Hi Richard,
Thanks for your input. Since you are speaking as a potential adopter of security technology, I find your desire for implementations you can evaluate to be important. It is at least one data point indicating the community doesn't have adequate experience in applying these technologies to be confident we know what to standardize. If true, OGF can still play an important role in providing a forum for discussing technical approaches and implementation experiences. An RG is the most appropriate type of group to drive this.
Couple of other comments below.
Richard Sinnott wrote:
Case in point on the recent thread between David and Tom on how to use SAML AuthZ statements vs XACML contexts etc. How many folk in OGF-land are able to decide on the advantages/disadvantages of these things?
Based on past OGF security sessions, there are a fairly substantial number of people involved in OGF who have expertise in these areas. They are the ones who need to engage if an activity (RG or WG) is to be formed. Based on the differences of opinion David and Tom have expressed in the recent messages, I think we need to be seriously asking if a WG or RG would be the most appropriate way to engage on this topic.
but it is only when these things have been implemented by the likes of the Globus and PERMIS teams for example,
As Tom noted, Globus CAS and GridShib have already implemented an approach to binding SAML assertions with X.509 that needs to be "vetted and refined". Getting NeSC, and others, to look at this work and provide feedback would certainly be valuable to the security community.
I am not sure how mature the Shibboleth/authZ has to be in order to be explored within OGF.
There is no specific requirement here, especially for research oriented activities. The question is do we have the experience and consensus to be producing a standard that will support interoperable implementations. Standards development is the focus of OGF WGs.
Regards,
Blair Dillaway