>>> now in place. We still need sections 3.4-3.7, and of course
> >> >>>> reviews by people. The section on the data center use case is
> >> >>>> waiting for whoever wanted it in there to write it.
> >> >>>>
> >> >>>> The adoption section I'd like to talk about in a conference call
> >> >>>> to make sure it is a) correct, and b) saying what we want it to
> >> >>>> say.
> >> >>>>
> >> >>>> Summary will wait till the end.
> >> >>>>
> >> >>>> A
> >> >>>>
> >> >>> <OGSA Primer -v5.doc>
> >>
> >>
> >> --
> >> Andreas Savva
> >> Fujitsu Laboratories Ltd
> >>
> >> --
> >> ogsa-wg mailing list
> >> ogsa-wg at ogf.org <mailto:ogsa-wg at ogf.org>
> >> http://www.ogf.org/mailman/listinfo/ogsa-wg