Hi Chris and Bill, Thank you very much for your notes. Based on the discussion we've had July 2 call, Andrew is now collecting *real* Kerberos use case. We would very much appreciate if you could give us ones. Draft minutes from July 2nd.
- A question for the group: Would it be a good idea to also profile a Kerberos message-level binding assertion policy within the OGSA-SPSecureSoapMessaging profile? The document currently profiles X.509 and Username Token binding policies, primarily because of their widespread use / ease-of-adoption. Thoughts? o Technically reasonable – potential warning of complications when trying to merge capabilities (scope creep). However suggest that if your service requires Kerberos, then the profile would state how a Kerberos message would be handled. o Consensus: After a SAML discussion, agreed to leave SAML out of express AuthN for now
- Use-case discussion o Use-Case discussions regarding interactions between different Grid systems, having gone through X.509 adoption….might have been happy to just use Kerberos. Depends on domain, as cross-domains can be difficult, in which case X.509 might be better – would like to hear from Enterprise Grids. Which portions of system? Integration is important (flexibility). - Andrew proposes: Proceed along current course while reaching out to communities to determine Kerberos usage and need for inclusion or separate document. o Consensus: Sounds reasonable. (6:33pm).
https://forge.gridforum.org/sf/go/doc14654 Thanks again, ---- Hiro Kishimoto -------- Original Message -------- Subject: Re:[ogsa-wg] Updated Express AuthN Profile docs From: <bill@computer.org> To: 'ogsa-wg' <ogsa-wg@ogf.org> Date: 2007/07/04 2:00
Hi,
I agree -- the real use case for us involves forwarding tokens too.
Best regards,
- bill
-----Original Message----- From: ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] On Behalf Of Christopher Smith Sent: Tuesday, July 03, 2007 8:58 AM To: Blair Dillaway; Duane Merrill; ogsa-wg Subject: Re: [ogsa-wg] Updated Express AuthN Profile docs
I, for one, am interested in a profile like this. The Kerberos Token Profile seems fine for the authentication step, but one of our main use cases is the forwarding of Kerberos tokens for subsequent use in the environment of jobs and the like, and I don't think the Kerberos Token Profile covers this at all.
-- Chris
On 02/7/07 14:51, "Blair Dillaway" <blaird@microsoft.com> wrote:
Duane Merrill wrote:
A question for the group: Would it be a good idea to also profile a Kerberos message-level binding assertion policy within the It might be a good idea and provide value to the community. Before we decide, I think we need to get a better sense of how important a new Kerberos interoperability profile is from the people who deploy and/or provide solutions for organizational grids where Kerberos is already present. If you're in one of these categories, your input would be appreciated.
Are there specific grid scenarios where supporting a Kerberos message authentication option is critical? Do you feel the existing OASIS "Web Services Security Kerberos Token Profile v1.1" specification an adequate basis for grid web services interoperability?
Regards, Blair Dillaway
-- ogsa-wg mailing list ogsa-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-wg
-- ogsa-wg mailing list ogsa-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-wg
-- ogsa-wg mailing list ogsa-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-wg