Hi Tom Tom Scavo wrote:
At a recent OGF AuthZ WG meeting (OGF19 or 20, I forget, but it's in the minutes), I mentioned the need for an X.509 Binding for SAML Assertions. We do this already in Globus CAS and GridShib, but it needs to be vetted and refined.
At OGF 20 we revisited this issue and agreed that we need one for SAML Attribute Assertions (but note, not for SAML Authz Decision Statements or Authn assertions, just for the attributes in order to be able to pull them).
I recently learned about a project in EU that is binding XACML to X.509, so perhaps we need a more general X.509 Binding for XML with separate profiles for SAML, XACML, and so forth.
Do you have the name of this project? Its not EGEE is it?
Once we have a standard X.509 Binding,
and the purpose of this would be to remove the use of SSL/TLS?? and to bind at the application layer rather than the transport layer? we can profile attribute-based
authz using both pushed and pulled SAML assertions. We've implemented a prototype along these lines and numerous issues have come up, which need vetting and further discussion.
When you say SAML assertions, this is too generic, since there are three types of assertions. Which ones do you mean?
And finally there is the wholly unexplored territory of proxied SAML assertions, which most people believe are necessary to bridge campuses and grids, but there's absolutely no agreement how this should be done.
You are correct. Proxying is another ball game. Which brings its own problems and conflicts (such as wanting authoritative assertions signed by their sources on the one hand, but going via a proxy and not knowing who the source is, on the other). What we need to do I believe is i) specify the protocols that are needed regardless of the bindings (so that the same XML constructs can be passed via a Java API, an SSL session, an X.509 binding or whatever). So far we have identified 3 of these, one for pulling attribute assertions, one for validating credentials and one for getting an authz decision. ii) specify a set of bindings that should be supported for the above. regards David
Tom Scavo NCSA
On 6/25/07, Blair Dillaway <blaird@microsoft.com> wrote:
I don't remember any serious discussion of chartering work in this area, either within the AuthZ WG or elsewhere. So I can only surmise people haven't felt this area is adequately mature. The sessions Von hosted on Grid-Shib technology at OGF's last year certainly indicated a diverse set of approaches were being explored.
Did you and Von discuss this in drafting the current charter? Do you believe things have evolved to the point where we could build critical mass around work in this area? (Of course, I'd love to hear from anyone who thinks the OGF should be doing work in this area.)
Regards, Blair
David Chadwick wrote:
Hi Blair
Interestingly there is one aspect of authz that has a significant amount of user interest and that is merging attributes from Shibboleth and Grids to be used together for authz decision making. But this is currently not within the scope of the OGF OGSA Authz group's work plan. So what does this indicate?
regards
David
***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5
*****************************************************************
-- ogsa-authz-wg mailing list ogsa-authz-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
-- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 *****************************************************************