[ogsa-wg] Notes from Joint OGSA WG AuthN/AuthZ call
Alan Sill
Alan.Sill at ttu.edu
Thu Jun 21 10:15:50 CDT 2007
OGSA AuthN/AuthZ joint call
Chris
David
Mark Morgan
Andrew Grimshaw
FrankSiebenlist
Jack
Hiro Kishimoto
Alan Sill
Andreas Savva
Stephen
Agenda items:
OGSA-AuthZ update (David Chadwick)
OGSA-AuthN update (Alan Sill)
David summarized the current state of the OGSA-AuthZ work. No
progress or changes have taken place since OGF-20 on the document set
from the AuthZ work group.
Jargon for below:
PDP = policy decision point
PEP = policy enforcement point
PIP = policy information point
GFD-66 and 67 (65?) status
GFD-66 was intended to describe the relation between PDPs and PEPs
Previous version of GFD-66 based on SAML 1.1 was implemented by
several groups and found to be insufficient.
An architecture document was written by David and others to propose 3
protocols: one for pull of credentials from an IdP or AA according to
any of several protocols profiled by OASIS and others, an XACML
protocol, and a credential validation service profile defined
according to WS-trust. Alan requested that David get a document
number for this architecture document and David agreed to move this
along the path to formalization. It would be good to publish this as
an informational document, with the 3 protocols pulled into separate
documents.
Frank said that progress at Argonne on this has been slowed by work
being done for GT4.2 - all security programmers have been pulled onto
that work and have not had sufficient time available for standards work.
GFD-66 had value but does not extend to the requirements of
sufficiently realistic, complex real-world use cases, for example
validating signed credentials, interactions with PIPs, etc.
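As an added illustration (not part of the call notes or of any OGSA document) of the PEP/PDP/PIP relation described above, including the two gaps named for GFD-66: validating a signed credential pulled from an AA before the PDP sees it, and having the PDP consult a PIP. The AA name, keys, VO registry and policy rule are constructed for the example, and an HMAC over JSON stands in for the signed SAML/WS-Trust credentials the notes refer to.

```python
import hashlib, hmac, json

# Constructed trust store: attribute authority (AA) name -> shared HMAC key.
# HMAC over JSON stands in for signed SAML attribute assertions; a real
# credential validation service would verify XML signatures and chains.
AA_KEYS = {"aa.example.org": b"constructed-demo-key"}

def issue_credential(issuer, subject, attrs):
    """AA side of the credential 'pull': returns a signed attribute credential."""
    body = json.dumps({"iss": issuer, "sub": subject, "attrs": attrs}, sort_keys=True)
    sig = hmac.new(AA_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def validate_credential(cred):
    """Credential validation service: accept only credentials signed by a trusted AA."""
    claims = json.loads(cred["body"])
    key = AA_KEYS.get(claims.get("iss"))
    if key is None:
        return None                      # unknown issuer: treat as invalid
    expected = hmac.new(key, cred["body"].encode(), hashlib.sha256).hexdigest()
    return claims if hmac.compare_digest(expected, cred["sig"]) else None

# PIP: authoritative facts the PDP needs that the credential does not carry.
VO_REGISTRY = {"vo-alpha": {"active": True}, "vo-beta": {"active": False}}

def pip_lookup(vo):
    return VO_REGISTRY.get(vo, {"active": False})

def pdp_decide(claims, action, resource):
    """PDP: XACML-style rule evaluation over subject attrs, PIP facts and the request."""
    attrs = claims["attrs"]
    vo = attrs.get("vo")
    if vo != resource["vo"] or not pip_lookup(vo)["active"]:
        return "Deny"                    # wrong VO, or VO suspended per the PIP
    if attrs.get("role") == "admin":
        return "Permit"
    if attrs.get("role") == "user" and action == "read":
        return "Permit"
    return "Deny"

def pep_authorize(cred, action, resource):
    """PEP: validate the presented credential first, then ask the PDP; fail closed."""
    claims = validate_credential(cred)
    if claims is None:
        return "Deny"
    return pdp_decide(claims, action, resource)

if __name__ == "__main__":
    cred = issue_credential("aa.example.org", "alice", {"vo": "vo-alpha", "role": "user"})
    print(pep_authorize(cred, "read", {"vo": "vo-alpha"}))   # Permit
    print(pep_authorize(cred, "write", {"vo": "vo-alpha"}))  # Deny
```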
For requirements gathering, David put up a wiki but got very few
submissions. Stephen points out that people see a need for security
but do not see the relevance of the work done here, and socialization
of the work being done here is not sufficiently seen as connected to
real-world needs. Alan agreed that this is an important component of
the work and is exactly what Duane, Mark and Andrew have been trying
to do in the requirements-gathering work they have been doing for the
short-term AuthN documentation work.
Frank did not understand the disconnect, as the XACML work for
example has been driven by strong communication between developers
and community segments that have requested this work. Andrew says
that the exercise of writing a use-case document has proven itself
even in circumstances in which the use cases are thought to be
well-known. Stephen and Alan felt this to be true even though writing
such documents can be a chore.
People are often stuck on simple cases when the community doing work
on standards is often focused on more advanced use cases. Andrew
pointed out that documenting even the simple use cases is of value
and must be written down to get rid of this barrier for users; some
of the work being done for the HPC profile was driven by this need.
Last week David sent out a document written from the point of view of
Authorization meant to match some of the current "simple AuthN"
work. Mark more or less simultaneously requested such a document.
Discussion followed as to whether AuthZ can be folded into the
current security profile "express" documentation work being done, or
instead whether another document to address "express authZ" should be
written. Andrew prefers simple short documents over grand scheme
documents at this stage. Another document in this series entitled
"OGSA Security Profile 2.0 - Authorization" would be helpful. David
agreed to look at this and will go through the current set from this
perspective.
Moving on to authentication topics, Alan is ready now to restart work
on the OGSA-AuthN topics. Motivations here include examining the
technical requirements of implementations and ensuring that the
documentation and standards set offered by OGSA is sufficiently
flexible and well-specified to allow interoperable implementations
based on different technologies. As an example, Alan asks why
WS-Security is so SOAP-oriented, when grid implementations could be
written from the same WSDL and XML using different RPC methods.
Other motivations include ensuring that
Shibboleth grid integration can be done on a well-defined standards
basis within OGSA, and while this is largely an AuthZ question, we
need to make sure that the OGSA-AuthN pieces and basis for this work
are sufficiently documented, understood and specified. A
documentation call series will be started sometime in July to get
this work going.
Simultaneously, work should be continued to complete the "express
profile" documentation series.
Hiro asked about the timing of the next joint call. David has Sep.
13 down as the next joint call. Hiro offered time at the Sunnyvale
F2F Aug. 13-16.
Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU
====================================================================
: Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
: e-mail: Alan.Sill at ttu.edu ph. 806-742-4350 fax 806-742-4358 :
====================================================================