FYI, this has also been discussed extensively in an OGSA-WG - AuthZ-WG
joint teleconference -- see minutes attached. Action items from that
meeting include another teleconference in 2 weeks (Dec. 19), and a
request from the OGSA-WG to have people attend a January face-to-face
with some coverage on that topic. Frank Siebenlist is planning to
attend the latter meeting, as far as I know.
My take on this is that we are or have the opportunity to be in good
communication with the standards community on this topic, that the
standards to be discussed are those of language and interoperability
(e.g. SAML 2, XACML 3) and not those of specific implementations or
schema, but that increased participation from e.g. the privilege
project and VOBox - oriented community is necessary to work in the
direction of an attribute-based authorization standard that fits our
usage model.
Having people participate in these discussions can raise them from the
dead, and make it possible to work towards an attribute-based
authorization standard with wide acceptance that can be as accepted as
our authentication standards and lay the groundwork for future
interoperability efforts with other such projects. Further
participation by everyone is welcome.
Alan
From: hiro.kishimoto@jp.fujitsu.com
Subject: [OGSA-AUTHZ] [Fwd: [ogsa-wg] Teleconference minutes - 21
November 2005]
Date: November 22, 2005 2:44:10 AM CST
To: ogsa-authz@ggf.org, andreas.savva@jp.fujitsu.com
Hi all,
OGSA-AuthZ and OGSA-WG joint call minutes attached.
Thanks to Alan Sill and Andreas Savva for taking notes.
--
Hiro Kishimoto
From: Andreas Savva
Hi Bob,
GGF16 at Athens overlaps with chep06 in Mumbai. We have two accepted talks in Mumbai, one on authz for CE and one on authz for SE, both including role based authentication.
We also recently (at the Ultralight meeting at Caltech) discussed future use of the saml callout for obligations related to networking, in addition to the ones for CE & SE. We settled on a tentative schedule of late spring for work in this area, if I recall correctly. Rick Cavenaugh (UFL) would probably know for sure what we agreed on as tentative schedule.
Present status on OSG, the role based authz is deployed for CE at many places, and for SE at one place, UCSD. It's been deployed in the production installation of dcache for cms during LHC service challenge 3. Though, I'm not certain that the cms sc3 data was written using a cert with a role. Abhishek can comment on that.
It's not clear to me what level of input would be appropriate on these things for GGF16.
Thanks, frank
Cowles, Robert D. wrote:
FYI
-----Original Message-----
From: Kelsey, DP (David) [mailto:D.P.Kelsey@rl.ac.uk]
Sent: Wednesday, November 30, 2005 8:39 AM
To: Åke Edlund; Dane Skow; Cowles, Robert D.; Olle Mulmo; David Groep; Von Welch
Subject: RE: MWSG in Amsterdam
Dear All,
Well. I submitted a proposal via the GGF16 web form. I attach what I submitted. It's far from perfect and I apologise that there was not enough time to discuss this with you before it went in. I am sure there will be many suggestions and complaints about what I said. So... Please provide these now and we can update our plans during the next 10 days.
Dane and Olle... Please can you lobby in appropriate places to increase our chances of success?
I am on leave now until Tuesday 6th December so don't expect instant replies from me.
Best regards (and thanks for agreeing (silently) to co-organise. If you wish to remove your name please also shout!) Dave
----------------------------------
GGF16 Community Program Proposal
D Kelsey, 30 Nov 2005

Proposer's Name: David Kelsey
Affiliation: CCLRC Rutherford Appleton Laboratory, UK
email address: d.p.kelsey@rl.ac.uk
Proposed title: Grid Authorization - Interoperability here and now
Session type: Workshop
Proposed Duration: Half-day
Target audience: Technical experts and interested parties.
Estimated number of attendees: 50 (hopefully more)
Abstract
----------------
This workshop will consider short-term (now and next two years) Grid Authorization and Policy implementations, requirements and issues. It will investigate what improvements can be made to encourage and facilitate interoperability between Grid operational infrastructures. It will also consider lessons learned from today's implementations for the Grid security standards activities in GGF for the longer-term future.

Synopsis
----------------
This is very much a draft. There has not been enough time to discuss with co-organisers. Apologies. We plan to provide a better/proper size version by 9th December. Dane Skow encouraged me to submit now to meet the deadline with this incomplete plan.

The following people are currently co-organizers of this workshop. More may volunteer later. The push has come from the GGF Security Area. We would like to find some co-organizers from the application communities and Grid operations.

Bob Cowles (SLAC and OSG Security co-chair)
Ake Edlund (KTH and EGEE Director of Security)
David Groep (NIKHEF and IGTF chair)
David Kelsey (CCLRC and LCG/EGEE Joint Security Policy Group chair)
Olle Mulmo (KTH and GGF Security Area Director)
Dane Skow (FNAL and GGF Security Area Director)
Von Welch (NCSA and Globus Alliance)
The goals of the workshop are as described in the Abstract.
Target audience Technical experts and interested parties. Grid security developers, Grid deployers (operational infrastructures) and Grid users (application communities)
Background. Much effort has been put into the work on Grid Authentication, culminating in the successful launch at GGF15 of the International Grid Trust Federation (IGTF). The work of IGTF and its three regional Policy Management Authorities ensures that Grid Users can obtain a single electronic identity (X.509 certificate) and use this on any Grid infrastructure which has decided to use the CA's from IGTF. Grid Authorization is much less mature. Many large-scale application communities (VOs) are global in nature and have the need to access multiple Grid infrastructures. While Authentication is performed at the employing institute level, the Authorization (AuthZ) assertions need to be controlled at the VO level. The VO (global) policy assertions then need to be combined with local (site-level) policy specifications before an Authorization decision can be made and enforced. There is a very important requirement for interoperability in AuthZ between Grids in terms of protocols and evaluation of the AuthZ/Policy assertions so that different implementations can interwork and reach the same AuthZ decisions.
Outline of the foreseen agenda. We will invite/solicit talks from current operational Grid Infrastructures and also from Application communities requiring the ability to run applications across multiple Grids. These will describe their current (and short-term future) implementations of AuthZ and policy. There may be room for Grid security developers to present their status and plans but this has been done before (e.g. at GGF15) and is not the main thrust of the workshop. A major component of the workshop is a discussion session (perhaps in the form of a panel) to investigate the lessons learned from the earlier presentations both for improving short-term interoperability and as input to longer-term standardisation.
As well as copies of slides shown we plan to produce a document describing the issues identified and conclusions from the discussion.
------------------------------------
Technology requirements: Standard A/V

Prerequisite skills: Some understanding of Grid security concepts. Appreciation of requirements for Authorization and/or Policy and interoperability between Grid infrastructures

Technological requirements for participants: Not sure what this means? How is it different from prerequisite skills?

Suggestions on how to advertise:
Via appropriate GGF area mail lists (e.g. security)
Via targeted mails to known Grid infrastructure projects, application communities and known developers
------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK

e-mail: D.P.Kelsey@rl.ac.uk
Tel: +44 (0)1235 445746 (direct)
Fax: +44 (0)1235 446733
------------------------------------------------
-----Original Message-----
From: Kelsey, DP (David)
Sent: 30 November 2005 11:40
To: 'Åke Edlund'; Dane Skow
Cc: Cowles, Robert D.; Olle Mulmo; David Groep; Von Welch
Subject: RE: MWSG in Amsterdam
Dear all,
I will submit something today. It won't be fully polished and certainly won't contain the 1000-3000 words and I'm afraid there will be no time to discuss what I submit much before I do it.
I plan to go for a half-day community workshop called "Authorization - Interoperability here and now" and aim it at developers (authZ and policy) and users (Grid infrastructures and application communities). We will invite talks on current AuthZ/Policy implementations (as used today), issues and (short-term) future plans and end up with a panel discussing what needs to be done to promote interoperability in the short term and what lessons are there longer term for standards and future developments.
I will take the liberty of naming all people receiving this mail as the "organisers". Hope this is OK.
If Dane and Olle can then support, we can hopefully put off the need for a more polished plan until the end of next week.
Immediate comments, suggestions welcome. I intend to submit at about 15:00 (UK time - ie GMT) this afternoon. I will send you what I submit.
Regards Dave
-----Original Message-----
From: Åke Edlund [mailto:edlund@pdc.kth.se]
Sent: 30 November 2005 08:17
To: Dane Skow; Kelsey, DP (David)
Cc: Cowles, Robert D.; Olle Mulmo; David Groep; Von Welch
Subject: Re: MWSG in Amsterdam
Hi all, I'm stuck in the EU review of EGEE (and holidays between the rehearsal and the real review (next week)). I'll be able to do work on this starting on Thursday next week, i.e. December 8. Too late? Cheers, Ake
On 05-11-29 19.45, "Dane Skow" wrote:

Another bit of information on this: I mentioned our thinking about a workshop on AuthZ at GGF16 to Robert Fogel (the GGF Vice-Chair for community) and Mark Linesch at SuperComputing and how it might mesh with the desire for an open "Inter-grid Interoperability" meeting. They are very positive, so I suspect that a proposal from a committed group of core organizers with a sketchy proposal would hold the door open for a week or so. The immediate need is to understand the logistical and participant demands and overlaps (however travel plan deadlines are fast approaching). They suggested that such a workshop would be best later in the week with the Inter-grid meeting early.

I am willing to help with a workshop, but have too many balls in the air just now to drive this forward (and can't afford to be "promoted" like David ;-)). I've added Von to the list since I vaguely recall he (or Jim Basney ?) indicated willingness to help as well.
Dane
On Nov 29, 2005, at 12:15 PM, Kelsey, DP (David) wrote:
Ake, Dane et al,
I agree that the idea to go for a community track workshop sounds good. I am afraid that I have had far too little time recently to push forward on the GGF16 plans, in spite of the fact that my name seems to have moved from my initial offer of "help" at GGF15 to "leading" :=)
Anyway... I have just looked at the GGF16 mechanisms for requesting sessions.
1. For general group-related sessions there is a web page... http://www.ggf.org/gf/session_request/
(Dane told us about this soon after GGF15)
2. For the community track, there is also a web form... http://www.ggf.org/ggf_events_communityInvolvmentProposal.htm
BUT, I have just noticed two frightening things....
A. The deadline is 30th November (TOMORROW)
B. The form requires a 1000-3000 Synopsis, describing goals, outline etc etc
I am sorry to have to report that I just don't have time to tackle writing such a proposal this week. Is anyone else able/willing to take this on?
Regards Dave
> -----Original Message-----
> From: Åke Edlund [mailto:edlund@pdc.kth.se]
> Sent: 29 November 2005 15:02
> To: Dane Skow; Kelsey, DP (David)
> Cc: Cowles, Robert D.; Olle Mulmo; David Groep
> Subject: Re: MWSG in Amsterdam
>
> Added Dave to the thread.
> Cheers,
> Ake
>
> On 05-11-29 15.59, "Åke Edlund" wrote:
>
>> Hi Dane,
>>
>> Too bad to hear you can't join. Bob will, I hope?
>>
>> About the AuthZ/Intergrid workshop for Athens:
>>
>> From the slides at the MWSG:
>> ---
>> 1) Authz workshop at GGF16
>> "Interop here and now", planning for the next ~2 years
>> Dave & Von & Åke
>>
>> 2) MWSG info session at GGF16 as well!?!?!?
>> Outreach & dissemination (Ake)"
>> ---
>> I see Dave as lead for 1) and I see 2) as a short 0,5-1 hr
>> presentation.
>>
>> Still, I got an idea from David Groep: to have a GGF Community track
>> workshop" for a full afternoon (maybe by combining both things 1) and
>> 2)). Inspired by the GGF15 AuthZ WS.
>>
>> Is this too late? Is it a good idea? How to book?
>>
>> Best,
>> Ake
====================================================================
: Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167   :
: e-mail: Alan.Sill@ttu.edu  ph. 806-742-4350  fax 806-742-4358    :
====================================================================