Hi All: Excellent notes, Alan. My apologies for missing this discussion, but I had other obligations. I have several comments on the issues discussed (only excerpts included for brevity).
Andrew says that the exercise of writing a use-case document has proven itself even in circumstances in which the use cases are thought to be well-known.
I fully concur. Getting use-cases documented and socialized with the expected contributors/adopters is a critical step. It establishes scope, helps convey the value, and identifies the expected application of the standard.
Last week David sent out a document written from the point of view of Authorization meant to match some of the current "simple AuthN" work. ... Discussion followed as to whether AuthZ can be folded into the current security profile "express" documentation work being done, or instead whether another document to address "express authZ" should be written.
Adding such a document to the work could be reasonable. It does seem the 'express' work would benefit from writing down a defined scope for the current work to avoid incremental scope expansion.
Alan asks why WS-Security is so SOAP-oriented, when grid implementations can be written based on the same WSDL and XML that could provide code using different RPC methods?
The question to ask here is whether grids should move toward relying on web services as the basis for interoperability? There is certainly a strong push in this direction, which I support. Web services are based on the use of SOAP messaging. WS-Security's official name is "Web Services Security: SOAP Message Security". Hence, the focus on SOAP messaging. If one wishes to use other protocols, such as RPC, there are other security standards which are appropriate.
Moving on to authentication topics Alan is ready now to restart work on the OGSA-AuthN topics.... Simultaneously, work should be continued to complete the "express profile" documentation series.
While there are certainly interesting AuthN topics to discuss which go beyond the identified 'express' work, I am very concerned about having two AuthN groups working in parallel. It has been difficult to achieve critical mass on OGF security standards work and I fear we'll end up with inadequate engagement on both efforts. I suggest we look seriously at combining these efforts. Is there a scope/sequencing of work which makes sense where the 'express' profiles are the first set of deliverables for a more broadly chartered group? I don't personally care if such a group is officially part of OGSA or the Security area. I raised this issue at OGF20, but haven't heard from anyone regarding their opinion on having one versus two efforts. On a separate thread, David Chadwick wrote:
Concerning the AuthZ agenda item, there is no progress to report since OGF20. One thing we might like to consider is how do we engage the community more in contributing to this work, or do we just throw in our hats and say that no-one is really interested in pushing the authz work forward anymore.

and Alan wrote:

For requirements gathering, David put up a wiki but got very few submissions. Stephen points out that people see a need for security but do not see the relevance of the work done here, and socialization of the work being done here is not sufficiently seen as connected to real-world needs.
I think we've all been disappointed by the level of participation in the AuthZ area. We really should consider whether continued work on the currently chartered documents is justified and what actions might lead to renewed interest. I've been concerned about this for a while now and have spoken with some other security professionals about this work. The general response was apathetic. Major comments were along the lines of:

- Isn't the work already being done in OASIS on WS-Trust, XACML, etc. adequate?
- Standards in this area aren't a priority since most customers don't care about pluggability for these types of components.

I have found it difficult to present a compelling counter to such arguments.
Hiro asked about the timing of the next joint call. David has Sep. 13 down as the next joint call. Hiro offered time at the Sunnyvale F2F Aug. 13-16.
FYI, I will not be able to attend the F2F. Regards, Blair Dillaway