Security and related activities at OGF24: an overview
OGF24: Bustling with Security Activities

In a mere few weeks OGF24 will be held in Singapore. A compact meeting, it is packed with quite a few interesting security and related sessions. If you did not plan to come, maybe these still entice you to travel to Singapore:

A jointly coordinated session with GIN will focus on how to restrict delegation. In the GIN grid deployments, restricting what somebody (or a process) can do is gaining prominence, and how to design such restrictions when delegating credentials (both when using proxies and in a SAML context) is something the GIN group wants to know. On the one hand this of course includes the syntax and technical mechanisms, and based on current standards and developments this might be addressed in the short term. But how to interpret such restrictions in a common way? If a policy is defined to restrict access to a service or service method, will the implementations of such a service react in a similar way? This session should lead the way for a new working (or research?) group to address these topics.

Also at OGF24, the OGSA-AuthZ WG will be discussing the feedback received on the "Functional Components of Grid Service Provider Authorisation Service Middleware" document, which completed its public comment on August 28th, and the "Use of XACML Request Context to Obtain an Authorisation Decision" (completed PC on Aug 13), and will review the ongoing comments on the remaining proposed recommendations:

- Use of SAML to retrieve Authorization Credentials
- WS-TRUST and SAML to Access a Credential Validation Service

This suite of four documents provides a complete view on the internals of authorization, and your contributions are welcome to ensure that the documents reflect your needs.

As a follow-up to the Firewall Issues RG, a new working group "Firewall Virtualization for Grid Applications" has been started to standardize a set of service definitions for a virtualized control interface into firewalls and other mid-boxes, allowing the grid applications to securely and dynamically request application/workflow-specific services from those devices, for the duration of the service.

The CA Operations WG, jointly with the IGTF, organises a full-day workshop focussing on a wide range of authentication and identity management issues. On the technical side these include the definition of signing namespace constraints by relying parties, guidelines for auditing CAs, authentication service profiles, and the profile defining trust in higher-level CAs. More on the policy side, issues such as risk assessment and incident response in the IGTF community, and the management of revocation will be discussed. The Levels of Authentication Assurance (LoA) RG merged with CAOPS in OGF23, with the document "A Gap Analysis of Current LoA Definitions vs. LoA Requirements in e-Science/Grid Context" available for discussion.

For the operational security side: have a look at the BoF on Intrusion detection in Grid Computing for security issues in grid computing networks and proposed possible solutions using intrusion detection/prevention systems.

Lastly, you have probably realised that the vacant spot left by Blair Dillaway as security AD (whose term ended in March) has still not been filled. To remedy this very unfortunate situation, please think hard about who you consider to be a suitable candidate (and that may be yourself!), and contact the OGF NOMCOM or the chair Neil Chue Hong directly. See http://www.ogf.org/nomcom/ for details about the NOMCOM process and for an application form. A healthy security area and the security activities in OGF merit a full complement of security ADs to ensure continuity past 2009!

I hope to see many of you in Singapore.

Best Regards,
David Groep.

--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **