Hi Donal,

Donal K. Fellows wrote:
Blair Dillaway wrote:
I think we've all been disappointed by the level of participation in the AuthZ area. We really should consider whether continued work on the currently chartered documents is justified and what actions might lead to renewed interest.
I've been concerned about this for a while now and have spoken with some other security professionals about this work. The general response was apathetic.
That's worrying, but not surprising. While I'm in a project with some very good security people, they're not interested in doing standards work *at all* at the moment. :-\
This is one of the problems. I believe that your project is more representative of the vast majority of projects, rather than my projects which always try to contribute towards the standardisation effort.
- Isn't the work already being done in OASIS on WS-Trust, XACML, etc. adequate
It would be nice if we could operate as profiles on those other specs.
but this is PRECISELY what we are doing in the OGSA Authz group. We are specifying profiles of XACML, SAML and WS-Trust. It is only by implementing common profiles that we can gain interoperability.
If we can't (and the only way we can tell is by thorough analysis of our use-cases, which are certainly fairly sophisticated when we start to think about multi-partner collaborations) then it is incumbent upon us to feed back this information to the OASIS guys.
If you don't want the OGF to produce profiles for grids, then we should indeed shut down the OGSA Authz group and join OASIS to specify our profiles there. Is this what you are suggesting?
- Standards in this area aren't a priority since most customers don't care about pluggability for these types of components.
My impression (as someone only intermittently involved) has been that it is horrendously difficult even to do the basic stages of interoperable AuthN, so the higher-level aspects (such as *all* of AuthZ!) have been largely ignored.
This is not my experience. We successfully specified the OGSA SAML Authz profile (GFD.66), implemented it in PERMIS, GT3 and 4, Primea (and more) and successfully performed interworking tests. It was not a painful experience at all. On the contrary it was very informative.

This suggests to me that a valuable way forward would be to put effort into trying to make these basic things work, which is very much the focus of the OGSA Express work. Maybe the advanced things are more academically interesting, but without the interoperable basic parts, it's suspiciously like a castle in the air.

Actually it is possible to do the two in parallel (Authn and Authz) since they are to some extent orthogonal. In fact you can use proprietary Authn procedures with standard Authz profiles quite successfully. So it is not a fixed sequential process.

regards

David

(There are many parallels with other parts of OGSA, such as in execution management where the really interesting things are in areas like reservations, but much needed to be worked on first so that the foundations could be built on which the fun stuff rests.)
Donal.

--
ogsa-wg mailing list
ogsa-wg@ogf.org
http://www.ogf.org/mailman/listinfo/ogsa-wg

--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************