Hi all, Sorry for not forwarding on sooner. This is the AuthZ model that GENI is using. It might be interesting to see if this is applicable to any folks here. - Chin ---------- Forwarded message ---------- From: Stephen Schwab <schwab@isi.edu> Date: Mon, May 5, 2014 at 5:24 PM Subject: Re: NSI and ABAC To: Chin Guok <chin@es.net>, faber@isi.edu Cc: Tom Lehman <tlehman@umd.edu>, Tomohiro Kudoh <t.kudoh@aist.go.jp>, Guy Roberts <Guy.Roberts@dante.net>, John MacAuley <macauley@es.net> Chin, others — Let me also introduce Ted Faber <faber@isi.edu>, who has lead much of the implementation and integration work using ABAC within the DETER and GENI-sponsored “TIED” project. http://abac.deterlab.net is our wiki. From there, you can find links to some introductory material under the GENI TIED project page, as well as pointers to the latest software release. There are many slides and papers on ABAC, going back to the work of Li, Mitchell and Will Winsborough. Basically, Will Winsborough was working in my lab at McAfee Research (later sold to SPARTA), when he collaborated with Li and Mitchell at Stanford on a DARPA project that defined and implemented the formal authorization semantics in the first ABAC prototype. The TIED project later re-wrote that prototype into a stand-alone library with bindings in C, Java, Python and Perl. Jeff Chase at Duke, another collaborator on this thrust of work, wrote up a nice summary note that might be an excellent starting point. We can bury you in paper all too easily, and I don’t want to do that. ABAC is a really simple idea, translated into working software, that can be a great starting point for many distributed authorization systems. We’d like to pursue its use across several of the emerging nationally funded research network infrastructures. —Steve -- Chin Guok NOC: (510) 486-7600 Network Engineer (800) 333-7638 ESnet Network Engineering Group (AS293) Lawrence Berkeley National Laboratory