[Pgi-wg] OGF PGI - Security - Interoperability in progress between EGEE and OSG (using COPS)

David Groep davidg at nikhef.nl
Fri Apr 3 08:55:57 CDT 2009


Dear all,

As the presenter of the authz-interop.org work, I can just confirm
that both Steven and Morris are absolutely correct.

For the techies on the list: the authz-interop work addresses the
exchange of attributes and obligations between a policy enforcement
point and a decision point, and the communications protocol to exchange
these (essentially a profile of XACML2 over SAML2). It does NOT
address the 'external' interface for any service.

	Best,
	David "sorry, no simple solutions available yet" G.

Morris Riedel wrote:
> Exactly - from my understanding it's on a different level!
> 
> ------------------------------------------------------------
> Morris Riedel
> SW - Engineer
> Distributed Systems and Grid Computing Division
> 
> 
>> ------Original Message-----
>> -From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf Of
>> -Steven Newhouse
>> -Sent: Friday, April 03, 2009 3:48 PM
>> -To: Etienne Urbah; pgi-wg at ogf.org
>> -Cc: edges-na3 at mail.edges-grid.eu; lodygens at lal.in2p3.fr
>> -Subject: Re: [Pgi-wg] OGF PGI - Security - Interoperability in progress between
>> -EGEE and OSG (using COPS)
>> -
>> -It is my understanding that this work addresses a very different use case
>> -than we have been discussing within PGI. It's a deployment that is encapsulated
>> -within the service infrastructure (generally within a single site) to support
>> -authorization decisions. Not the user/role driven authentication tokens that we
>> -have been discussing within PGI - our primary use case.
>> -
>> -Steven
>> -
>> -Dr Steven Newhouse
>> -EGEE Technical Director
>> -http://cern.ch/Steven.Newhouse
>> -
>> -
>> -> -----Original Message-----
>> -> From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf
>> -> Of Etienne URBAH
>> -> Sent: 03 April 2009 15:38
>> -> To: pgi-wg at ogf.org
>> -> Cc: edges-na3 at mail.edges-grid.eu; lodygens at lal.in2p3.fr
>> -> Subject: [Pgi-wg] OGF PGI - Security - Interoperability in progress
>> -> between EGEE and OSG (using COPS)
>> ->
>> -> To All,
>> ->
>> ->
>> -> My previous mail today shows that the security work of PGI is now
>> -> stuck in an irreconcilable incompatibility between:
>> -> -  RFC-3820-compliant X509 certificates and proxies on the one hand,
>> -> -  GSI-style X509 proxies (which can be delegated) on the other hand.
>> ->
>> ->
>> -> But there is some hope: at the last MWSG meeting in Zürich, David
>> -> GROEP gave a presentation 'AuthZ Interop report' available at
>> -> http://indico.cern.ch/materialDisplay.py?contribId=22&sessionId=3&materialId=slides&confId=52862
>> ->
>> -> This presentation describes current work in good progress begun in 2007
>> -> on security interoperability between OSG and EGEE, with the help of
>> -> Globus and Condor teams.
>> ->
>> -> This work uses the Common Open Policy Service (COPS) model defined in
>> -> RFC 2748 at http://tools.ietf.org/html/rfc2748
>> ->
>> -> COPS defines at least the following 2 concepts:
>> -> -  PDP = Policy Decision Point
>> -> -  PEP = Policy Enforcement Point
>> ->
>> -> Interoperability is achieved through an AuthZ Interop Profile, based on
>> -> the SAML v2 profile of XACML v2.
>> ->
>> -> There are production deployments in OSG and EGEE.
>> ->
>> ->
>> -> So I suggest that, before reinventing the wheel, we study in detail the
>> -> above mentioned document, in order to quickly know:
>> -> -  The problems which they are encountering,
>> -> -  The solutions which they are finding,
>> -> -  The interoperable components which they are deploying and which we
>> -> could reuse,
>> -> -  ...
>> ->
>> ->
>> -> Best regards.
>> ->
>> -> ----------------------------------
>> -> Etienne URBAH          IN2P3 - LAL


-- 
David Groep

** Nikhef, Dutch National Institute for Sub-atomic Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
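The PEP/PDP exchange that David describes above (attributes and obligations carried as a XACML 2 request and response inside the SAML 2 profile, the same PDP/PEP split Etienne's mail mentions), as an added example that is not part of the original thread and not the authz-interop project's own code: a PEP builds a SAML XACMLAuthzDecisionQuery carrying the user's DN and VOMS FQANs, a toy PDP answers with a Permit or Deny and, on Permit, a uid/gid mapping obligation, and the PEP enforces the result. The OASIS namespaces and the standard subject/resource/action attribute identifiers are real; the FQAN attribute identifier, the obligation identifier, the issuer names, the timestamp and the site mapping table are assumptions constructed for illustration, not the profile's own identifiers.

```python
"""Added example (not the authz-interop project's code): a XACML 2 over SAML 2 PEP <-> PDP
exchange. Namespaces and standard XACML attribute IDs are real; the example.org
identifiers, issuer names, timestamp and site mapping table are constructed."""
import xml.etree.ElementTree as ET

NS_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"   # XACML 2.0 Request/Response
NS_POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"    # XACML 2.0 Obligations
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_XSAML = "urn:oasis:xacml:2.0:saml:assertion:schema:os"   # SAML 2.0 profile of XACML 2.0
NS_XSAMLP = "urn:oasis:xacml:2.0:saml:protocol:schema:os"
for _p, _u in (("xacml-context", NS_CTX), ("xacml", NS_POL), ("saml", NS_SAML),
               ("samlp", NS_SAMLP), ("xacml-saml", NS_XSAML), ("xacml-samlp", NS_XSAMLP)):
    ET.register_namespace(_p, _u)

ATTR_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ATTR_RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ATTR_ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id"
DT_X500 = "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
DT_STRING = "http://www.w3.org/2001/XMLSchema#string"
DT_INT = "http://www.w3.org/2001/XMLSchema#integer"
# Hypothetical identifiers, not the authz-interop profile's own:
ATTR_FQAN = "http://example.org/xacml/subject/voms-fqan"
OBL_UIDGID = "http://example.org/xacml/obligation/uidgid"
ISSUE_INSTANT = "2009-04-03T13:55:57Z"   # constructed timestamp


def q(ns, tag):
    return "{%s}%s" % (ns, tag)


def _attribute(parent, attr_id, datatype, values):
    a = ET.SubElement(parent, q(NS_CTX, "Attribute"), AttributeId=attr_id, DataType=datatype)
    for v in values:
        ET.SubElement(a, q(NS_CTX, "AttributeValue")).text = str(v)


def _values(elem, attr_id):
    return [v.text for a in elem.iter(q(NS_CTX, "Attribute")) if a.get("AttributeId") == attr_id
            for v in a.findall(q(NS_CTX, "AttributeValue"))]


# PEP side: wrap a XACML Request in a SAML XACMLAuthzDecisionQuery.
def build_query(subject_dn, fqans, resource, action):
    query = ET.Element(q(NS_XSAMLP, "XACMLAuthzDecisionQuery"), ID="q1", Version="2.0",
                       IssueInstant=ISSUE_INSTANT, InputContextOnly="true", ReturnContext="false")
    ET.SubElement(query, q(NS_SAML, "Issuer")).text = "urn:example:pep"   # constructed
    req = ET.SubElement(query, q(NS_CTX, "Request"))
    subj = ET.SubElement(req, q(NS_CTX, "Subject"))
    _attribute(subj, ATTR_SUBJECT, DT_X500, [subject_dn])
    _attribute(subj, ATTR_FQAN, DT_STRING, fqans)   # VOMS FQANs as one bag, primary first
    _attribute(ET.SubElement(req, q(NS_CTX, "Resource")), ATTR_RESOURCE, DT_STRING, [resource])
    _attribute(ET.SubElement(req, q(NS_CTX, "Action")), ATTR_ACTION, DT_STRING, [action])
    ET.SubElement(req, q(NS_CTX, "Environment"))
    return ET.tostring(query, encoding="unicode")


# PDP side: decide, and hand the local account mapping back as an obligation.
SITE_POLICY = {   # constructed: FQAN -> local uid/gid
    "/atlas/Role=production": {"posix-uid": 40001, "posix-gid": 4000},
    "/atlas": {"posix-uid": 40002, "posix-gid": 4000},
}


def pdp_evaluate(query_xml, policy=SITE_POLICY):
    query = ET.fromstring(query_xml)
    req = query.find(q(NS_CTX, "Request"))
    fqans = _values(req.find(q(NS_CTX, "Subject")), ATTR_FQAN)
    action = _values(req.find(q(NS_CTX, "Action")), ATTR_ACTION)
    mapping = next((policy[f] for f in fqans if f in policy), None)   # first mapped FQAN wins
    decision = "Permit" if mapping is not None and action == ["submit"] else "Deny"
    resp = ET.Element(q(NS_SAMLP, "Response"), ID="r1", Version="2.0",
                      IssueInstant=ISSUE_INSTANT, InResponseTo=query.get("ID"))
    ET.SubElement(ET.SubElement(resp, q(NS_SAMLP, "Status")), q(NS_SAMLP, "StatusCode"),
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    assertion = ET.SubElement(resp, q(NS_SAML, "Assertion"), ID="a1", Version="2.0",
                              IssueInstant=ISSUE_INSTANT)
    ET.SubElement(assertion, q(NS_SAML, "Issuer")).text = "urn:example:pdp"   # constructed
    stmt = ET.SubElement(assertion, q(NS_XSAML, "XACMLAuthzDecisionStatement"))
    result = ET.SubElement(ET.SubElement(stmt, q(NS_CTX, "Response")), q(NS_CTX, "Result"))
    ET.SubElement(result, q(NS_CTX, "Decision")).text = decision
    if decision == "Permit":
        obl = ET.SubElement(ET.SubElement(result, q(NS_POL, "Obligations")),
                            q(NS_POL, "Obligation"), ObligationId=OBL_UIDGID, FulfillOn="Permit")
        for name, value in mapping.items():
            ET.SubElement(obl, q(NS_POL, "AttributeAssignment"), AttributeId=name,
                          DataType=DT_INT).text = str(value)
    return ET.tostring(resp, encoding="unicode")


# PEP side again: enforce. An obligation the PEP cannot discharge turns Permit into Deny.
def pep_enforce(response_xml, supported=frozenset([OBL_UIDGID])):
    result = ET.fromstring(response_xml).find(".//" + q(NS_CTX, "Result"))
    decision = result.findtext(q(NS_CTX, "Decision"))
    obligations = {}
    for obl in result.iter(q(NS_POL, "Obligation")):
        if obl.get("FulfillOn") != decision:
            continue
        if obl.get("ObligationId") not in supported:
            return "Deny", {}
        obligations[obl.get("ObligationId")] = {
            a.get("AttributeId"): int(a.text) if a.get("DataType") == DT_INT else a.text
            for a in obl.findall(q(NS_POL, "AttributeAssignment"))}
    return ("Permit", obligations) if decision == "Permit" else ("Deny", {})


if __name__ == "__main__":
    q1 = build_query("CN=Alice,DC=example,DC=org", ["/atlas/Role=production", "/atlas"],
                     "urn:example:ce", "submit")
    print(pep_enforce(pdp_evaluate(q1)))
```

The part worth noticing is the last function: the PDP's Permit is only as good as the PEP's ability to honour every obligation attached to it, so a PEP that meets an ObligationId it does not implement must fall back to Deny rather than run the job under whatever account it would otherwise have picked. That is the interoperability contract between sites that this profile sets up, and it is also why, as David says, the profile says nothing about the service's external interface or about which proxy format the user presented.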
