FYI, this has also been discussed extensively in an OGSA-WG - AuthZ-WG joint teleconference -- see minutes attached. Action items from that meeting include another teleconference in 2 weeks (Dec. 19), and a request from the OGSA-WG to have people attend a January face-to-face with some coverage on that topic. Frank Siebenlist is planning to attend the latter meeting, as far as I know.

My take on this is that we are or have the opportunity to be in good communication with the standards community on this topic, that the standards to be discussed are those of language and interoperability (e.g. SAML 2, XACML 3) and not those of specific implementations or schema, but that increased participation from e.g. the privilege project and VOBox-oriented community is necessary to work in the direction of an attribute-based authorization standard that fits our usage model. Having people participate in these discussions can raise them from the dead, and make it possible to work towards an attribute-based authorization standard with wide acceptance that can be as accepted as our authentication standards and lay the groundwork for future interoperability efforts with other such projects.

Further participation by everyone is welcome.

Alan

From: hiro.kishimoto@jp.fujitsu.com
Subject: [OGSA-AUTHZ] [Fwd: [ogsa-wg] Teleconference minutes - 21 November 2005]
Date: November 22, 2005 2:44:10 AM CST
To: ogsa-authz@ggf.org, andreas.savva@jp.fujitsu.com

Hi all,

OGSA-AuthZ and OGSA-WG joint call minutes attached. Thanks to Alan Sill and Andreas Savva for taking notes.

-- Hiro Kishimoto

From: Andreas Savva <andreas.savva@jp.fujitsu.com>
Date: November 22, 2005 2:20:12 AM CST
To: "'ogsa-wg'" <ogsa-wg@gridforum.org>
Subject: [ogsa-wg] Teleconference minutes - 21 November 2005

Minutes attached. Thanks to Alan Sill for his excellent notes of the AuthZ discussion.
https://forge.gridforum.org/projects/ogsa-wg/document/minutes-20051121/en/1

-- Andreas Savva
Fujitsu Laboratories Ltd

OGSA Teleconference - 21 November 2005
========================================

* Participants
Pete Ziu (Northrop Grumman)
Von Welch (NCSA)
Alan Sill (Texas Tech Univ.)
Frank Siebenlist (ANL)
Andreas Savva (Fujitsu)
Takuya Mori (NEC)
Mark Morgan (UVa)
Tom Maguire (EMC)
Fred Maciel (Hitachi)
Hiro Kishimoto (Fujitsu)
Dave Berry (NeSC)
Michael Behrens (R2AD, LLC)

Apologies: Ellen Stokes
Minutes: Andreas Savva, Alan Sill

* November 16 minutes approved with no changes

* OGSA AuthZ Joint Call

** Background
Alan described OSG, EGEE and made mention of GridShib efforts, and the desire to support a more standards-based approach to attribute-based authorization. A strong desire exists both within the user communities and at the funding agency level, he believes, for a standards-based approach to authorization that can interoperate with and be complementary to the existing standards-based approach to CA operations being taken by the CAOps-WG and the PMA technical community. (cf. http://gridpma.org for the IGTF = International Grid Trust Federation and its member organizations.)

He also noted that there is ongoing research and work being done to extend and supplement the "classic PKI" authentication profile, for example with the Short-Lived Credential Service (SLCS) profile being considered by TAG PMA (The Americas Grid PMA) and about to come up for voting there.

** Future directions (OGSA services, federated authentication)
Frank said the most important task is to come up with an improved authorization query interface. The present one is based on SAML 1.1 and lacks features needed to communicate easily such attributes as groups and roles. Version 2 of the OGSA AuthZ specification needs to define interfaces so such attributes can be communicated more easily. The hope is to leverage part of the work done in the OASIS XACML TC for the XACML 3.0 spec. (Frank is a member of the TC.) The TC has come to some agreement on how to proceed and is preparing to write up WSDL, etc. Ideally this could be used as is provided it fits the Grid requirements.

At the last GGF, the two groups had separate face-to-face meetings at the same time, which interfered with progress. Alan noted that there was good attendance at the AuthZ GGF15 wrap-up meeting, nonetheless.

Von Welch agreed with the above summary of priorities, but noted that there is a need for far more people and fresh blood. Alan added that he would like to see representation from at least 3 communities: the OSG Privilege Project authors, the LCG Joint Security Group, and members of the Shibboleth community who are interested in working in the direction of international standards.

Hiro asked what would be required to use the XACML v3 query i/f with the OGSA WSRF BP. Frank and Tom agreed that the XACML i/f would be complementary to the BP and it should be possible to compose the two. There is no reason to have a WSRF-specific XACML i/f.

Hiro asked whether standardizing on the schema or alternatively on a language for defining attribute characteristics is preferable. Alan responded that from his point of view, the latter (an attribute language) is preferable, as schema can become outdated and attribute spaces are by their nature extensible, and that a possible reason for failure of previous AuthZ efforts might be due to attempts to overly specify the schema. (Since it is not possible to do an exhaustive definition of the attributes.)

** OGSA-AuthZ WG status update (specs)
- Is there a plan to produce a new version of the Attributes specification? It is important for people who are implementing this specification to come forward and join the discussion. The WG has to see what is being adopted and what needs to be done before moving forward. Alan volunteered to take this discussion to VOMS and try to get people to join.
- What is the status of the submitted AuthZ documents? The Attributes document completed its public comment period and was returned back to the authors for revision. There was some uncertainty on the call whether this document was pulled out of the process altogether or whether it was going to move forward after changing its type to Experimental. There was also an issue with making it WSRF based, or combinable with the OGSA WSRF profile. Von will check the status of this document.

** Next steps
Hiro suggested having another joint call in Dec.; it was set for the OGSA call on Dec. 19 (Mon.). Hiro also asked whether AuthZ WG members can attend the next OGSA F2F in Sunnyvale in January (week of 16).
- It was pointed out that the AuthZ specific discussion is likely to occupy a very small slot (1-2 hours) during the 5 day meeting.
- Frank Siebenlist will attend in person.
- Von and Alan may join by phone if it is not possible to attend in-person.
Agreed to advertise both the joint call and the F2F and try to get wider participation.

* Profile Definition Review
- Tom changed his Affiliation.
- Consensus on the call not to add implementation status examples.
- Agreed that the change from "In other words" to "For example" in the last sections and related changes in wording are appropriate.
- Other minor wording changes.
Tom will accept all changes, post a new draft and announce a final call to list, lasting to next week Wednesday. (This is to allow for people who may be on holiday this week.) Tom will also reply to comments on the public forum.

* Security Profile - Secure Channel Review
- Using version sent out by Hiro to the list.
** Tracker review (Numbers correspond to tracker artifacts)
- 1657: added; close.
- 1658: MLS is dropped; close.
- 1659: No problem using SSL; close.
- 1662: Checked that there are no significant changes that affect this profile; updated; fixed.
- 1663: Updated to remove dependency; fixed.
- 1685: Added secure channel definition: fixed
  - Does any part of this definition imply encryption? Yes, integrity does.
- 1697: Revised the list but the explanatory text still needs work to make clearer what the profile is doing. It is ok to combine some of these items if it will make the explanation easier.
  - Takuya to draft some text and review with Andreas
- 1698: Strictly speaking the features described in section 3.4 and section 4 are orthogonal to the rest of the profile. Tokens, and the key exchange mini-specification would apply to both TLS and MLS.
  - If this text is left here then the MLS profile would have to depend on this profile; or worse, duplicate the same text.
  - Frank proposed that if these sections are needed in general then it might be worth deleting these sections from the Secure Channel Profile and adding them to the WSRF Basic Profile.
  - Agreed, in principle, to remove the sections from this spec. and discuss how to make them apply to any profile.
  - Andreas proposed that these sections should be part of a Basic Security Profile and that Profile could then be combined with the WSRF BP or be referenced by the Channel profiles. The Claim URI mechanism defined in the WSRF BP allows multiple Security profiles to be composed with it so there would be no problem with this approach.
  - Hiro proposed that such a Basic Security Profile could also serve as an 'anonymous' channel profile (one that makes no statements on channel security) and could also solve the problem of having a separate, essentially empty, profile document with no security statements.
  - Andreas was tasked to write up the proposal for splitting up the Secure Channel Profile and send it to the list to collect feedback from stakeholders not on the call.

* UML Tool Choice
- No opposition on the list or the call for the Rational choice.
- Agreed that there are a couple of things that need to be cleared up, and until that time the choice is still tentative.
- Hiro to follow up with Ellen on the IBM liaison and with the GGF Office and make sure that we can use the tool for GGF work.
- Mike proposed that CDs should be made available at the next F2F.

* OGSA 1.5 review
- Postponed due to lack of time.

* Next call
- OGSA 1.5 review
- Basic security profile discussion

On Dec 5, 2005, at 2:37 AM, Frank Wuerthwein wrote:
Hi Bob,
GGF16 at Athens overlaps with chep06 in Mumbai. We have two accepted talks in Mumbai, one on authz for CE and one on authz for SE, both including role based authentication.
We also recently (at the Ultralight meeting at Caltech) discussed future use of the saml callout for obligations related to networking, in addition to the ones for CE & SE. We settled on a tentative schedule of late spring for work in this area, if I recall correctly. Rick Cavenaugh (UFL) would probably know for sure what we agreed on as tentative schedule.
Present status on OSG, the role based authz is deployed for CE at many places, and for SE at one place, UCSD. It's been deployed in the production installation of dcache for cms during LHC service challenge 3. Though, I'm not certain that the cms sc3 data was written using a cert with a role. Abhishek can comment on that.
It's not clear to me what level of input would be appropriate on these things for GGF16.
Thanks, frank
Cowles, Robert D. wrote:
FYI
-----Original Message-----
From: Kelsey, DP (David) [mailto:D.P.Kelsey@rl.ac.uk]
Sent: Wednesday, November 30, 2005 8:39 AM
To: Åke Edlund; Dane Skow; Cowles, Robert D.; Olle Mulmo; David Groep; Von Welch
Subject: RE: MWSG in Amsterdam
Dear All,
Well. I submitted a proposal via the GGF16 web form. I attach what I submitted. It's far from perfect and I apologise that there was not enough time to discuss this with you before it went in. I am sure there will be many suggestions and complaints about what I said. So... Please provide these now and we can update our plans during the next 10 days.
Dane and Olle... Please can you lobby in appropriate places to increase our chances of success?
I am on leave now until Tuesday 6th December so don't expect instant replies from me.
Best regards (and thanks for agreeing (silently) to co-organise. If you wish to remove your name please also shout!) Dave
----------------------------------
GGF16 Community Program Proposal
D Kelsey 30 Nov 2005

Proposer's Name: David Kelsey
Affiliation: CCLRC Rutherford Appleton Laboratory, UK
email address: d.p.kelsey@rl.ac.uk
Proposed title: Grid Authorization - Interoperability here and now
Session type: Workshop
Proposed Duration: Half-day
Target audience: Technical experts and interested parties.
Estimated number of attendees: 50 (hopefully more)
Abstract
----------------
This workshop will consider short-term (now and next two years) Grid Authorization and Policy implementations, requirements and issues. It will investigate what improvements can be made to encourage and facilitate interoperability between Grid operational infrastructures. It will also consider lessons learned from today's implementations for the Grid security standards activities in GGF for the longer-term future.

Synopsis
----------------
This is very much a draft. There has not been enough time to discuss with co-organisers. Apologies. We plan to provide a better/proper size version by 9th December. Dane Skow encouraged me to submit now to meet the deadline with this incomplete plan. The following people are currently co-organizers of this workshop. More may volunteer later. The push has come from the GGF Security Area. We would like to find some co-organizers from the application communities and Grid operations.

Bob Cowles (SLAC and OSG Security co-chair)
Ake Edlund (KTH and EGEE Director of Security)
David Groep (NIKHEF and IGTF chair)
David Kelsey (CCLRC and LCG/EGEE Joint Security Policy Group chair)
Olle Mulmo (KTH and GGF Security Area Director)
Dane Skow (FNAL and GGF Security Area Director)
Von Welch (NCSA and Globus Alliance)
The goals of the workshop are as described in the Abstract.
Target audience: Technical experts and interested parties. Grid security developers, Grid deployers (operational infrastructures) and Grid users (application communities)

Background. Much effort has been put into the work on Grid Authentication, culminating in the successful launch at GGF15 of the International Grid Trust Federation (IGTF). The work of IGTF and its three regional Policy Management Authorities ensures that Grid Users can obtain a single electronic identity (X.509 certificate) and use this on any Grid infrastructure which has decided to use the CAs from IGTF. Grid Authorization is much less mature. Many large-scale application communities (VOs) are global in nature and have the need to access multiple Grid infrastructures. While Authentication is performed at the employing institute level, the Authorization (AuthZ) assertions need to be controlled at the VO level. The VO (global) policy assertions then need to be combined with local (site-level) policy specifications before an Authorization decision can be made and enforced. There is a very important requirement for interoperability in AuthZ between Grids in terms of protocols and evaluation of the AuthZ/Policy assertions so that different implementations can interwork and reach the same AuthZ decisions.
Outline of the foreseen agenda. We will invite/solicit talks from current operational Grid Infrastructures and also from Application communities requiring the ability to run applications across multiple Grids. These will describe their current (and short-term future) implementations of AuthZ and policy. There may be room for Grid security developers to present their status and plans but this has been done before (e.g. at GGF15) and is not the main thrust of the workshop. A major component of the workshop is a discussion session (perhaps in the form of a panel) to investigate the lessons learned from the earlier presentations both for improving short-term interoperability and as input to longer-term standardisation.
As well as copies of slides shown we plan to produce a document describing the issues identified and conclusions from the discussion.
------------------------------------
Technology requirements: Standard A/V

Prerequisite skills: Some understanding of Grid security concepts. Appreciation of requirements for Authorization and/or Policy and interoperability between Grid infrastructures

Technological requirements for participants: Not sure what this means? How is it different from prerequisite skills?

Suggestions on how to advertise:
Via appropriate GGF area mail lists (e.g. security)
Via targeted mails to known Grid infrastructure projects, application communities and known developers
------------------------------------------------ Dr David Kelsey Particle Physics Department Rutherford Appleton Laboratory Chilton, DIDCOT, OX11 0QX, UK
e-mail: D.P.Kelsey@rl.ac.uk Tel: [+44](0)1235 445746 (direct) Fax: [+44](0)1235 446733 ------------------------------------------------
-----Original Message-----
From: Kelsey, DP (David)
Sent: 30 November 2005 11:40
To: 'Åke Edlund'; Dane Skow
Cc: Cowles, Robert D.; Olle Mulmo; David Groep; Von Welch
Subject: RE: MWSG in Amsterdam
Dear all,
I will submit something today. It won't be fully polished and certainly won't contain the 1000-3000 words and I'm afraid there will be no time to discuss what I submit much before I do it.
I plan to go for a half-day community workshop called "Authorization - Interoperability here and now" and aim it at developers (authZ and policy) and users (Grid infrastructures and application communities). We will invite talks on current AuthZ/Policy implementations (as used today), issues and (short-term) future plans and end up with a panel discussing what needs to be done to promote interoperability in the short term and what lessons are there longer term for standards and future developments.
I will take the liberty of naming all people receiving this mail as the "organisers". Hope this is OK.
If Dane and Olle can then support, we can hopefully put off the need for a more polished plan until the end of next week.
Immediate comments, suggestions welcome. I intend to submit at about 15:00 (UK time - ie GMT) this afternoon. I will send you what I submit.
Regards Dave
------------------------------------------------ Dr David Kelsey Particle Physics Department Rutherford Appleton Laboratory Chilton, DIDCOT, OX11 0QX, UK
e-mail: D.P.Kelsey@rl.ac.uk Tel: [+44](0)1235 445746 (direct) Fax: [+44](0)1235 446733 ------------------------------------------------
-----Original Message-----
From: Åke Edlund [mailto:edlund@pdc.kth.se]
Sent: 30 November 2005 08:17
To: Dane Skow; Kelsey, DP (David)
Cc: Cowles, Robert D.; Olle Mulmo; David Groep; Von Welch
Subject: Re: MWSG in Amsterdam
Hi all, I'm stuck in the EU review of EGEE (and holidays between the rehearsal and the real review (next week)). I'll be able to do work on this starting on Thursday next week, i.e. December 8. Too late? Cheers, Ake
On 05-11-29 19.45, "Dane Skow" <dane@fnal.gov> wrote:
Another bit of information on this: I mentioned our thinking about a workshop on AuthZ at GGF16 to Robert Fogel (the GGF Vice-Chair for community) and Mark Linesch at SuperComputing and how it might mesh with the desire for an open "Inter-grid Interoperability" meeting. They are very positive, so I suspect that a proposal from a committed group of core organizers with a sketchy proposal would hold the door open for a week or so. The immediate need is to understand the logistical and participant demands and overlaps (however travel plan deadlines are fast approaching). They suggested that such a workshop would be best later in the week with the Inter-grid meeting early.

I am willing to help with a workshop, but have too many balls in the air just now to drive this forward (and can't afford to be "promoted" like David ;-)). I've added Von to the list since I vaguely recall he (or Jim Basney ?) indicated willingness to help as well.

Dane
On Nov 29, 2005, at 12:15 PM, Kelsey, DP (David) wrote:
Ake, Dane et al,
I agree that the idea to go for a community track workshop sounds good. I am afraid that I have had far too little time recently to push forward on the GGF16 plans, in spite of the fact that my name seems to have moved from my initial offer of "help" at GGF15 to "leading" :=)
Anyway... I have just looked at the GGF16 mechanisms for requesting sessions.

1. For general group-related sessions there is a web page... http://www.ggf.org/gf/session_request/
(Dane told us about this soon after GGF15)

2. For the community track, there is also a web form... http://www.ggf.org/ggf_events_communityInvolvmentProposal.htm

BUT, I have just noticed two frightening things....

A. The deadline is 30th November (TOMORROW)
B. The form requires a 1000-3000 Synopsis, describing goals, outline etc etc

I am sorry to have to report that I just don't have time to tackle writing such a proposal this week. Is anyone else able/willing to take this on?

Regards
Dave
------------------------------------------------ Dr David Kelsey Particle Physics Department Rutherford Appleton Laboratory Chilton, DIDCOT, OX11 0QX, UK
e-mail: D.P.Kelsey@rl.ac.uk Tel: [+44](0)1235 445746 (direct) Fax: [+44](0)1235 446733 ------------------------------------------------
> -----Original Message-----
> From: Åke Edlund [mailto:edlund@pdc.kth.se]
> Sent: 29 November 2005 15:02
> To: Dane Skow; Kelsey, DP (David)
> Cc: Cowles, Robert D.; Olle Mulmo; David Groep
> Subject: Re: MWSG in Amsterdam
>
> Added Dave to the thread.
> Cheers,
> Ake
>
> On 05-11-29 15.59, "Åke Edlund" <edlund@pdc.kth.se> wrote:
>
>> Hi Dane,
>>
>> Too bad to hear you can't join. Bob will, I hope?
>>
>> About the AuthZ/Intergrid workshop for Athens:
>>
>> From the slides at the MWSG:
>> ---
>> 1) Authz workshop at GGF16
>> "Interop here and now", planning for the next ~2 years
>> Dave & Von & Åke
>>
>> 2) MWSG info session at GGF16 as well!?!?!?
>> Outreach & dissemination (Ake)"
>> ---
>> I see Dave as lead for 1) and I see 2) as a short 0,5-1 hr presentation.
>>
>> Still, I got an idea from David Groep: to have a GGF "Community track workshop" for a full afternoon (maybe by combining both things 1) and 2)). Inspired by the GGF15 AuthZ WS.
>>
>> Is this too late? Is it a good idea? How to book?
>>
>> Best,
>> Ake
==================================================================== : Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 : : e-mail: Alan.Sill@ttu.edu ph. 806-742-4350 fax 806-742-4358 : ====================================================================
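The technical thread running through the messages above (the minutes' call for an authorization query that can carry group and role attributes rather than a fixed schema, the proposal's point that VO-level attribute assertions have to be combined with site-level policy before a decision is made and enforced, and Frank Wuerthwein's mention of obligations returned by the callout), as an added worked example. This is not code from the OGSA-AuthZ WG, VOMS, the OSG Privilege Project or any other project named in the thread; the data classes, the `decide()` function, the DNs, VO, group and role names, the issuer string and the site rules are all constructed for illustration, and a trusted-issuer name check stands in for the signature verification a real attribute assertion would receive.

```python
"""VO-issued group/role attributes combined with site-level policy to reach an
authorization decision.  Added example, not code from the OGSA-AuthZ WG, VOMS,
the OSG Privilege Project or any project in the thread; every DN, VO, group,
role, issuer and policy rule below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class VOAttribute:
    """One group/role membership asserted by the VO's attribute authority."""
    vo: str
    group: str             # e.g. "/cms/production"
    role: Optional[str]    # e.g. "lcgadmin"; None when no role was asserted


@dataclass(frozen=True)
class AttributeAssertion:
    """What the VO attribute authority asserts about an authenticated subject.
    A real one (VOMS AC, SAML attribute statement) is signed; the trusted-issuer
    check in decide() stands in for that signature verification here."""
    subject_dn: str
    issuer: str
    not_before: datetime
    not_after: datetime
    attributes: Tuple[VOAttribute, ...]   # in the order the VO listed them


@dataclass(frozen=True)
class SitePolicy:
    """Site policy written over VO attributes, not individual identities."""
    trusted_issuers: FrozenSet[str]
    banned_subjects: FrozenSet[str]
    # (vo, group, role) -> (actions granted, local account to map the job to)
    rules: Dict[Tuple[str, str, Optional[str]], Tuple[FrozenSet[str], str]]


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str
    obligations: Tuple[Tuple[str, str], ...] = ()   # the PEP must honour these


def decide(policy: SitePolicy, assertion: AttributeAssertion,
           action: str, now: datetime) -> Decision:
    """Combine the VO assertion with site policy.  Evaluation order is part of
    the interoperability contract (same inputs, same answer at every site):
    site-level denials first (deny overrides the VO), then attributes in VO
    order, first match wins; a role-specific rule beats the bare group rule."""
    if assertion.subject_dn in policy.banned_subjects:
        return Decision(False, "subject banned by site policy")
    if assertion.issuer not in policy.trusted_issuers:
        return Decision(False, "attribute issuer not trusted by site")
    if not (assertion.not_before <= now < assertion.not_after):
        return Decision(False, "attribute assertion outside validity window")
    for attr in assertion.attributes:
        for key in ((attr.vo, attr.group, attr.role), (attr.vo, attr.group, None)):
            rule = policy.rules.get(key)
            if rule is not None and action in rule[0]:
                return Decision(True, "matched site rule %r" % (key,),
                                (("map-to-local-account", rule[1]),))
    return Decision(False, "no site rule grants %r for the asserted attributes" % action)


# --- constructed sample policy and requests ------------------------------
VOMS_ISSUER = "/DC=example/O=VOMS/CN=voms.example.org"
EVE = "/DC=example/O=People/CN=Eve Banned"
ALICE = "/DC=example/O=People/CN=Alice Operator"
NOW = datetime(2005, 12, 5, 12, 0, tzinfo=timezone.utc)
SITE = SitePolicy(
    trusted_issuers=frozenset({VOMS_ISSUER}),
    banned_subjects=frozenset({EVE}),
    rules={
        ("cms", "/cms/production", "lcgadmin"): (frozenset({"submit", "write"}), "cmsadmin"),
        ("cms", "/cms/production", None): (frozenset({"submit"}), "cmsprod"),
        ("cms", "/cms", None): (frozenset({"read"}), "cms"),
    },
)

def assertion(dn: str, attrs: Tuple[VOAttribute, ...], issuer: str = VOMS_ISSUER,
              expired: bool = False) -> AttributeAssertion:
    start = NOW - timedelta(hours=3 if expired else 1)     # 2-hour lifetime
    return AttributeAssertion(dn, issuer, start, start + timedelta(hours=2), attrs)

def run_cases() -> Dict[str, Decision]:
    """Evaluate constructed requests against SITE; keys name the scenario."""
    prod = VOAttribute("cms", "/cms/production", None)
    admin = VOAttribute("cms", "/cms/production", "lcgadmin")
    member = VOAttribute("cms", "/cms", None)
    cases = {
        "admin-write": (assertion(ALICE, (admin,)), "write"),
        "member-write": (assertion(ALICE, (prod,)), "write"),
        "member-submit": (assertion(ALICE, (prod,)), "submit"),
        "admin-read-via-group": (assertion(ALICE, (admin, member)), "read"),
        "banned": (assertion(EVE, (admin,)), "submit"),
        "untrusted-issuer": (assertion(ALICE, (admin,), issuer="/CN=rogue"), "submit"),
        "expired": (assertion(ALICE, (admin,), expired=True), "submit"),
    }
    return {name: decide(SITE, a, act, NOW) for name, (a, act) in cases.items()}
```

The choices baked into `decide()` (site denials before anything the VO says, attributes evaluated in the order the VO listed them, a role-specific rule taking precedence over the bare group rule, and the local-account mapping returned as an obligation rather than performed inside the decision) are exactly the kind of thing two sites have to agree on if, as the proposal puts it, different implementations are to reach the same AuthZ decision from the same assertions; a site that evaluated the group rule before the role rule would map the "admin-read-via-group" request differently while still being "correct" under its own policy.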