Von Welch wrote:
Draft notes from today's OGSA-Authz WG meeting. Please send corrections or additions. In particular there were protocols referred to at a couple of points that need exact identification, which are marked with "XXX".
Von
----
* Preamble
  David brought meeting to order
  Circulated OGF IP sign-in sheet
  Von volunteers to scribe
* Telecon Update
Decision: Once every two months, we will take one of the OGSA-WG phone call slots to report to the larger community. Next date will be March 8th.
  Decision: Telecon dates: February 13th, March 7th, April 3rd, April 23rd
* Functional Components Doc
  Latest version is Oct 24th version
  Outstanding issue: implications of carrying attributes and credentials within the same protocol or within different protocols [XXX pointer?]
"Functional Components of Grid Service Provider Authorisation Service Middleware" available from http://forge.gridforum.org/sf/go/doc13968?nav=1
  Outstanding issue: Id vs URL issue raised by Tom Scavo [XXX pointer?]
  Doc should then be ready for WG final call and progression to AD
* Protocol Doc Updates
  Described 3 protocols:
  1) PEP-Context Handler: no profile proposed. Maybe the same as protocol #3 if credential equivalent to attributes.
if credentials can be carried in same field as attributes in the protocol.
  2) Context Handler-CVS: WS-Trust profile, to be written
No, it's available at http://forge.gridforum.org/sf/go/doc9011?nav=1
  3) Context Handler-PDP: proposal XACML request/response protocol proposed [Question raised regarding exactly which protocol is being referred to here. Concerns from Nate that this has been deprecated. XXX pointer?]
the current profile, available from http://forge.gridforum.org/sf/go/doc13681?nav=1 in which the XACML request context is transported to the PDP in a SAML request message. Apparently this OASIS mechanism has been deprecated because it was (wrongly) thought that no-one was using it. We thus may need to reconsider this protocol and use a different wrapper to carry the XACML contexts.
* Takuyi Mori presentation on NAREGI Authz Service and NAREGI XACML profile
  Slides will be sent to the email list
  SAML 2.0 and XACML 2.0 based
  Uses GT authz framework
  Profile between Authz service client (in GT4) and Authz CVS
  Handles VOMS ACs and passes to Authz service
  Presented mapping of attributes from X.509 EEC/VOMS AC into XACML
  Resource Attribute Filtering Mechanism (RAFM) - Reference properties, XACML profile has Subject, Resource and Action attributes
There is an issue as to how a resource's attributes are obtained by the PEP. If the user submits them to the PEP there is a potential trust issue here, and the attributes will need to be validated by the CVS. If the PEP obtains them itself from a local store this is not an issue.
* VOMS profile
  Discussed on Oct 16 telecon - minutes on list
  Meaning of the primary type must be explicit rather than implicit (as currently done via sequence)
  Awaiting response from VOMS group
* Attribute Retrieval Protocol
  Added at last meeting
  OASIS profile for SAML - Tom Scavo author
* Von Welch resignation as WG chair
  Those who are interested in replacing Von should send email to David
* Other business
  Tom Scavo: Do we need mechanism to bind SAML to X.509 (equivalent to VOMS)?
  David: 2005 X.509 has specification for binding XML to X.509, but doesn't specify XML content
  Tom Scavo to investigate how these relate.
David: VOMS is providing a standard SAML protocol interface for picking up VOMS attributes. A beta is supposed to be ready by April 2007

regards

David
--
ogsa-authz-wg mailing list
ogsa-authz-wg@ogf.org
http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
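The following is an added illustration, not part of the thread above nor any NAREGI, Globus or OGSA-Authz code. It shows the shape of an XACML 2.0 request context with Subject, Resource and Action attributes, as the NAREGI profile discussion describes, and the PEP-side handling David raises: resource attributes are taken from the PEP's own local store, while any resource attributes the requester submits are kept out of the context and returned separately so they can be sent to the CVS for validation instead. The XACML 2.0 context namespace and the subject-id, resource-id and action-id attribute identifiers are the standard ones; the VOMS FQAN attribute id, the owner-VO attribute id and the local store contents are constructed for the example.

```python
"""Build and parse an XACML 2.0 request context at a PEP.

Added example; identifiers marked "hypothetical" and the local store are
constructed for illustration and are not taken from any real profile.
"""
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
FQAN_ID = "urn:example:voms:fqan"            # hypothetical id for VOMS FQANs
OWNER_ID = "urn:example:resource:owner-vo"   # hypothetical resource attribute id

ET.register_namespace("xacml-context", XACML_CTX)

# Constructed local store: what the PEP itself knows about its resources.
LOCAL_RESOURCE_STORE = {
    "https://example.org/cluster/job-submit": {OWNER_ID: ["/atlas"]},
}


def _tag(name):
    return f"{{{XACML_CTX}}}{name}"


def _add_attribute(parent, attr_id, values):
    """Append one <Attribute> with one <AttributeValue> per value."""
    attr = ET.SubElement(parent, _tag("Attribute"),
                         AttributeId=attr_id, DataType=XS_STRING)
    for value in values:
        ET.SubElement(attr, _tag("AttributeValue")).text = value


def build_request(subject_dn, fqans, resource_id, action, user_resource_attrs):
    """Return (request_xml, rejected).

    Subject attributes come from the validated credential (DN and FQANs),
    resource attributes only from LOCAL_RESOURCE_STORE.  Anything the
    requester submitted about the resource is returned in `rejected` and
    never copied into the context; a real PEP would hand it to the CVS.
    """
    rejected = dict(user_resource_attrs)
    local_attrs = LOCAL_RESOURCE_STORE.get(resource_id, {})

    req = ET.Element(_tag("Request"))
    subject = ET.SubElement(req, _tag("Subject"))
    _add_attribute(subject, SUBJECT_ID, [subject_dn])
    if fqans:
        _add_attribute(subject, FQAN_ID, fqans)

    resource = ET.SubElement(req, _tag("Resource"))
    _add_attribute(resource, RESOURCE_ID, [resource_id])
    for attr_id, values in local_attrs.items():
        _add_attribute(resource, attr_id, values)

    act = ET.SubElement(req, _tag("Action"))
    _add_attribute(act, ACTION_ID, [action])
    ET.SubElement(req, _tag("Environment"))   # required by the 2.0 schema

    return ET.tostring(req, encoding="unicode"), rejected


def parse_request(xml_text):
    """Return {category: {attribute_id: [values]}} for a request context."""
    root = ET.fromstring(xml_text)
    parsed = {}
    for category in ("Subject", "Resource", "Action", "Environment"):
        bucket = {}
        for attr in root.iterfind(f"{_tag(category)}/{_tag('Attribute')}"):
            bucket.setdefault(attr.get("AttributeId"), []).extend(
                v.text for v in attr.iterfind(_tag("AttributeValue")))
        parsed[category] = bucket
    return parsed


if __name__ == "__main__":
    xml_text, rejected = build_request(
        "CN=alice", ["/atlas/Role=production"],
        "https://example.org/cluster/job-submit", "submit",
        {OWNER_ID: ["/cms"]})          # requester claims a different owner VO
    print(xml_text)
    print("rejected (for CVS validation):", rejected)
```

Running the module prints the request context and the requester-supplied resource attribute that was kept out of it; `parse_request` reads the context back by category so the PDP-side view can be checked.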