With regard to some of Blair's comments:
[Primer]
>>> “OGSA security model addresses trust management via the profiling of
>>> mechanisms defined in the WS-Trust specification in order to realize trust
>>> relationships as rules and policies for mapping identities and credentials
>>> among the involved organization domains."
[Blair's comments]
> WS-Trust focuses on a protocol for obtaining, exchanging, validating, …
> security tokens. Section 2 briefly discusses trust policies and mentions
> some mechanism for establishing the base trust policy. These are,
> however, non-normative and not required by WS-Trust. It also doesn’t
> address issuance policy at a token service. So it's not really a sufficient
> basis for establishing “trust relationships as rules and policies”.
WS-Trust doesn't establish relationships, it helps realize established relationships. This sentence is basically saying that:
- WS-Trust establishes the notion of token services
- Token services are useful for mapping identities and credentials among security domains
- The mapping of identities and credentials is the realization/incarnation of trust relationships
- Vague hinting that the model will incorporate the profiling of WS-Trust to establish more normative behavior
[Blair's comments cont'd.]
> I find it surprising the subject of delegation of access rights isn’t even mentioned.
Aren't we just assuming everyone will use SecPAL assertions?
Honestly, one might argue that delegation of access rights should be treated in the same vein as security token types; claims of delegation criteria will probably have to be federated in a similar vein as tokens themselves. Thus delegation is tossed in with security policy & credential mechanism: all to be the responsibility of the service providers and profiled in the common-cases by the OGSA security architecture.
-Duane
----- Original Message -----
Sent: Friday, October 05, 2007 7:29 PM
Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
> Hi all,
>
> I have reviewed the latest draft and posted my comments into the tracker. I assigned the item to Andreas assuming he'd know who'd be interested in comments on the different sections.
>
> Regards,
> Blair
>
>> -----Original Message-----
>> From: ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] On Behalf Of Andreas Savva
>> Sent: Wednesday, October 03, 2007 6:39 PM
>> To: Hiro Kishimoto; Alan Sill
>> Cc: ogsa-wg@ogf.org
>> Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
>>
>> After the last Primer review I created an issue tracker. Please post
>> issues relating to this document to
>> https://forge.gridforum.org/sf/tracker/do/listArtifacts/projects.ogsa-wg/tracker.ogsa_primer
>>
>> Also the latest version of the document may be retrieved from
>> https://forge.gridforum.org/sf/go/doc14408?nav=1
>>
>> Thanks Duane for uploading.
>>
>> Andreas
>>
>> Hiro Kishimoto wrote:
>> > Thanks Alan,
>> >
>> > Please provide your feedback to Duane and Andrew.
>> > We will review revised document on Oct. 19 (Fri) at
>> > OGSA-WG F2F meeting in OGF21 Hotel. Please join us in
>> > person or dial-in.
>> >
>> > http://www.google.com/calendar/embed?src=ogsa.wg%40gmail.com
>> >
>> > Thanks,
>> > ----
>> > Hiro Kishimoto
>> >
>> > -------- Original Message --------
>> > Subject: Re:[ogsa-wg] OGSA Primer Newest Latest draft - v5
>> > From: Alan Sill <Alan.Sill@ttu.edu>
>> > To: Duane Merrill <dgm4d@virginia.edu>
>> > Cc: ogsa-wg@ogf.org
>> > Date: 2007/10/03 23:05
>> >
>> >> I am traveling today and tomorrow and will miss this discussion. I
>> >> do intend to contribute something in this area soon.
>> >>
>> >> I think the direction that has been started with the Express Profile,
>> >> including work to allow SSL/TLS and possibly Kerberos communications,
>> >> as examples, and to allow services to "express" the AuthN methods
>> >> that they respect, and can use, is potentially very important, and
>> >> with some work, might find real-world use case possibilities in the
>> >> not too distant future. (I realize that this was not the sense of
>> >> "express" meant here, but could not resist the pun.) There are some
>> >> projects of which I am aware that could use exactly this feature in
>> >> the near future. So just wanted to encourage work to continue in
>> >> this area.
>> >>
>> >> Alan
>> >>
>> >> On Oct 1, 2007, at 3:04 PM, Duane Merrill wrote:
>> >>
>> >>> Everyone, I have updated the primer document to include a draft of
>> >>> Section 3.5: Security. I realize that it is always tenuous to
>> >>> submit a large section to a document hours before it is up for
>> >>> review, and I apologize. If anyone has the time to inspect the new
>> >>> section, feedback and suggestions this evening would be fantastic.
>> >>> I've uploaded it to Gridforge as v.5 and attached it to this mail
>> >>> as well.
>> >>>
>> >>> Duane
>> >>>> ----- Original Message -----
>> >>>> From: Andrew Grimshaw
>> >>>> To: ogsa-wg@ogf.org
>> >>>> Sent: Thursday, September 20, 2007 12:34 PM
>> >>>> Subject: [ogsa-wg] Latest draft - v4
>> >>>>
>> >>>> All,
>> >>>>
>> >>>> Attached is the latest draft of the primer. Most of the pieces are
>> >>>> now in place. We still need sections 3.4-3.7, and of course
>> >>>> reviews by people. The section on the data center use case is
>> >>>> waiting for whoever wanted it in there to write it.
>> >>>>
>> >>>> The adoption section I'd like to talk about in a conference call
>> >>>> to make sure it is a) correct, and b) saying what we want it to say.
>> >>>>
>> >>>> Summary will wait till the end.
>> >>>>
>> >>>> A
>> >>>>
>> >>> <OGSA Primer -v5.doc>
>>
>> --
>> Andreas Savva
>> Fujitsu Laboratories Ltd
>>
>> --
>> ogsa-wg mailing list
>> ogsa-wg@ogf.org
>> http://www.ogf.org/mailman/listinfo/ogsa-wg