Notes from Joint OGSA WG AuthN/AuthZ call
OGSA AuthN/AuthZ joint call Chris David Mark Morgan Andrew Grimshaw FrankSiebenlist Jack Hiro Kishimoto Alan Sill Andreas Savva Stephen Agenda items: OGSA-AuthZ update (David Chadwick) OGSA-AuthN update (Alan Sill) David summarized the current state of the OGSA-AuthZ work. No progress or changes have taken place since OGF-20 on the document set from the AuthZ work groupl Jargon for below: PDP = policy decision point PEP = policy enforcement point PIP = policy information point GFD-66 and 67 (65?) status GFD-66 was intended to describe the relation between PDPs and PEPs Previous version of GFD-66 based on SAML 1.1 was implemented by several groups and found to be insufficient. An architecture document was written by David and others to propose 3 protocols: one for pull of credentials from an IdP or AA according to any of several protocols profiled by OASIS and others, an XACML protocol, and a credential validation service profile defined according to WS-trust. Alan requested that David get a document number for this architecture document and David agreed to move this along the path to formalization. It would be good to publish this as an informational document, with the 3 protocols pulled into separate documents. Frank said that progress at Argonne on this has been slowed by work being done for GT4.2 - all security programmers have been pulled onto that work and have not had sufficient time available for standards work. GFD-66 had value but does not extend to sufficiently realistic complex real-world use case requirements, for example validating signed credentials, interactions with PIPs, etc. For requirements gathering, David put up a wiki but got very few submissions. Stephen points out that people see a need for security but do not see the relevance of the work done here, and socialization of the work being done here is not sufficiently seen as connected to real-world needs. Alan agreed that this is an important component of the work and is exactly what Duane, mark and Andrew have been trying to do in the requirements-gathering work they have been doing for the short-term AuthN documentation work they have been done. Frank did not understand the disconnect, as the XACML work for example has been driven by strong communication between developers and community segments that have requested this work. Andrew says that the exercise of writing a use-case document has proven itself even in circumstances in which the use cases are thought to be well- known. Stephen and Alan felt this to be true even though writing such documents can be a chore. People are often stuck on simple cases when the community doing work on standards is often focused on more advanced use cases. Andrew pointed out that documenting even the simple use cases is of value and must be written down to get rid of this barrier for users; some of the work being done for the HPC profile was driven by this need. Last week David sent out a document written from the point of view of Authorization meant to match some of the current "simple AuthN" work. Mark more or less simultaneously requested such a document. Discussion followed as to whether AuthZ can be folded into the current security profile "express" documentation work being done, or instead whether another document to address "express authZ" should be written. Andrew prefers simple short documents over grand scheme documents at this stage. Another document in this series entitled "OGSA Security Profile 2.0 - Authorization" would be helpful. David agreed to look at this and will go through the current set from this perspective. Moving on to authentication topics Alan is ready now to restart work on the OGSA-AuthN topics. Motivations here include examining the technical requirements of implementations and ensuring that the documentation and standards set offered by OGSA is sufficiently flexible and well-specified to allow interoperable implementations based on different technologies. As an example, Alan asks why Ws- Security is so SOAP-oriented, when grid implementations can be written based on the same WSDL and XML that could provide code using different RPC methods? Other motivations include ensuring that Shibboleth grid integration can be done on a well-defined standards basis within OGSA, and while this is largely an AuthZ question, we need to make sure that the OGSA-AuthN pieces and basis for this work are sufficiently documented, understood and specified. A documentation call series will be started sometime in July to get this work going. Simultaneously, work should be continued to complete the "express profile" documentation series. Hiro asked about the timing of the next joint call. David has Sep. 13 down as the next joint call. Hiro offered time at the Sunnyvale F2F Aug. 13-16. Alan Sill, Ph.D TIGRE Senior Scientist, High Performance Computing Center Adjunct Professor of Physics TTU ==================================================================== : Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 : : e-mail: Alan.Sill@ttu.edu ph. 806-742-4350 fax 806-742-4358 : ====================================================================
Thanks Alan this is a very good set of minutes David Alan Sill wrote:
OGSA AuthN/AuthZ joint call
Chris David Mark Morgan Andrew Grimshaw FrankSiebenlist Jack Hiro Kishimoto Alan Sill Andreas Savva Stephen
Agenda items:
OGSA-AuthZ update (David Chadwick) OGSA-AuthN update (Alan Sill)
David summarized the current state of the OGSA-AuthZ work. No progress or changes have taken place since OGF-20 on the document set from the AuthZ work groupl
Jargon for below: PDP = policy decision point PEP = policy enforcement point PIP = policy information point
GFD-66 and 67 (65?) status GFD-66 was intended to describe the relation between PDPs and PEPs Previous version of GFD-66 based on SAML 1.1 was implemented by several groups and found to be insufficient.
An architecture document was written by David and others to propose 3 protocols: one for pull of credentials from an IdP or AA according to any of several protocols profiled by OASIS and others, an XACML protocol, and a credential validation service profile defined according to WS-trust. Alan requested that David get a document number for this architecture document and David agreed to move this along the path to formalization. It would be good to publish this as an informational document, with the 3 protocols pulled into separate documents.
Frank said that progress at Argonne on this has been slowed by work being done for GT4.2 - all security programmers have been pulled onto that work and have not had sufficient time available for standards work.
GFD-66 had value but does not extend to sufficiently realistic complex real-world use case requirements, for example validating signed credentials, interactions with PIPs, etc.
For requirements gathering, David put up a wiki but got very few submissions. Stephen points out that people see a need for security but do not see the relevance of the work done here, and socialization of the work being done here is not sufficiently seen as connected to real-world needs. Alan agreed that this is an important component of the work and is exactly what Duane, mark and Andrew have been trying to do in the requirements-gathering work they have been doing for the short-term AuthN documentation work they have been done.
Frank did not understand the disconnect, as the XACML work for example has been driven by strong communication between developers and community segments that have requested this work. Andrew says that the exercise of writing a use-case document has proven itself even in circumstances in which the use cases are thought to be well- known. Stephen and Alan felt this to be true even though writing such documents can be a chore.
People are often stuck on simple cases when the community doing work on standards is often focused on more advanced use cases. Andrew pointed out that documenting even the simple use cases is of value and must be written down to get rid of this barrier for users; some of the work being done for the HPC profile was driven by this need.
Last week David sent out a document written from the point of view of Authorization meant to match some of the current "simple AuthN" work. Mark more or less simultaneously requested such a document. Discussion followed as to whether AuthZ can be folded into the current security profile "express" documentation work being done, or instead whether another document to address "express authZ" should be written. Andrew prefers simple short documents over grand scheme documents at this stage. Another document in this series entitled "OGSA Security Profile 2.0 - Authorization" would be helpful. David agreed to look at this and will go through the current set from this perspective.
Moving on to authentication topics Alan is ready now to restart work on the OGSA-AuthN topics. Motivations here include examining the technical requirements of implementations and ensuring that the documentation and standards set offered by OGSA is sufficiently flexible and well-specified to allow interoperable implementations based on different technologies. As an example, Alan asks why Ws- Security is so SOAP-oriented, when grid implementations can be written based on the same WSDL and XML that could provide code using different RPC methods? Other motivations include ensuring that Shibboleth grid integration can be done on a well-defined standards basis within OGSA, and while this is largely an AuthZ question, we need to make sure that the OGSA-AuthN pieces and basis for this work are sufficiently documented, understood and specified. A documentation call series will be started sometime in July to get this work going.
Simultaneously, work should be continued to complete the "express profile" documentation series.
Hiro asked about the timing of the next joint call. David has Sep. 13 down as the next joint call. Hiro offered time at the Sunnyvale F2F Aug. 13-16.
Alan Sill, Ph.D TIGRE Senior Scientist, High Performance Computing Center Adjunct Professor of Physics TTU
==================================================================== : Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 : : e-mail: Alan.Sill@ttu.edu ph. 806-742-4350 fax 806-742-4358 : ====================================================================
-- ogsa-wg mailing list ogsa-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-wg
-- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 *****************************************************************
Hi All: Excellent notes Alan. My apologies for missing this discussion, but I had other obligations. I have several comments on the issues discussed (only excerpts included for brevity).
Andrew says that the exercise of writing a use-case document has proven itself even in circumstances in which the use cases are thought to be well- known.
I fully concur. Getting use-cases documented and socialized with the expected contributors/adopters is a critical step. It establishes scope, helps convey the value, and identifies the expected application of the standard.
Last week David sent out a document written from the point of view of Authorization meant to match some of the current "simple AuthN" work. ... Discussion followed as to whether AuthZ can be folded into the current security profile "express" documentation work being done, or instead whether another document to address "express authZ" should be written.
Adding such a document to the work could be reasonable. It does seem the 'express' work would benefit from writing down a defined scope for the current work to avoid incremental scope expansion.
Alan asks why Ws- Security is so SOAP-oriented, when grid implementations can be written based on the same WSDL and XML that could provide code using different RPC methods?
The question to ask here is whether grids should move toward relying on web services as the basis for interoperability? There is certainly a strong push in this direction, which I support. Web services are based on the use of SOAP messaging. WS-Security's official name is "Web Services Security: SOAP Message Security". Hence, the focus on SOAP messaging. If one wishes to use other protocols, such as RPC, there are other security standards which are appropriate.
Moving on to authentication topics Alan is ready now to restart work on the OGSA-AuthN topics.... Simultaneously, work should be continued to complete the "express profile" documentation series.
While there are certainly interesting AuthN topics to discuss which go beyond the identified 'express' work, I am very concerned about having two AuthN groups working in parallel. It has been difficult to achieve critical mass on OGF security standard's work and I fear we'll end-up with inadequate engagement on both efforts. I suggest we look seriously at combining these efforts. Is there a scope/sequencing of work which makes sense where the 'express' profiles are the first set of deliverables for a more broadly chartered group? I don't personally care if such a group is officially part of OGSA or the Security area. I raised this issue at OGF20, but haven't heard from anyone regarding their opinion on having one versus two efforts. On a separate thread, David Chadwick wrote:
Concerning the Autthz agenda item, there is no progress to report since oGF20. One thing we might like to consider is how do we engage the community more in contributing to this work, or do we just throw in our hats and say that no-one is really interested in pushing the authz work forward anymore and Alan wrote: For requirements gathering, David put up a wiki but got very few submissions. Stephen points out that people see a need for security but do not see the relevance of the work done here, and socialization of the work being done here is not sufficiently seen as connected to real-world needs.
I think we've all been disappointed by the level of participation in the AuthZ area. We really should consider whether continued work on the currently chartered documents is justified and what actions might lead to renewed interest. I've been concerned about this for a while now and have spoken with some with other security professionals about this work. The general response was apathetic. Major comments were along the lines of: - Isn't the work already being done in OASIS on WS-Trust, XACML, etc. adequate - Standards in this area aren't a priority since most customers don't care about pluggability for these types of components. I have found it difficult to present a compelling counter to such arguments.
Hiro asked about the timing of the next joint call. David has Sep. 13 down as the next joint call. Hiro offered time at the Sunnyvale F2F Aug. 13-16.
FYI, I will not be able to attend the F2F. Regards, Blair Dillaway
Blair Dillaway wrote:
...
On a separate thread, David Chadwick wrote:
Concerning the Autthz agenda item, there is no progress to report since oGF20. One thing we might like to consider is how do we engage the community more in contributing to this work, or do we just throw in our hats and say that no-one is really interested in pushing the authz work forward anymore and Alan wrote: For requirements gathering, David put up a wiki but got very few submissions. Stephen points out that people see a need for security but do not see the relevance of the work done here, and socialization of the work being done here is not sufficiently seen as connected to real-world needs.
I think we've all been disappointed by the level of participation in the AuthZ area. We really should consider whether continued work on the currently chartered documents is justified and what actions might lead to renewed interest.
I've been concerned about this for a while now and have spoken with some with other security professionals about this work. The general response was apathetic. Major comments were along the lines of: - Isn't the work already being done in OASIS on WS-Trust, XACML, etc. adequate - Standards in this area aren't a priority since most customers don't care about pluggability for these types of components. I have found it difficult to present a compelling counter to such arguments.
Excellent points. If the security area director cannot find any relevant interest within the grid community for the authz work after such thorough review, we should definitely pull the plug. Regards, Frank. -- Frank Siebenlist franks@mcs.anl.gov The Globus Alliance - Argonne National Laboratory
Frank Siebenlist wrote:
Blair Dillaway wrote:
I think we've all been disappointed by the level of participation in the AuthZ area. We really should consider whether continued work on the currently chartered documents is justified and what actions might lead to renewed interest.
I've been concerned about this for a while now and have spoken with some with other security professionals about this work. The general response was apathetic. Major comments were along the lines of: - Isn't the work already being done in OASIS on WS-Trust, XACML, etc. adequate - Standards in this area aren't a priority since most customers don't care about pluggability for these types of components. I have found it difficult to present a compelling counter to such arguments.
Excellent points.
If the security area director cannot find any relevant interest within the grid community for the authz work after such thorough review, we should definitely pull the plug.
A 'thorough review' isn't how I'd characterize this. My comments were based on conversations with several professionals who work on related security products but are not active in the OGF. Their views represent important data points, though may not be universal. I encourage all interested parties to share their views on this. Thanks, Blair Dillaway
On Jun 21, 2007, at 1:40 PM, Blair Dillaway wrote:
Excellent notes Alan.
On Jun 21, 2007, at 11:21 AM, David Chadwick wrote:
this is a very good set of minutes
Thanks. It was a broad-ranging discussion so credit goes to Andrew, David, Frank, Mark, Stephen and Hiro for pulling it together and contributing to it.
The question to ask here is whether grids should move toward relying on web services as the basis for interoperability? There is certainly a strong push in this direction, which I support. Web services are based on the use of SOAP messaging. WS-Security's official name is "Web Services Security: SOAP Message Security". Hence, the focus on SOAP messaging. If one wishes to use other protocols, such as RPC, there are other security standards which are appropriate.
I understand and agree completely, and my own grid effort (TIGRE) is based on web services-based implementations of grid services only. I simply point out that it it technically possible to take the same WSDL and XML and (in some cases automatically) generate code that can implement the same grid services through other mechanisms. Stating the standards basis for security more generally than SOAP might allow other implementations of grid services that do not rely on SOAP messaging but are otherwise perfectly usable by a give community, that's all. I admit that there is not at present a large community clamoring for such a generalization, although it is technically achievable. I also completely agree on the push to web services for grid service delivery. There are plenty of technical issues to settle even within the scope of current implementations.
While there are certainly interesting AuthN topics to discuss which go beyond the identified 'express' work, I am very concerned about having two AuthN groups working in parallel. It has been difficult to achieve critical mass on OGF security standard's work and I fear we'll end-up with inadequate engagement on both efforts. I suggest we look seriously at combining these efforts. Is there a scope/sequencing of work which makes sense where the 'express' profiles are the first set of deliverables for a more broadly chartered group? I don't personally care if such a group is officially part of OGSA or the Security area.
I raised this issue at OGF20, but haven't heard from anyone regarding their opinion on having one versus two efforts.
The efforts are already essentially combined. We pulled back on pushing the OGSA-AuthN work forward in order to be able to complete work on the current document series. My sense is that this work is now reaching a mature state and that the charter work can go forward on defining the AuthN body of work. The HPC-profile work done and now going on can be regarded as the first set of output from this combined effort. Re. AuthZ, my suggestion (as a member and not a leader of that group) would be to button up the current set of documents as mentioned, which essentaially summarize the current situation for posterity and point to the other OASIS, XACML and WS-Trust work, put out that set of documents (which have been circulated and lack only formalized status for reference by the community), and ask David to look at the express profile work as we asked in the meeting. There is important AuthZ work to do in the future, but it is not clear to me that this needs more of an OGSA basis than the work above, and my preference would be to go on to the OGSA work for standards as to what needs to go out over the wire to support AuthN. Much of the remaining work on AuthZ can be handled by the individual AuthZ communities. Alan Alan Sill, Ph.D TIGRE Senior Scientist, High Performance Computing Center Adjunct Professor of Physics TTU ==================================================================== : Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 : : e-mail: Alan.Sill@ttu.edu ph. 806-742-4350 fax 806-742-4358 : ====================================================================
Alan, Comments and questions in-line. Alan Sill wrote:
The question to ask here is whether grids should move toward relying on web services as the basis for interoperability? There is certainly a strong push in this direction, which I support. Web services are based on the use of SOAP messaging. WS-Security's official name is "Web Services Security: SOAP Message Security". Hence, the focus on SOAP messaging. If one wishes to use other protocols, such as RPC, there are other security standards which are appropriate.
I understand and agree completely, and my own grid effort (TIGRE) is based on web services-based implementations of grid services only.
I simply point out that it it technically possible to take the same WSDL and XML and (in some cases automatically) generate code that can implement the same grid services through other mechanisms.
I doubt you will find any broad interest in developing standards for this. It is certainly not a commonly used approach that people have a lot of experience with. I fear going down this path will derail the proposed AuthN work.
While there are certainly interesting AuthN topics to discuss which go beyond the identified 'express' work, I am very concerned about having two AuthN groups working in parallel.
The efforts are already essentially combined. We pulled back on pushing the OGSA-AuthN work forward in order to be able to complete work on the current document series. My sense is that this work is now reaching a mature state and that the charter work can go forward on defining the AuthN body of work. The HPC-profile work done and now going on can be regarded as the first set of output from this combined effort.
I'm confused by your statement that they are "essentially combined". Perhaps you and Andrew can clarify? The scope and technical approach for the 'express' profile work is still being discussed, so it doesn't seem to be in a mature state. The plan seems to be to continue the 'express' work in parallel with a separate OGSA AuthN charter discussion. I'm still concerned potential AuthN contributors will have trouble engaging with two independent efforts, to the detriment of both. The HPCP work can certainly be seen as a precursor, but is an independent effort which is not an OGSA specification. Regards, Blair Dillaway
participants (4)
-
Alan Sill -
Blair Dillaway -
David Chadwick -
Frank Siebenlist