Hi Olle,

Your comments are valid but you have misinterpreted my email to Hiro. My replies are inline below.

Olle Mulmo wrote:
David,
As AD in charge but also as WG member (well, at least close observer and provider of feedback) I feel a bit out of touch. But there are also some more serious process issues here.
My take-home message from our last session in Athens was that we did not ratify the new charter (which includes the documents you mentioned below), but rather that we need to get the production grids in the loop to provide real-world minimum requirements for the next-generation of the specs, as that was regarded as a prerequisite.
This is correct. What we did not do at the meeting, however, was place any actions on anyone in particular to get the production grids into the loop. So because of this, I am not sure who has taken this responsibility onto themselves at the GGF level. Personally I don't have any contacts with international production grids, so I am not the best person to do it. In the UK, I have been trying to do this, in a new NoE that I have been working on (you got a copy of this I believe, I am still waiting for your comments :-).
Since then, I haven't seen any action on the ogsa-authz mailing list and I assumed that other, non-GGF related, chores had taken overhand (as it often does for periods of time). But surely, the production of two "nearly finished" documents ought to have generated at least some traffic

This is where you have misread my email. I said that I have nearly finished a couple of docs, but I did not say that the docs were the final versions to be ratified by the GGF, which is what you have assumed. In fact the docs are meant to be the FIRST DRAFTS to be discussed by the GGF. It is not possible to have meaningful discussions until some strawman drafts are on the table for discussion, and that is what we have been working on.

("FYI, I'm doing this, here's an early draft, tell me whether I'm on the right track or not") and not appear as a surprise to all of us close to the finish line. Or perhaps I'm misinterpreting your email?

Yes, unfortunately you are. We are preparing the first drafts to go into the GGF process for discussion and revision.
In any case, this WG _still_ does not have an approved charter, and we need to fix that. Badly.
Ok, let's talk about this offline.

David
/Olle
On Apr 3, 2006, at 11:55, David Chadwick wrote:
Hi Hiro,
I am actually at the NIST PKI workshop in Washington this week, and fly home on Thursday night. So I will be travelling from about lunchtime on Thursday (Eastern Time).
Here is an update for you. I have nearly finished a couple of docs to present to the next GGF OGSA meeting to replace the current OGSA-SAML profile. One is based on XACML and is a PDP-PEP interface. The other is based on WS-Trust/SAML and is a PIP(CVS)-PEP interface. The existing OGSA-SAML spec is an interface to a combined PIP(CVS)/PDP, but as we know it has severe limitations.
Regards,
David
Hiro Kishimoto wrote:
Hi Alan, David, Von and Mary,

Is it possible to have a one hour joint call between OGSA-AuthZ WG and OGSA-WG next Thursday, April 6? OGSA-WG will have a F2F meeting next week in the San Francisco Bay Area and Frank Siebenlist will lead this security session on Thursday.
https://forge.gridforum.org/projects/ogsa-wg/document/2006Apr-OGSA-F2F-agenda

I would like to proceed with our previous discussion in January. Please have a look into the attached meeting minutes from the Jan 19 joint call. If David can make it, we can talk 1-2pm PDT (= 9-10pm UK = 5-6am JST), same as January.

Please let me know your availability and agenda items you want to discuss.

Thanks in advance,

------------------------------------------------------------------------
OGSA January 2006 Interim Meeting
=================================
Location: Sunnyvale, CA
Date: 19/1/2006, afternoon

* Attendees
Hiro Kishimoto
Dave Snelling
Jem Treadwell
Andreas Savva
Fred Maciel
Darren Pulsipher
Chuck Spitx
Fred Brisard
Ravi Subramaniam
Dave Berry
Steve McGough
Neil Chue Hong
Takuya Mori
Frank Siebenlist
Jay Unger
Bridge: Alan Sill, David Chadwick
Notes: Andreas Savva

See also Security agenda ppt: https://forge.gridforum.org/projects/ogsa-wg/document/ogsa-security-session/en/1

* Security - OGSA AuthZ joint discussion
- "Use of SAML" document finished public comment with no comments
  - Many people have looked at it. One minor change and expect it to be published, but not sure when.
- OGSI Authorization Requirements: 1 comment
- Attributes ?
- Charter revision
  - Looked at revised charter
  - Hiro explained procedure for getting approval: circulate within WG and if happy with level of support send to ADs; otherwise do a BoF.
  - New charter output: 2 new versions
    - Authorization document
    - (The attributes document is not mentioned)
  - The milestones are not clear.
- Everyone is doing their own solution in the authorization area; no attempt to reach consensus on a common approach. Perhaps this is the reason why some of the docs received no comments. It is a problem but there is no solution.
- There is real difficulty with getting buy-in from major grid projects. Even if they say ok on the charter it does not mean they will contribute actively.
- Takuya has contacted NAREGI. Alan also asked about PRAGMA. Takuya agreed to contact PRAGMA as well.
- There is a Grid Interop at the next GGF16. Alan unfortunately cannot make GGF16.
- Hiro's issue: how to combine security protocols (authorization) with service invocation?
  - Cannot tell people how to do authorization. Also do not want to create refined schemas because the semantics attached to the schema by different organizations may be different.
  - So focus not on attribute description but on the information about what are the required attributes by the services. (Analogy with card tokens; tokens are different but using a token may be a common point.)
  - Attribute information is dependent on the issuer. The proposal is not to try to map attributes between schemas but just to facilitate the exchange of what schemas are supported and can be used for authentication.
  - If no attribute mapping is attempted then cross-site auditing or logging isn't possible.
    - It is out of scope of OGSA AuthZ

* Security - Review of Basic Security Profile -- Secure Channel
- Just doing secure channel (point to point) and looking towards end-to-end (MLS) eventually. Performance of MLS is an issue. (Also need a way to describe policy and name entities and ...)
- Note that this is point-to-point and not host-to-host.
- There is a bigger problem that needs solving (...) and this [profile] is the first step towards that goal (a bootstrap step).
- This profile says nothing about what is an authenticated entity. It may be a next step.
- Action: To add an example of how the keyinfo exchange (core) is used with the secure channel profile
- Action: Since Secure Channel should be composed with a Core it should not expose the BasicSecurity claim. Only Core should do that.
- Update and aim for a final call by the end of the month

* Security - Review of Basic Security Profile - Core
- 1.2: This profile is not extending the WS-I Basic Profile
- 1.2: Generalize the statement discussing the security profiles that can be combined with this profile.
- Agreed that this profile will not expose an anonymous channel claim URI. An anonymous channel profile should be defined as a separate document.
  - The important point is that it can be done with the current document structure. It may be left to the people who want it to actually do it.
- Need to expose the extensibility elements in referenced specs
- Need to address (at some point) how information on what features are required or supported.

* Future plans
Discussed plans for security design team and prioritized work:
- 1 Work on a Security architecture
- 2 How to combine security functions (security context) with functional interfaces.
- 3 MLS profile
- 4 Issues raised by OGSA-Data wg and collaboration
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************