I was able to talk with Rebekah
last week. She is not currently involved with GGF however she worked
on a security issue using grids for her Masters and was involved with
the OGSA-Auth-WG at that time. She is an OASIS member and has
participated in the security groups.
The entire WS security architecture seems overly
complex to me and is focused on static definitions or rules. There are
some efforts to simplify the process with a new spec called WSPL -
we'll need to research that.
If a "service" wants to enforce access, then
SAML+XACML can be used. Some services would most likely provide their
own policy enforcement point (PEP), requiring that the service provide
an auxiliary service which would be SAML compliant. Therefore, it
seems that an ACS implementation might need to implement one.
It seems that "attributes" are more important than identity and roles
in the WS Security mindset. I believe the thought is that roles are
just other attributes and identity is a unique set of attributes.
Someone please correct me here if this is wrong or overly simplified.
This contrasts with the J2EE world where roles can be declared by the
web.xml and then used externally to block requests or within the
authenticated request processing internally for authorization decisions
(isUserInRole() method).
Whether or not an ACS implementation provides a PEP service might be
irrelevant as long as the provided XACML can be passed along and
processed - so perhaps it can be just an implementation detail and our
spec only needs to ensure that a security policy document (using a
generic term) can be supplied and updated.
References:
http://sunxacml.sourceforge.net
--
Michael Behrens
R2AD, LLC
(571) 594-3008 (cell) *new*
(703) 714-0442 (land)
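Added illustration for the PEP/PDP split and the "roles are just attributes" point discussed above. This is editorial example code, not something from the original message, the GGF working group, or the sunxacml project linked in the references, and it is in Python rather than Java so it can run without sunxacml. It implements only a small subset of XACML 2.0 (Target matching with string-equal, the deny-overrides and first-applicable rule-combining algorithms; no Conditions, Obligations or PolicySets). The attribute and resource identifiers under urn:example:acs: are hypothetical; the others are standard XACML identifiers.

```python
# Added example (not from the original mail, not sunxacml): a minimal XACML 2.0
# subset evaluator showing a PEP handing request attributes to a PDP and getting
# Permit / Deny / NotApplicable back. Simplifications assumed: Target matching
# with string-equal only, deny-overrides and first-applicable only, no
# Conditions, Obligations or PolicySets.
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XACML_NS}
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STATUS = "urn:example:acs:subject:status"       # hypothetical attribute id
POLICY_DOC = "urn:example:acs:policy-document"  # hypothetical resource id


def match_xml(kind, attr_id, value):
    """Build one <SubjectMatch>/<ResourceMatch>/<ActionMatch> element as text."""
    return (f'<{kind}Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<{kind}AttributeDesignator AttributeId="{attr_id}" DataType="{STRING}"/>'
            f'</{kind}Match>')


# Constructed sample policy document: the role is just one subject attribute,
# and a "suspended" status attribute wins over it under deny-overrides.
POLICY_XML = f"""<Policy xmlns="{XACML_NS}" PolicyId="urn:example:acs:policy"
        RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="deny-suspended" Effect="Deny">
    <Target><Subjects><Subject>{match_xml("Subject", STATUS, "suspended")}</Subject></Subjects></Target>
  </Rule>
  <Rule RuleId="admins-update-policy" Effect="Permit">
    <Target>
      <Subjects><Subject>{match_xml("Subject", ROLE, "admin")}</Subject></Subjects>
      <Resources><Resource>{match_xml("Resource", RESOURCE_ID, POLICY_DOC)}</Resource></Resources>
      <Actions><Action>{match_xml("Action", ACTION_ID, "update")}</Action></Actions>
    </Target>
  </Rule>
</Policy>"""


def _local(el):
    return el.tag.split("}", 1)[1]


def _match_satisfied(match_el, request):
    """string-equal: some request value for the designated attribute equals the literal."""
    if match_el.get("MatchId") != STRING_EQUAL:
        raise ValueError(f"unsupported MatchId {match_el.get('MatchId')}")
    literal = match_el.find("x:AttributeValue", NS).text
    designator = next(c for c in match_el if _local(c).endswith("AttributeDesignator"))
    category = _local(match_el)[:-len("Match")]  # "Subject" / "Resource" / "Action"
    # A missing attribute simply fails to match (MustBePresent defaults to false).
    return literal in request.get((category, designator.get("AttributeId")), ())


def _target_applies(target_el, request):
    """Absent or empty Target matches everything; each present section is a
    disjunction of <Subject>/<Resource>/<Action> alternatives, each of which is
    a conjunction of its *Match children."""
    if target_el is None:
        return True
    for section in ("Subjects", "Resources", "Actions"):
        sec = target_el.find(f"x:{section}", NS)
        if sec is not None and not any(
                all(_match_satisfied(m, request) for m in alt) for alt in sec):
            return False
    return True


def evaluate(policy_xml, request):
    """PDP: return "Permit", "Deny" or "NotApplicable".

    request maps (category, attribute-id) -> set of string values, i.e. what a
    PEP would pull from a SAML assertion plus the invoked resource and action."""
    policy = ET.fromstring(policy_xml)
    if not _target_applies(policy.find("x:Target", NS), request):
        return "NotApplicable"
    alg = policy.get("RuleCombiningAlgId")
    if alg not in (DENY_OVERRIDES, FIRST_APPLICABLE):
        raise ValueError(f"unsupported combining algorithm {alg}")
    effects = [r.get("Effect") for r in policy.findall("x:Rule", NS)
               if _target_applies(r.find("x:Target", NS), request)]
    if not effects:
        return "NotApplicable"
    if alg == FIRST_APPLICABLE:
        return effects[0]
    return "Deny" if "Deny" in effects else "Permit"


def pep_allows(decision):
    """PEP side: fail closed. NotApplicable (or anything unexpected) is not a Permit."""
    return decision == "Permit"


# Constructed requests.
ADMIN = {("Subject", ROLE): {"admin"},
         ("Resource", RESOURCE_ID): {POLICY_DOC},
         ("Action", ACTION_ID): {"update"}}
SUSPENDED_ADMIN = {**ADMIN, ("Subject", STATUS): {"suspended"}}
PLAIN_USER = {**ADMIN, ("Subject", ROLE): {"user"}}

if __name__ == "__main__":
    for name, req in (("admin", ADMIN), ("suspended admin", SUSPENDED_ADMIN),
                      ("user", PLAIN_USER)):
        d = evaluate(POLICY_XML, req)
        print(f"{name}: {d} -> {'allow' if pep_allows(d) else 'block'}")
```

The policy document is the only thing the service and the ACS have to agree on; whether evaluate() lives inside the service's own PEP or in an auxiliary SAML-fronted service does not change the result. Note that the PEP treats NotApplicable as a block: a policy that mentions neither the role nor the resource must not silently grant access.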