[caops-wg] Re: [TG-SECURITY] Draft Proposal for AuthZ workshop at GGF16

5 Dec 2005

      FYI, this has also been discussed extensively in an OGSA-WG - AuthZ-WG  
joint teleconference -- see minutes attached.  Action items from that  
meeting include another teleconference in 2 weeks (Dec. 19), and a  
request from the OGSA-WG to have people attend a January face-to-face  
with some coverage on that topic.  Frank Siebenlist is planning to  
attend the latter meeting, as far as I know.

My take on this is that we are or have the opportunity to be in good  
communication with the standards community on this topic, that the  
standards to be discussed are those of language and interoperability  
(e.g SAML 2, XACML 3) and not those of specific implementations or  
schema, but that increased participation from e.g. the privilege  
project and VOBox - oriented community is necessary to work in the  
direction of an attribute-based authorization standard that fits our  
usage model.

Having people participate in these discussions can raise them from the  
dead, and make it possible to work towards an attribute-based  
authorization standard with wide acceptance that can be as accepted as  
our authentication standards and lay the groundwork for future  
interoperability efforts with other such projects.  Further  
participation by everyone is welcome.

Alan

	From: 	  hiro.kishimoto@jp.fujitsu.com
	Subject: 	[OGSA-AUTHZ] [Fwd: [ogsa-wg] Teleconference minutes - 21  
November 2005]
	Date: 	November 22, 2005 2:44:10 AM CST
	To: 	  ogsa-authz@ggf.org, andreas.savva@jp.fujitsu.com

Hi all,

OGSA-AuthZ and OGSA-WG joint call minutes attached.
Thanks to Alan Sill and Andreas Savva for taking notes.
--  
Hiro Kishimoto

From: Andreas Savva 
Date: November 22, 2005 2:20:12 AM CST
To: "'ogsa-wg'" 
Subject: [ogsa-wg] Teleconference minutes - 21 November 2005

Minutes attached. Thanks to Alan Sill for his excellent notes of the
AuthZ discussion.

https://forge.gridforum.org/projects/ogsa-wg/document/minutes-20051121/ 
en/1
-- 
Andreas Savva
Fujitsu Laboratories Ltd
OGSA Teleconfererence - 21 November 2005
========================================

* Participants

   Pete Ziu (Northrop Grumman)
   Von Welch (NCSA)
   Alan Sill (Texas Tech Univ.)
   Frank Siebenlist (ANL)
   Andreas Savva (Fujitsu)
   Takuya Mori (NEC)
   Mark Morgan (UVa)
   Tom Maguire (EMC)
   Fred Maciel (Hitachi)
   Hiro Kishimoto (Fujitsu
   Dave Berry (NeSC)
   Michael Behrens (R2AD, LLC)

   Apologies: Ellen Stokes

   Minutes: Andreas Savva, Alan Sill

* November 16 minutes approved with no changes

* OGSA AuthZ Joint Call

** Background

    Alan described OSG, EGEE and made mention of GridShib efforts, and
    the desire to support a more standards-based approach to
    attribute-based authorization.  A strong desire exists both within
    the user communities and at the funding agency level, he believes,
    for a standards-based approach to authorization that can
    interoperate with and be complementary to the existing
    standards-based approach to CA operations being taken by the
    CAOps-WG and the PMA technical community.  (cf. http://gridpma.org
    for the IGTF = International Grid Trust Federation and its member
    organizations.)  He also noted that there is ongoing research and
    work being done to extend and supplement the "classic PKI"
    authentication profile, for example with the Short-Lived Credential
    Service (SLCS) profile being considered by TAG PMA (The Americas
    Grid PMA) and about to come up for voting there.

** Future directions (OGSA services, federated authentication)

    Frank said most important task is to come up with an improved
    authorization query interface. The present one is based on SAML
    1.1 and lacks features needed to communicate easily such
    attributes as groups and roles. Version 2 of the OGSA AuthZ
    specification needs to define interfaces so such attributes can be
    communicated more easily.  The hope is to leverage part of the work
    done in the OASIS XACML TC for the XACML 3.0 spec. (Frank is a
    member of the TC.) The TC has come to some agreement on how to
    proceed and is preparing to write up WSDL, etc. Ideally this could
    be used as is provided it fits the Grid requirements.

    At the last GGF, the two groups had separate face-to-face meetings
    at the same time, which interfered with progress.  Alan noted that
    there was good attendance at the AuthZ GGF15 wrap-up meeting,
    nonetheless.

    Von Welch agreed with the above summary of priorities, but noted
    that there is a need for far more people and fresh blood.  Alan
    added that he would like to see representation from at least 3
    communities: the OSG Privilege Project authors, the LCG Joint
    Security Group, and members of the Shibboleth community who are
    interested in working in the direction of international
    standards.

    Hiro asked what would be required to use the XACML v3 query i/f
    with the OGSA WSRF BP. Frank and Tom agreed that the XACML i/f
    would be complementary to the BP and it should be possible to
    compose the two. There is no reason to have a WSRF-specific XACML
    i/f.

    Hiro asked whether standardizing on the schema or alternatively on
    a language for defining attribute characteristics is preferable.
    Alan responded that from his point of view, the latter (an
    attribute language) is preferable, as schema can become outdated
    and attribute spaces are by their nature extensible, and that a
    possible reason for failure of previous AuthZ efforts might be due
    to attempts to overly specify the schema. (Since it is not possible
    to do an exhaustive definition of the attributes.)

** OGSA-AuthZ WG status update (specs)

   - Is there a plan to produce a new version of the Attributes
     specification?

     It is important for people who are implementing this specification
     to come forward and join the discussion. The WG has to see what is
     being adopted and what needs to be done before moving forward.

     Alan volunteered to take this discussion to VOMS and try to get
     people to join.

   - What is the status of the submitted AuthZ documents?

     The Attributes document completed its public comment period and
     was returned back to the authors for revision.

     There was some uncertainty on the call whether this document was
     pulled out of the process altogether or whether it was going to
     move forward after changing its type to Experimental.

     There was also an issue with making it WSRF based, or combinable
     with the OGSA WSRF profile.

     Von will check the status of this document.

** Next steps

    Hiro suggested to have another joint call in Dec.; it was set for
    the OGSA call on Dec. 19 (Mon.).

    Hiro also asked whether AuthZ WG members can attend the next OGSA
    F2F in Sunnyvale in January (week of 16).
    - It was pointed out that the AuthZ specific discussion is likely
      to be occupy a very small slot (1-2 hours) during the 5 day
      meeting.
    - Frank Siebenlist will attend in person.
    - Von and Alan may join by phone if it is not possible to attend
      in-person.

    Agreed to advertise both the joint call and the F2F and try to get
    wider participation.

* Profile Definition Review
   - Tom changed his Affiliation.
   - Consensus on the call not to add implementation status examples.
   - Agreed that the change from "In other words" to "For example" in
     the last sections and related changes in wording are appropriate.
   - Other minor wording changes.

   Tom will accept all changes, post a new draf and announce a final
   call to list, lasting to next week Wednesday. (This is to allow for
   people who may be on holiday this week.)

   Tom will also reply to comments on the public forum.

* Security Profile - Secure Channel Review

   - Using version sent out by Hiro to the list.

** Tracker review
    (Numbers correspond to tracker artifacts)

   - 1657: added; close.
   - 1658: MLS is dropped; close.
   - 1659: No problem using SSL; close.
   - 1662: Checked that there are no significant changes that affect
     this profile; updated; fixed.
   - 1663: Updated to remove dependency; fixed.
   - 1685: Added secure channel definition: fixed
     - Does any part of this definition imply encryption? Yes,
       integrity does.
   - 1697: Revised the list but the explanatory text still needs work
     to make clearer what the profile is doing. It is ok to combine
     some of these items if it will make the explanation easier.
     - Takuya to draft some text and review with Andreas
   - 1698: Strictly speaking the features described in section 3.4 and
     section 4 are orthogonal to the rest of the profile. Tokens, and
     the key exchange mini-specification would apply to both TLS and
     MLS.
     - If this text is left here then the MLS profile would have to
       depend on this profile; or worse, duplicate the same text.
     - Frank proposed that if these sections are needed in general then
       it might be worth deleting these sections from the Secure
       Channel Profiel and adding them to the WSRF Basic Profile.
     - Agreed, in principle, to remove the sections from this spec. and
       discuss how to make them apply to any profile.
     - Andreas proposed that these sections should be part of a Basic
       Security Profile and that Profile could then be combined with
       the WSRF BP or be referenced by the Channel profiles. The Claim
       URI mechanism defined in the WSRF BP allows multiple Security
       profiles to be composed with it so there would be no problem
       with this approach.
     - Hiro proposed that such a Basic Security Profile could also
       serve as an 'anonymous' channel profile (one that makes no
       statements on channel security) and could also solve the problem
       of having a separate, essentially empty, profile document with
       no security statements.
     - Andreas was tasked to write up the proposal for splitting up the
       Secure Channel Profile and send it to the list to collect
       feedback from stakeholders not on the call.

* UML Tool Choice

   - No opposition on the list or the call for the Rational choice.
     - Agreed that there are a couple of things that need to be cleared
       up, and until that time the choice is still tentative.
     - Hiro to follow up with Ellen on the IBM liaison and with the GGF
       Office and make sure that we can use the tool for GGF work.

   - Mike proposed that CDs should be made available at the next F2F.

* OGSA 1.5 review
   - Postponed due to lack of time.

* Next call

   - OGSA 1.5 review
   - Basic security profile discussion

On Dec 5, 2005, at 2:37 AM, Frank Wuerthwein wrote:
...
Hi Bob,
GGF16 at Athens overlaps with chep06 in Mumbai.
We have two accepted talks in Mumbai, one on authz for CE and one on  
authz for SE,
both including role based authentication.
We also recently (at the Ultralight meeting at Caltech) discussed  
future use of the saml callout
for obligations related to networking, in addition to the ones for CE  
& SE. We settled on a
tentative schedule of late spring for work in this area, if I recall  
correctly. Rick Cavenaugh (UFL)
would probably know for sure what we agreed on as tentative schedule.
Present status on OSG, the role based authz is deployed for CE at many  
places, and for SE
at one place, UCSD. It's been deployed in the production installation  
of dcache for cms during
LHC service challenge 3.  Though, I'm not certain that the cms sc3  
data was written using a cert with a role.
Abhishek can comment on that.
It's not clear to me what level input would be apropriate on these  
things for GGF16.
Thanks, frank
Cowles, Robert D. wrote:
...
FYI
-----Original Message-----
From: Kelsey, DP (David) [mailto:D.P.Kelsey@rl.ac.uk] Sent:  
Wednesday, November 30, 2005 8:39 AM
To: Åke Edlund; Dane Skow; Cowles, Robert D.; Olle Mulmo; David  
Groep; Von Welch
Subject: RE: MWSG in Amsterdam
Dear All,
Well. I submitted a proposal via the GGF16 web form. I attach what I  
submitted. Its far from perfect and I apologise that there was not  
enough time to discuss this with you before it went in. I am sure  
there will be many suggestions and complaints about what I said.  
So... Please provide these now and we can update our plans during the  
next 10 days.
Dane and Olle... Please can you lobby in appropriate places to  
increase our chances of success?
I am on leave now until Tuesday 6th December so don't expect instant  
replies from me.
Best regards
(and thanks for agreeing (silently) to co-organise. If you wish to  
remove your name please also shout!)
Dave
----------------------------------
GGF16 Community Program Proposal
D Kelsey
30 Nov 2005
Proposers Name		David Kelsey
Affiliation			CCLRC Rutherford Appleton Laboratory, UK
email address		d.p.kelsey@rl.ac.uk
Proposed title		Grid Authorization - Interoperability here and now
Session type		Workshop
Proposed Duration	Half-day
Target audience		Technical experts and interested parties.
Estimated number of attendees	50 (hopefully more)
Abstract
----------------
This workshop will consider short-term (now and next two years) Grid  
Authorization and Policy implementations, requirements and issues. It  
will investigate what improvements can be made to encourage and  
facilitate interoperability between Grid operational infrastructures.  
It will also consider lessons learned from today's implementations  
for the Grid security standards activities
in GGF for the longer-term future.
Synopsis		
----------------
This is very much a draft. There has not been enough time to discuss
with co-organisers. Apologies. We plan to provide a better/proper size
version by 9th December. Dane Skow encouraged me to submit now to meet
the deadline with this incomplete plan.
The following people are currently co-organizers of this workshop.  
More
may volunteer later. The push has come from the GGF Security Area. We
would like to find some co-organizers from the application communities
and Grid operations.
Bob Cowles	(SLAC and OSG Security co-chair)
Ake Edlund	(KTH and EGEE Director of Security)
David Groep	(NIKHEF and IGTF chair)
David Kelsey	(CCLRC and LCG/EGEE Joint Security Policy Group chair)		
Olle Mulmo	(KTH and GGF Security Area Director)			
Dane Skow	(FNAL and GGF Security Area Director)
Von Welch	(NCSA and Globus Alliance)
The goals of the workshop are as described in the Abstract.
Target audience
Technical experts and interested parties.
Grid security developers, Grid deployers (operational infrastructures)
and Grid users (application communities)
Background. Much effort has been put into the work on Grid  
Authentication,
culminating in the successful launch at GGF15 of the International  
Grid
Trust Federation (IGTF). The work of IGTF and its three regional  
Policy
Management Authorities ensures that Grid Users can obtain a single
electronic identity (X.509 certificate) and use this on any Grid
infrastructure which has decided to use the CA's from IGTF. Grid
Authorization is much less mature. Many large-scale application
communities (VOs) are global in nature and have the need to access
multiple Grid infrastructures. While Authentication is performed at  
the
employing institute level, the Authorization (AuthZ) assertions need  
to
be controlled at the VO level. The VO (global) policy assertions then
need to be combined with local (site-level) policy specifications  
before
an Authorization decision can be made and enforced. There is a very
important requirement for interoperability in AuthZ between Grids in
terms of protocols and evaluation of the AuthZ/Policy assertions so  
that
different implementations can interwork and reach the same AuthZ
decisions.
Outline of the foreseen agenda.
We will invite/solicit talks from current operational Grid
Infrastructures and also from Application communities requiring the
ability to run applications across multiple Grids. These will describe
their current (and short-term future) implementations of AuthZ and
policy. There may be room for Grid security developers to present  
their
status and plans but this has been done before (e.g. at GGF15) and is
not the main thrust of the workshop. A major component of the workshop
is a discussion session (perhaps in the form of a panel) to  
investigate
the lessons learned from the earlier presentations both for improving
short-term interoperability and as input to longer-term  
standardisation.
As well as copies of slides shown we plan to produce a document
describing the issues identified and conclusions from the discussion.
------------------------------------
Technology requirements Standard A/V
Prerequisite skills	Some understanding of Grid security concepts.  
      	Appreciation of requirements for Authorization and/or Policy
      	and interoperability between Grid infrastructures
Technological requirements
for participants
      	Not sure what this means? How is it different from
      	prerequisite skills?
Suggestions on how to advertise
      	Via appropriate GGF area mail lists (e.g. security)
      	Via targeted mails to known Grid infrastructure projects,  
application communities
      	and known developers
------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK
e-mail: D.P.Kelsey@rl.ac.uk
Tel: [+44](0)1235 445746 (direct)
Fax: [+44](0)1235 446733
------------------------------------------------
...
-----Original Message-----
From: Kelsey, DP (David) Sent: 30 November 2005 11:40
To: 'Åke Edlund'; Dane Skow
Cc: Cowles, Robert D.; Olle Mulmo; David Groep; Von Welch
Subject: RE: MWSG in Amsterdam
Dear all,
I will submit something today. It won't be fully polished and  
certainly won't contain the 1000-3000 words and I'm afraid there  
will be no time to discuss what I submit much before I do it.
I plan to go for a half-day community workshop called "Authorization  
- Interoperability here and now" and aim it at developers (authZ and  
policy) and users (Grid infrastructures and application  
communities). We will invite talks on current AuthZ/Policy  
implementations (as used today), issues and (short-term) future  
plans and end up with a panel discussing what needs to be done to  
promote interoperability in the short term and what lessons are  
there longer term for standards and future developments.
I will take the liberty of naming all people receiving this mail as  
the "organisers". Hope this is OK.
If Dane and Olle can then support, we can hopefully put off the need  
for a more polished plan until the end of next week.
Immediate comments, suggestions welcome.  I intend to submit at  
about 15:00 (UK time - ie GMT) this afternoon. I will send you what  
I submit.
Regards
Dave
------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK
e-mail: D.P.Kelsey@rl.ac.uk
Tel: [+44](0)1235 445746 (direct)
Fax: [+44](0)1235 446733
------------------------------------------------
...
-----Original Message-----
From: Åke Edlund [mailto:edlund@pdc.kth.se]
Sent: 30 November 2005 08:17
To: Dane Skow; Kelsey, DP (David)
Cc: Cowles, Robert D.; Olle Mulmo; David Groep; Von Welch
Subject: Re: MWSG in Amsterdam
Hi all,
I'm stuck in the EU review of EGEE (and holidays between the
rehearsal and the real review (next week)). I'll be able to do work  
on this starting on Thursday next week, i.e. December 8. Too late?  
Cheers, Ake
On 05-11-29 19.45, "Dane Skow"  wrote:
...
Another bit of information on this: I mentioned our
thinking about a
...
workshop on AuthZ at GGF16 to Robert Fogel (the GGF Vice-Chair for
community) and Mark Linesch at SuperComputing and how it
might mesh
...
...
with the desire for an open "Inter-grid Interoperability"
meeting.
They are very positive, so I suspect that a proposal from a
committed
...
group of core organizers with a sketchy proposal would hold
the door
...
open for a week or so.  The immediate needs is to understand the
logistical and participant demands and overlaps (however
travel plan
...
deadlines are fast approaching). They suggested that such a
workshop
...
would be best later in the week with the Inter-grid meeting early.
I am willing to help with a workshop, but have too many
balls in the
...
air just now to drive this forward (and can't afford to be
"promoted"
...
like David ;-)). I've added Von to the list since I vaguely
recall he
...
(or Jim Basney ?) indicated willingness to help as well.
Dane
On Nov 29, 2005, at 12:15 PM, Kelsey, DP (David) wrote:
...
Ake, Dane et al,
I agree that the idea to go for a community track workshop sounds
good. I am afraid that I have had far too little time
recently to
push forward on the GGF16 plans, in spite of the fact
that my name
seems to have moved from my initial offer of "help" at GGF15 to  
"leading" :=)
Anyway... I have just looked at the GGF16 mechanisms for
requesting
...
...
sessions.
1. For general group-related sessions there is a web page...
http://www.ggf.org/gf/session_request/
(Dane told us about this soon after GGF15)
2. For the community track, there is also a web form...
http://www.ggf.org/ggf_events_communityInvolvmentProposal.htm
BUT, I have just noticed two frightening things....
A. The deadline is 30th November  (TOMORROW)
B. The form requires a 1000-3000 Synopsis, describing
goals, outline
...
...
etc etc
I am sorry to have to report that I just don't have time
to tackle
...
...
...
writing such a proposal this week? Is anyone else
able/willing to
take this on?
Regards
Dave
------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK
e-mail: D.P.Kelsey@rl.ac.uk
Tel: [+44](0)1235 445746 (direct)
Fax: [+44](0)1235 446733
------------------------------------------------
> -----Original Message-----
> From: Åke Edlund [mailto:edlund@pdc.kth.se]
> Sent: 29 November 2005 15:02
> To: Dane Skow; Kelsey, DP (David)
> Cc: Cowles, Robert D.; Olle Mulmo; David Groep
> Subject: Re: MWSG in Amsterdam
>
>
> Added Dave to the thread.
> Cheers,
> Ake
>
>
> On 05-11-29 15.59, "Åke Edlund"  wrote:
>
>
>> Hi Dane,
>>
>> Too bad to hear you can't join. Bob will, I hope?
>>
>> About the AuthZ/Intergrid workshop for Athens:
>>
>> From the slides at the MWSG:
>> ---
>> 1) Authz workshop at GGF16
>> ³Interop here and now², planning for the next ~2 years
>>
Dave & Von &
...
...
>> Åke
>>
>> 2) MWSG info session at GGF16 as well!?!?!?
>> Outreach & dissemination (Ake)"
>> ---
>> I see Dave as lead for 1) and I see 2) as a short 0,5-1 hr
>> presentation.
>>
>> Still, I got an idea from David Groep: to have a GGF
>>
> Community track
>
>> workshop" for a full afternoon (maybe by combining both
>>
> things 1) and
>
>> 2)). Inspired by the GGF15 AuthZ WS.
>>
>> Is this too late? Is it a good idea? How to book?
>>
>> Best,
>> Ake
>>
>
>
====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill@ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================