[OGSA-AUTHZ] [ogsa-wg] Notes from Joint OGSA WG AuthN/AuthZ call

David Chadwick d.w.chadwick at kent.ac.uk
Thu Jun 21 11:21:06 CDT 2007

Thanks Alan

this is a very good set of minutes


Alan Sill wrote:
> OGSA AuthN/AuthZ joint call
> Chris
> David
> Mark Morgan
> Andrew Grimshaw
> FrankSiebenlist
> Jack
> Hiro Kishimoto
> Alan Sill
> Andreas Savva
> Stephen
> Agenda items:
> OGSA-AuthZ update (David Chadwick)
> OGSA-AuthN update (Alan Sill)
> David summarized the current state of the OGSA-AuthZ work.  No  
> progress or changes have taken place since OGF-20 on the document set  
> from the AuthZ work groupl
> Jargon for below:
> PDP = policy decision point
> PEP = policy enforcement point
> PIP = policy information point
> GFD-66 and 67 (65?) status
> GFD-66 was intended to describe the relation between PDPs and PEPs
> Previous version of GFD-66 based on SAML 1.1 was implemented by  
> several groups and found to be insufficient.
> An architecture document was written by David and others to propose 3  
> protocols: one for pull of credentials from an IdP or AA according to  
> any of several protocols profiled by OASIS and others, an XACML  
> protocol, and a credential validation service profile defined  
> according to WS-trust.  Alan requested that David get a document  
> number for this architecture document and David agreed to move this  
> along the path to formalization.  It would be good to publish this as  
> an informational document, with the 3 protocols pulled into separate  
> documents.
> Frank said that progress at Argonne on this has been slowed by work  
> being done for GT4.2 - all security programmers have been pulled onto  
> that work and have not had sufficient time available for standards work.
> GFD-66 had value but does not extend to sufficiently realistic  
> complex real-world use case requirements, for example validating  
> signed credentials, interactions with PIPs, etc.
> For requirements gathering, David put up a wiki but got very few  
> submissions.  Stephen points out that people see a need for security  
> but do not see the relevance of the work done here, and socialization  
> of the work being done here is not sufficiently seen as connected to  
> real-world needs.  Alan agreed that this is an important component of  
> the work and is exactly what Duane, mark and Andrew have been trying  
> to do in the requirements-gathering work they have been doing for the  
> short-term AuthN documentation work they have been done.
> Frank did not understand the disconnect, as the XACML work for  
> example has been driven by strong communication between developers  
> and community segments that have requested this work.  Andrew says  
> that the exercise of writing a use-case document has proven itself  
> even in circumstances in which the use cases are thought to be well- 
> known.  Stephen and Alan felt this to be true even though writing  
> such documents can be a chore.
> People are often stuck on simple cases when the community doing work  
> on standards is often focused on more advanced use cases.    Andrew  
> pointed out that documenting even the simple use cases is of value  
> and must be written down to get rid of this barrier for users; some  
> of the work being done for the HPC profile was driven by this need.
> Last week David sent out a document written from the point of view of  
> Authorization meant to match some of the current "simple AuthN"  
> work.  Mark more or less simultaneously requested such a document.     
> Discussion followed as to whether AuthZ can be folded into the  
> current security profile "express" documentation work being done, or  
> instead whether another document to address "express authZ" should be  
> written.  Andrew prefers simple short documents over grand scheme  
> documents at this stage.  Another document in this series entitled  
> "OGSA Security Profile 2.0 - Authorization" would be helpful.  David  
> agreed to look at this and will go through the current set from this  
> perspective.
> Moving on to authentication topics Alan is ready now to restart work  
> on the OGSA-AuthN topics.  Motivations here include examining the  
> technical requirements of implementations and ensuring that the  
> documentation and standards set offered by OGSA is sufficiently  
> flexible and well-specified to allow interoperable implementations  
> based on different technologies.  As an example, Alan asks why Ws- 
> Security is so SOAP-oriented, when grid implementations can be  
> written based on the same WSDL and XML that could provide code using  
> different RPC methods?  Other motivations include ensuring that  
> Shibboleth grid integration can be done on a well-defined standards  
> basis within OGSA, and while this is largely an AuthZ question, we  
> need to make sure that the OGSA-AuthN pieces and basis for this work  
> are sufficiently documented, understood and specified.  A  
> documentation call series will be started sometime in July to get  
> this work going.
> Simultaneously, work should be continued to complete the "express  
> profile" documentation series.
> Hiro asked about the timing of the next joint call.  David has Sep.  
> 13 down as the next joint call.  Hiro offered time at the Sunnyvale  
> F2F Aug. 13-16.
> Alan Sill, Ph.D
> TIGRE Senior Scientist, High Performance Computing Center
> Adjunct Professor of Physics
> ====================================================================
> :  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
> :  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
> ====================================================================
> --
>   ogsa-wg mailing list
>   ogsa-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-wg


David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5


More information about the ogsa-authz-wg mailing list