
All,
Attached is the latest draft of the primer. Most of the pieces are now in place. We still need sections 3.4-3.7, and of course reviews by people. The section on the data center use case is waiting for whoever wanted it in there to write it.
The adoption section I'd like to talk about in a conference call to make sure it is a) correct, and b) saying what we want it to say.
Summary will wait till the end.
A

Everyone,
I have updated the primer document to include a draft of Section 3.5: Security. I realize that it is always tenuous to submit a large section to a document hours before it is up for review, and I apologize. If anyone has the time to inspect the new section, feedback and suggestions this evening would be fantastic. I've uploaded it to Gridforge as v.5 and attached it to this mail as well.
Duane
----- Original Message ----- From: Andrew Grimshaw <grimshaw@virginia.edu> To: ogsa-wg@ogf.org Sent: Thursday, September 20, 2007 12:34 PM Subject: [ogsa-wg] Latest draft - v4
------------------------------------------------------------------------ -- ogsa-wg mailing list ogsa-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-wg

I am traveling today and tomorrow and will miss this discussion. I do intend to contribute something in this area soon.
I think the direction that has been started with the Express Profile, including work to allow SSL/TLS and possibly Kerberos communications, as examples, and to allow services to "express" the AuthN methods that they respect, and can use, is potentially very important, and with some work, might find real-world use case possibilities in the not too distant future. (I realize that this was not the sense of "express" meant here, but could not resist the pun.) There are some projects of which I am aware that could use exactly this feature in the near future. So just wanted to encourage work to continue in this area.
Alan
On Oct 1, 2007, at 3:04 PM, Duane Merrill wrote:
Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics, TTU
Alan Sill, Texas Tech University, Office: Admin 233, MS 4-1167
e-mail: Alan.Sill@ttu.edu, ph. 806-742-4350, fax 806-742-4358

Thanks Alan,
Please provide your feedback to Duane and Andrew. We will review the revised document on Oct. 19 (Fri) at the OGSA-WG F2F meeting in the OGF21 Hotel. Please join us in person or dial-in.
http://www.google.com/calendar/embed?src=ogsa.wg%40gmail.com
Thanks,
---- Hiro Kishimoto
-------- Original Message -------- Subject: Re:[ogsa-wg] OGSA Primer Newest Latest draft - v5 From: Alan Sill <Alan.Sill@ttu.edu> To: Duane Merrill <dgm4d@virginia.edu> Cc: ogsa-wg@ogf.org Date: 2007/10/03 23:05

After the last Primer review I created an issue tracker. Please post issues relating to this document to https://forge.gridforum.org/sf/tracker/do/listArtifacts/projects.ogsa-wg/tra...
Also the latest version of the document may be retrieved from https://forge.gridforum.org/sf/go/doc14408?nav=1
Thanks Duane for uploading.
Andreas
Hiro Kishimoto wrote:
-- Andreas Savva Fujitsu Laboratories Ltd

Hi all,
I have reviewed the latest draft and posted my comments into the tracker. I assigned the item to Andreas assuming he'd know who'd be interested in comments on the different sections.
Regards,
Blair
-----Original Message----- From: ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] On Behalf Of Andreas Savva Sent: Wednesday, October 03, 2007 6:39 PM To: Hiro Kishimoto; Alan Sill Cc: ogsa-wg@ogf.org Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
After the last Primer review I created an issue tracker. Please post issues relating to this document to https://forge.gridforum.org/sf/tracker/do/listArtifacts/projects.ogsa-wg/tracker.ogsa_primer
Also the latest version of the document may be retrieved from https://forge.gridforum.org/sf/go/doc14408?nav=1
Thanks Duane for uploading.
Andreas

With regard to some of Blair's comments:
[Primer]
"OGSA security model addresses trust management via the profiling of mechanisms defined in the WS-Trust specification in order to realize trust relationships as rules and policies for mapping identities and credentials among the involved organization domains."
[Blair's comments]
WS-Trust focuses on a protocol for obtaining, exchanging, validating, ... security tokens. Section 2 briefly discusses trust policies and mentions some mechanism for establishing the base trust policy. These are, however, non-normative and not required by WS-Trust. It also doesn't address issuance policy at a token service. So it's not really a sufficient basis for establishing "trust relationships as rules and policies".
WS-Trust doesn't establish relationships, it helps realize established relationships. This sentence is basically saying that:
a. WS-Trust establishes the notion of token services
b. Token services are useful for mapping identities and credentials among security domains
c. The mapping of identities and credentials is the realization/incarnation of trust relationships
d. Vague hinting that the model will incorporate the profiling of WS-Trust to establish more normative behavior
[Blair's comments con't.]
I find it surprising the subject of delegation of access rights isn't even mentioned.
Aren't we just assuming everyone will use SecPAL assertions? Honestly, one might argue that delegation of access rights should be treated in the same vein as security token types; claims of delegation criteria will probably have to be federated in a similar vein as tokens themselves. Thus delegation is tossed in with security policy & credential mechanism: all to be the responsibility of the service providers and profiled in the common cases by the OGSA security architecture.
-Duane
----- Original Message ----- From: "Blair Dillaway" <blaird@microsoft.com> To: <ogsa-wg@ogf.org> Sent: Friday, October 05, 2007 7:29 PM Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5

"OGSA Security" has the challenge of asserting and showing relevance to the broader community; just assuming relevance is a mistake in my opinion. One way to assert relevance is to clearly identify requirements that are arguably unique to "OGSA Security". To state that delegation is to be merely implicitly "tossed in with security policy and credential management" is a mistake and fails to exploit an obvious opportunity to directly assert relevance. -- Marty From: ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] On Behalf Of Duane Merrill III Sent: Friday, October 12, 2007 3:49 AM To: Blair Dillaway; ogsa-wg@ogf.org Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5 With regard to some of Blair's comments: [Primer]
"OGSA security model addresses trust management via the profiling of
mechanisms defined in the WS-Trust specification in order to realize trust
relationships as rules and policies for mapping identities and credentials
among the involved organization domains."
[Blair's comments]
WS-Trust focuses on a protocol for obtaining, exchanging, validating, .
security tokens. Section 2 briefly discusses trust policies and mentions
some mechanism for establishing the base trust policy. These are,
however, non-normative and not required by WS-Trust. It also doesn't
address issuance policy at a token service. So its not really a sufficient
basis for establishing "trust relationships as rules and policies".
WS-Trust doesn't establish relationships, it helps realize established relationships. This sentence is basically saying that: * WS-Trust establishes the notion of token services * Token services are useful for mapping identities and credentials among security domains * The mapping of identities and credentials is the realization/incarnation of trust relationships * Vague hinting that the model will incorporate the profiling of WS-Trust to establish more normative behavior [Blair's comments con't.]
I find it surprising the subject of delegation of access rights isn't even mentioned.
Aren't we just assuming everyone will use SecPAL assertions? Honestly, one might argue that delegation of access rights should be treated in the same vein as security token types; claims of delegation criteria will probably have to be federated in a similar vein as tokens themselves. Thus delegation is tossed in with security policy & credential mechanism: all to be the responisibility of the service providers and profiled in the common-cases by the OGSA security architecture. -Duane ----- Original Message ----- From: "Blair Dillaway" < <mailto:blaird@microsoft.com> blaird@microsoft.com> To: < <mailto:ogsa-wg@ogf.org> ogsa-wg@ogf.org> Sent: Friday, October 05, 2007 7:29 PM Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
Hi all,
I have reviewed the latest draft and posted my comments into the tracker. I assigned the item to Andreas assuming he'd know who'd be interested in comments on the different sections.
Regards, Blair
-----Original Message----- From: <mailto:ogsa-wg-bounces@ogf.org> ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] On Behalf Of Andreas Savva Sent: Wednesday, October 03, 2007 6:39 PM To: Hiro Kishimoto; Alan Sill Cc: <mailto:ogsa-wg@ogf.org> ogsa-wg@ogf.org Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
After the last Primer review I created an issue tracker. Please post issues relating to this document to <https://forge.gridforum.org/sf/tracker/do/listArtifacts/projects.ogsa> https://forge.gridforum.org/sf/tracker/do/listArtifacts/projects.ogsa- wg/tracker.ogsa_primer
Also the latest version of the document may be retrieved from <https://forge.gridforum.org/sf/go/doc14408?nav=1> https://forge.gridforum.org/sf/go/doc14408?nav=1
Thanks Duane for uploading.
Andreas
Hiro Kishimoto wrote:
Thanks Alan,
Please provide your feedback to Duane and Andrew. We will review revised document on Oct. 19 (Fri) at OGSA-WG F2F meeting in OGF21 Hotel. Please join us in person or dial-in.
<http://www.google.com/calendar/embed?src=ogsa.wg%40gmail.com> http://www.google.com/calendar/embed?src=ogsa.wg%40gmail.com
Thanks, ---- Hiro Kishimoto
-------- Original Message -------- Subject: Re:[ogsa-wg] OGSA Primer Newest Latest draft - v5 From: Alan Sill < <mailto:Alan.Sill@ttu.edu> Alan.Sill@ttu.edu> To: Duane Merrill < <mailto:dgm4d@virginia.edu> dgm4d@virginia.edu> Cc: <mailto:ogsa-wg@ogf.org> ogsa-wg@ogf.org Date: 2007/10/03 23:05
I am traveling today and tomorrow and will miss this discussion. I do intend to contribute something in this area soon.
I think the direction that has been started with the Express Profile, including work to allow SSL/TLS and possibly Kerberos communications, as examples, and to allow services to "express" the AuthN methods that they respect, and can use, is potentially very important, and with some work, might find real-world use case possibilities in the not too distant future. (I realize that this was not the sense of "express" meant here, but could not resist the pun.) There are some projects of which I am aware that could use exactly this feature in the near future. SO just wanted to encourage work to continue in this area.
Alan
On Oct 1, 2007, at 3:04 PM, Duane Merrill wrote:
Everyone, I have updated the primer document to include a draft of Section 3.5: Security. I realize that it is always tenuous to submit a large section to a document hours before it is up for review, and I apologize. If anyone has the time to inspect the new section, feedback and suggestions this evening would be fantastic. I've uploaded it to Gridforge as v.5 and attached it to this mail as well.
Duane
----- Original Message ----- From: Andrew Grimshaw To: <mailto:ogsa-wg@ogf.org> ogsa-wg@ogf.org Sent: Thursday, September 20, 2007 12:34 PM Subject: [ogsa-wg] Latest draft - v4
All,
Attached is the latest draft of the primer. Most of the pieces are now in place. We still need sections 3.4-3.7, and of course reviews by people. The section on the data center use case is waiting for whoever wanted it in there to write it.
The adoption section I'd like to talk about in a conference call to make sure it is a) correct, and b) saying what we want it to say.
Summary will wait till the end.
A
<OGSA Primer -v5.doc>
-- Andreas Savva Fujitsu Laboratories Ltd
-- ogsa-wg mailing list <mailto:ogsa-wg@ogf.org> ogsa-wg@ogf.org <http://www.ogf.org/mailman/listinfo/ogsa-wg> http://www.ogf.org/mailman/listinfo/ogsa-wg -- ogsa-wg mailing list <mailto:ogsa-wg@ogf.org> ogsa-wg@ogf.org <http://www.ogf.org/mailman/listinfo/ogsa-wg> http://www.ogf.org/mailman/listinfo/ogsa-wg

Marty, perhaps you miss my point. I was not suggesting that the model "wave its hands vigorously" regarding delegation requirements. In fact, quite the opposite: I am not aware of any spec or profile that gives consideration to delegation requirements within a federated model. For example, a SecPAL delegation statement like "Alice says Cluster can read /project/data if currentTime() < 07/09/2008" may have to undergo mapping during federated access to adjust the principals due to credential translation, or perhaps to translate the requirement to a different delegation policy language understood by the resource provider, etc.
I was suggesting that the model address delegation with the same attitude as it addresses credential and security policy mechanisms; opportunities to assert relevance arise from filtering these features through the OGSA philosophies of site-autonomy, separation-of-policy-and-mechanism, etc. It may not jibe with the philosophies to require a specific brand of delegation in the same vein that it doesn't fly to mandate a specific global credentialing mechanism or a specific set of secure communication requirements.
-Duane
----- Original Message ----- From: Marty Humphrey To: ogsa-wg@ogf.org Sent: Friday, October 12, 2007 8:01 AM Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
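An added illustration, not code from this thread, from the OGSA primer, or from any SecPAL implementation, of the two design points raised above: that token services map identities and credentials among security domains, and that a delegation statement such as "Alice says Cluster can read /project/data if currentTime() < 07/09/2008" must have its principals translated when a resource provider in another domain evaluates it. The domain names (uva.example, rp.example), the principal names, the trusted-issuer table and the principal mapping are all constructed for the example; the assertion shape is a simplified stand-in for a SecPAL statement, not SecPAL syntax, and the date is read as 9 July 2008 (UTC).

```python
# Added illustration for this thread; not code from OGSA, SecPAL or any product.
# Models a delegation statement of the form
#     issuer says subject can <action> <resource> if currentTime() < <expiry>
# and shows what a resource provider in another security domain has to do
# with it: check that it trusts the issuer, translate both principals into
# local names (the credential-translation step), enforce the time condition
# at decision time, and only then match the statement against the request.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Principal:
    domain: str  # security domain that issued the name
    name: str


@dataclass(frozen=True)
class Delegation:
    issuer: Principal
    subject: Principal
    action: str
    resource: str
    expires: datetime  # the "currentTime() < ..." condition


# Constructed configuration of a resource provider in domain "rp.example":
# which foreign issuers it trusts for which resources, and how foreign
# principals map onto local ones. Both tables are assumptions for the example.
LOCAL_DOMAIN = "rp.example"
TRUSTED_ISSUERS = {
    "/project/data": {Principal("uva.example", "Alice")},
}
PRINCIPAL_MAP = {
    Principal("uva.example", "Alice"): Principal(LOCAL_DOMAIN, "alice_uva"),
    Principal("uva.example", "Cluster"): Principal(LOCAL_DOMAIN, "svc_cluster01"),
}


def translate(p: Principal) -> Optional[Principal]:
    """Map a foreign principal to its local name; None if no mapping exists."""
    if p.domain == LOCAL_DOMAIN:
        return p
    return PRINCIPAL_MAP.get(p)


def federate(d: Delegation) -> Optional[Delegation]:
    """Rewrite a delegation into local principal names, or None if either
    principal cannot be translated (an unmapped principal gets no rights)."""
    issuer, subject = translate(d.issuer), translate(d.subject)
    if issuer is None or subject is None:
        return None
    return Delegation(issuer, subject, d.action, d.resource, d.expires)


def authorize(d: Delegation, requester: Principal, action: str,
              resource: str, now: datetime) -> bool:
    """Decide whether `requester` (already authenticated under a local name)
    may perform `action` on `resource` on the strength of delegation `d`."""
    # 1. Trust is decided on the issuer as named in its own domain, before mapping.
    if d.issuer not in TRUSTED_ISSUERS.get(d.resource, set()):
        return False
    # 2. Translate both principals into the provider's domain.
    local = federate(d)
    if local is None:
        return False
    # 3. The temporal condition is evaluated at decision time, not at issuance.
    if not now < local.expires:
        return False
    # 4. The translated statement must match the request exactly.
    return (local.subject == requester
            and local.action == action
            and local.resource == resource)


# Constructed assertion following the thread's example, date read as 9 July 2008.
ALICE_SAYS = Delegation(
    issuer=Principal("uva.example", "Alice"),
    subject=Principal("uva.example", "Cluster"),
    action="read",
    resource="/project/data",
    expires=datetime(2008, 7, 9, tzinfo=timezone.utc),
)


def demo() -> dict:
    """Run the assertion through the provider at several decision points."""
    cluster = Principal(LOCAL_DOMAIN, "svc_cluster01")
    before = datetime(2008, 1, 1, tzinfo=timezone.utc)
    after = datetime(2008, 7, 9, 0, 0, 1, tzinfo=timezone.utc)
    # Same statement, but about a principal the provider has no mapping for.
    unmapped = Delegation(ALICE_SAYS.issuer, Principal("uva.example", "Visitor"),
                          "read", "/project/data", ALICE_SAYS.expires)
    # Same statement, but from an issuer the provider does not trust for this resource.
    untrusted = Delegation(Principal("uva.example", "Bob"), ALICE_SAYS.subject,
                           "read", "/project/data", ALICE_SAYS.expires)
    return {
        "read_before_expiry": authorize(ALICE_SAYS, cluster, "read", "/project/data", before),
        "read_after_expiry": authorize(ALICE_SAYS, cluster, "read", "/project/data", after),
        "write_not_delegated": authorize(ALICE_SAYS, cluster, "write", "/project/data", before),
        "unmapped_subject_denied": authorize(unmapped, Principal(LOCAL_DOMAIN, "visitor"),
                                             "read", "/project/data", before),
        "untrusted_issuer_denied": authorize(untrusted, cluster, "read", "/project/data", before),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The point the toy makes is the one argued in the thread: the delegation claim is only useful at the resource provider after the same kind of identity mapping a token service performs, and whether a principal is mapped, which issuers are trusted, and when the time condition is checked are all decisions the provider keeps for itself rather than ones the issuing domain can dictate.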

I should also mention that I agree with Blair: delegation is desirable in many use-cases and should be given attention in the Primer. The issue is what the message to Primer's audience should be regarding delegation. I suggest that it is an issue to be closely tied in with the federation of credentials.
Duane
----- Original Message ----- From: Duane Merrill III To: Marty Humphrey; ogsa-wg@ogf.org Sent: Friday, October 12, 2007 11:13 AM Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
Marty, perhaps you miss my point.
I was not suggesting that the model "wave its hands vigorously" regarding delegation requirements. In fact, quite the opposite: I am not aware of any spec or profile that gives consideration to delegation requirements within a federated model. For example, a SecPAL delegation statement like "Alice says Cluster can read /project/data if currentTime() < 07/09/2008" may have to undergo mapping during federated access to adjust the principals due to credential translation, or perhaps to translate the requirement to a different delegation policy language understood by the resource provider, etc.
I was suggesting that the model address delegation with the same attitude as it addresses credential and security policy mechanisms; opportunities to assert relevance arise from filtering these features through the OGSA philosophies of site-autonomy, separation-of-policy-and-mechanism, etc. It may not jibe with the philosophies to require a specific brand of delegation in the same vein that it doesn't fly to mandate a specific global credentialing mechanism or a specific set of secure communication requirements.
-Duane
----- Original Message ----- From: Marty Humphrey To: ogsa-wg@ogf.org Sent: Friday, October 12, 2007 8:01 AM Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
"OGSA Security" has the challenge of asserting and showing relevance to the broader community; just assuming relevance is a mistake in my opinion.
One way to assert relevance is to clearly identify requirements that are arguably unique to "OGSA Security".
To state that delegation is to be merely implicitly "tossed in with security policy and credential management" is a mistake and fails to exploit an obvious opportunity to directly assert relevance.
-- Marty
From: ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] On Behalf Of Duane Merrill III Sent: Friday, October 12, 2007 3:49 AM To: Blair Dillaway; ogsa-wg@ogf.org Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
With regard to some of Blair's comments:
[Primer]
>>> "OGSA security model addresses trust management via the profiling of mechanisms defined in the WS-Trust specification in order to realize trust relationships as rules and policies for mapping identities and credentials among the involved organization domains."
[Blair's comments]
> WS-Trust focuses on a protocol for obtaining, exchanging, validating, ... security tokens. Section 2 briefly discusses trust policies and mentions some mechanism for establishing the base trust policy. These are, however, non-normative and not required by WS-Trust. It also doesn't address issuance policy at a token service. So it's not really a sufficient basis for establishing "trust relationships as rules and policies".
WS-Trust doesn't establish relationships, it helps realize established relationships. This sentence is basically saying that:
a. WS-Trust establishes the notion of token services
b. Token services are useful for mapping identities and credentials among security domains
c. The mapping of identities and credentials is the realization/incarnation of trust relationships
d. Vague hinting that the model will incorporate the profiling of WS-Trust to establish more normative behavior
[Blair's comments con't.]
> I find it surprising the subject of delegation of access rights isn't even mentioned.
Aren't we just assuming everyone will use SecPAL assertions?
Honestly, one might argue that delegation of access rights should be treated in the same vein as security token types; claims of delegation criteria will probably have to be federated in a similar vein as tokens themselves. Thus delegation is tossed in with security policy & credential mechanism: all to be the responsibility of the service providers and profiled in the common-cases by the OGSA security architecture.
-Duane
----- Original Message ----- From: "Blair Dillaway" <blaird@microsoft.com> To: <ogsa-wg@ogf.org> Sent: Friday, October 05, 2007 7:29 PM Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
> Hi all,
>
> I have reviewed the latest draft and posted my comments into the tracker. I assigned the item to Andreas assuming he'd know who'd be interested in comments on the different sections.
>
> Regards,
> Blair
>
>> -----Original Message----- From: ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] On Behalf Of Andreas Savva Sent: Wednesday, October 03, 2007 6:39 PM To: Hiro Kishimoto; Alan Sill Cc: ogsa-wg@ogf.org Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
>>
>> After the last Primer review I created an issue tracker. Please post issues relating to this document to https://forge.gridforum.org/sf/tracker/do/listArtifacts/projects.ogsa-wg/tracker.ogsa_primer
>>
>> Also the latest version of the document may be retrieved from https://forge.gridforum.org/sf/go/doc14408?nav=1
>>
>> Thanks Duane for uploading.
>>
>> Andreas
>>
>> Hiro Kishimoto wrote:
>> > Thanks Alan,
>> >
>> > Please provide your feedback to Duane and Andrew. We will review revised document on Oct. 19 (Fri) at OGSA-WG F2F meeting in OGF21 Hotel. Please join us in person or dial-in.
>> >
>> > http://www.google.com/calendar/embed?src=ogsa.wg%40gmail.com
>> >
>> > Thanks,
>> > ----
>> > Hiro Kishimoto
>> >
>> > -------- Original Message -------- Subject: Re:[ogsa-wg] OGSA Primer Newest Latest draft - v5 From: Alan Sill <Alan.Sill@ttu.edu> To: Duane Merrill <dgm4d@virginia.edu> Cc: ogsa-wg@ogf.org Date: 2007/10/03 23:05
>>
>> --
>> Andreas Savva
>> Fujitsu Laboratories Ltd
-- ogsa-wg mailing list ogsa-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-wg
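The delegation statement Duane quotes in this message ("Alice says Cluster can read /project/data if currentTime() < 07/09/2008"), and his point that its principals would have to be re-mapped when the statement crosses into another security domain, can be made concrete with a small evaluator. The following is an example added to this archive; it is not code from the thread, from SecPAL, or from any OGSA profile. It handles only the one statement shape used in the thread, and the principal-mapping table, the "home:" and "provider:" name prefixes, and the provider's trusted-issuer set are constructed stand-ins for whatever trust policy two sites would actually negotiate. The same mapping step is what Duane's later suggestion list calls the federation issue that trust policy must address on top of plain token mapping.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional
import re


@dataclass(frozen=True)
class Assertion:
    """One delegation statement: issuer grants subject the right to perform action on resource."""
    issuer: str
    subject: str
    action: str
    resource: str
    not_after: Optional[datetime]  # None means the statement carries no time condition


# Grammar for the single statement shape quoted in the thread. A real SecPAL
# engine accepts far more (nested "can say", arbitrary constraints), so this
# is an illustration of the federation step, not a SecPAL implementation.
ASSERTION_RE = re.compile(
    r"^(?P<issuer>\S+) says (?P<subject>\S+) can (?P<action>\S+) (?P<resource>\S+)"
    r"(?: if currentTime\(\) < (?P<deadline>\d{2}/\d{2}/\d{4}))?$"
)


def parse_assertion(text: str) -> Assertion:
    m = ASSERTION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised assertion: {text!r}")
    not_after = None
    if m.group("deadline"):
        # The thread writes the date as MM/DD/YYYY; treating it as UTC midnight is an assumption.
        not_after = datetime.strptime(m.group("deadline"), "%m/%d/%Y").replace(tzinfo=timezone.utc)
    return Assertion(m.group("issuer"), m.group("subject"), m.group("action"),
                     m.group("resource"), not_after)


def federate(a: Assertion, principal_map: dict) -> Assertion:
    """Re-express an assertion in the resource provider's own principal namespace.

    The mapping table stands in for the trust policy agreed between the two
    domains. An unmapped principal is rejected rather than copied through: a
    name that is meaningful in the home domain may collide with, or be mistaken
    for, an unrelated local identity at the provider.
    """
    try:
        return replace(a, issuer=principal_map[a.issuer], subject=principal_map[a.subject])
    except KeyError as missing:
        raise LookupError(f"no trust mapping for principal {missing.args[0]!r}") from None


def authorize(assertions, trusted_issuers, requester, action, resource, now: datetime) -> bool:
    """Grant iff some assertion from a locally trusted issuer matches the request and is unexpired."""
    for a in assertions:
        if a.issuer not in trusted_issuers:
            continue  # the provider's policy decides whose "says" counts at all
        if (a.subject, a.action, a.resource) != (requester, action, resource):
            continue
        if a.not_after is not None and now >= a.not_after:
            continue  # the time condition is evaluated on the provider's clock
        return True
    return False


def demo() -> dict:
    """Walk the thread's example statement through parsing, federation and evaluation."""
    stmt = parse_assertion("Alice says Cluster can read /project/data if currentTime() < 07/09/2008")
    # Constructed mapping from home-domain names to the provider's qualified names.
    principal_map = {"Alice": "home:alice", "Cluster": "provider:cluster-svc"}
    trusted = {"home:alice"}  # the provider's trust policy recognises Alice's mapped identity
    mapped = federate(stmt, principal_map)
    before = datetime(2008, 1, 1, tzinfo=timezone.utc)
    after = datetime(2008, 8, 1, tzinfo=timezone.utc)
    try:
        federate(stmt, {"Alice": "home:alice"})  # Cluster deliberately left unmapped
        unmapped_rejected = False
    except LookupError:
        unmapped_rejected = True
    return {
        "mapped_subject": mapped.subject,
        # The raw home-domain statement is not honoured: "Alice" is not a principal the provider trusts.
        "raw_statement_accepted": authorize([stmt], trusted, "provider:cluster-svc", "read", "/project/data", before),
        "before_expiry": authorize([mapped], trusted, "provider:cluster-svc", "read", "/project/data", before),
        "after_expiry": authorize([mapped], trusted, "provider:cluster-svc", "read", "/project/data", after),
        "wrong_action": authorize([mapped], trusted, "provider:cluster-svc", "write", "/project/data", before),
        "unmapped_rejected": unmapped_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example isolates is that the delegation claim is only meaningful after the same identity translation that the credential itself undergoes; a provider that evaluated the untranslated statement would either reject a legitimate request (as here, where "Alice" is unknown locally) or, worse, honour a name that happens to match an unrelated local principal. Rejecting unmapped principals outright is the conservative choice for that second case.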

Duane,
My reasons for asking about delegation are in line with Marty's concern. Delegation is a long standing requirement in Grid systems that has been discussed for many years and a number of different approaches have been developed for addressing it. For example, all the work around technologies such as attribute certificates and MyProxy servers. I believe an OGSA primer should at least acknowledge these needs.
While I happen to think SecPAL provides a great way to express delegations, it's still a research project and I would not suggest you reference it in this primer.
Re: 'realizing trust relationships'
You seem to be interpreting your sentence in a way I find very odd. I expect many other people will not read this as you seem to intend and I suggest you re-word it.
Regards,
Blair
From: ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] On Behalf Of Duane Merrill III Sent: Friday, October 12, 2007 8:13 AM To: Marty Humphrey; ogsa-wg@ogf.org Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
-- ogsa-wg mailing list ogsa-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-wg

... correction. I meant 'x.509 proxy certificates', not attribute certificates, in the first paragraph below.
/Blair
From: Blair Dillaway Sent: Friday, October 12, 2007 11:00 AM To: 'Duane Merrill III'; Marty Humphrey; ogsa-wg@ogf.org Subject: RE: [ogsa-wg] OGSA Primer Newest Latest draft - v5
Duane,
My reasons for asking about delegation are in line with Marty's concern. Delegation is a long standing requirement in Grid systems that has been discussed for many years and a number of different approaches have been developed for addressing it. For example, all the work around technologies such as attribute certificates and MyProxy servers. I believe an OGSA primer should at least acknowledge these needs.
-- ogsa-wg mailing list ogsa-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-wg

Things that I would suggest we communicate re: delegation in the primer:
* Delegation is a useful feature to be addressed and supported by the architecture. (I hesitate at making it a requirement for participating in the architecture: composition of features, no-pay-no-play, etc.). Perhaps also include a motivating simple generic use-case of: "I want to run my job, the executor needs to obtain resources/input on my behalf, etc."
* Delegation mechanisms have historically been closely tied to credential mechanisms (e.g., X-509 proxy certs and MyProxy, holder-of-key SAML assertions, etc.), which we have stated the OGSA is to be flexible with in terms of type, subject to profiling by the OGSA security model. (Grand-unifying delegation specifications pending....)
* Delegation statements that are included within or alongside credentials will face federation issues that trust policy will have to address in addition to simple token-mapping (i.e., what happens during credential mapping between security domains)
Although my original statement was somewhat flippant, I would still consider this treatment of delegation as "tossing it in with the current treatment of credentials and security policy": in many cases the important decisions regarding requirements for type and semantics/policy will remain with the service provider and their trust agreements.
-Duane
Blair Dillaway wrote:
... correction. I meant 'x.509 proxy certificates' , not attribute certificates, in the first paragraph below.
/Blair
*From:* Blair Dillaway *Sent:* Friday, October 12, 2007 11:00 AM *To:* 'Duane Merrill III'; Marty Humphrey; ogsa-wg@ogf.org *Subject:* RE: [ogsa-wg] OGSA Primer Newest Latest draft - v5
Duane,
My reasons for asking about delegation are in line with Marty's concern. Delegation is a long standing requirement in Grid systems that has been discussed for many years and a number of different approaches have been developed for addressing it. For example, all the work around technologies such as attribute certificates and MyProxy servers. I believe an OGSA primer should at least acknowledge these needs.
While I happen to think SecPAL provides a great way to express delegations, its still a research project and I'm would not suggest you reference it this primer.
Re: 'realizing trust relationships'
Your seem to be interpreting your sentence in a way I find very odd. I expect many other people will not read this as you seem to intend and I suggest you re-word it.
Regards,
Blair
*From:* ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] *On Behalf Of *Duane Merrill III *Sent:* Friday, October 12, 2007 8:13 AM *To:* Marty Humphrey; ogsa-wg@ogf.org *Subject:* Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
Marty, perhaps you miss my point.
I was not suggesting that the model "wave its hands vigorously" regarding delegation requirements. In fact, quite the opposite: I am not aware of any spec or profile that gives consideration to delegation requirements within a federated model. For example, a SecPAL delegation statement like "/Alice/ says /Cluster/ can read //project/data/ if /currentTime/() </ 07/09/2008/" may have to undergo mapping during federated access to adjust the principals due to credential translation, or perhaps to translate the requirement to a different delegation policy language understood by the resource provider, etc.
I was suggesting that the model address delegation with the same attitude as it addresses credential and security policy mechanisms; opportunities to assert relevance arise from filtering these features through the OGSA philosophies of site-autonomy, separation-of-policy-and-mechanism, etc. It may not jibe with the philosophies to require a specific brand of delegation in the same vein that it doesn't fly to mandate a specific global credentialing mechanism or a specific set of secure communication requirements.
-Duane
----- Original Message -----
*From:* Marty Humphrey <mailto:humphrey@cs.virginia.edu>
*To:* ogsa-wg@ogf.org <mailto:ogsa-wg@ogf.org>
*Sent:* Friday, October 12, 2007 8:01 AM
*Subject:* Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
"OGSA Security" has the challenge of asserting and showing /relevance/ to the broader community; just assuming relevance is a mistake in my opinion.
One way to assert relevance is to clearly identify requirements that are arguably unique to "OGSA Security".
To state that delegation is to be merely implicitly "tossed in with security policy and credential management" is a mistake and fails to exploit an obvious opportunity to directly assert relevance.
-- Marty
*From:* ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] *On Behalf Of *Duane Merrill III *Sent:* Friday, October 12, 2007 3:49 AM *To:* Blair Dillaway; ogsa-wg@ogf.org *Subject:* Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
With regard to some of Blair's comments:
*[Primer]*
>>> "OGSA security model addresses trust management via the profiling of
>>> mechanisms defined in the WS-Trust specification in order to realize trust
>>> relationships as rules and policies for mapping identities and credentials
>>> among the involved organization domains."
*[Blair's comments]*
> WS-Trust focuses on a protocol for obtaining, exchanging, validating, ...
> security tokens. Section 2 briefly discusses trust policies and mentions
> some mechanism for establishing the base trust policy. These are,
> however, non-normative and not required by WS-Trust. It also doesn't
> address issuance policy at a token service. So it's not really a sufficient
> basis for establishing "trust relationships as rules and policies".
WS-Trust doesn't establish relationships, it helps realize established relationships. This sentence is basically saying that:
* WS-Trust establishes the notion of token services
* Token services are useful for mapping identities and credentials among security domains
* The mapping of identities and credentials is the realization/incarnation of trust relationships
* Vague hinting that the model will incorporate the profiling of WS-Trust to establish more normative behavior
*[Blair's comments con't.]*
> I find it surprising the subject of delegation of access rights isn't even mentioned.
Aren't we just assuming everyone will use SecPAL assertions?
Honestly, one might argue that delegation of access rights should be treated in the same vein as security token types; claims of delegation criteria will probably have to be federated in a similar vein as tokens themselves. Thus delegation is tossed in with security policy & credential mechanism: all to be the responsibility of the service providers and profiled in the common cases by the OGSA security architecture.
-Duane
----- Original Message -----
From: "Blair Dillaway" <blaird@microsoft.com <mailto:blaird@microsoft.com>>
To: <ogsa-wg@ogf.org <mailto:ogsa-wg@ogf.org>>
Sent: Friday, October 05, 2007 7:29 PM
Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
> Hi all,
>
> I have reviewed the latest draft and posted my comments into the tracker. I assigned the item to Andreas assuming he'd know who'd be interested in comments on the different sections.
>
> Regards,
> Blair
>
>> -----Original Message-----
>> From: ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] On Behalf Of Andreas Savva
>> Sent: Wednesday, October 03, 2007 6:39 PM
>> To: Hiro Kishimoto; Alan Sill
>> Cc: ogsa-wg@ogf.org
>> Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
>>
>> After the last Primer review I created an issue tracker. Please post issues relating to this document to
>> https://forge.gridforum.org/sf/tracker/do/listArtifacts/projects.ogsa-wg/tracker.ogsa_primer
>>
>> Also the latest version of the document may be retrieved from
>> https://forge.gridforum.org/sf/go/doc14408?nav=1
>>
>> Thanks Duane for uploading.
>>
>> Andreas
>>
>> Hiro Kishimoto wrote:
>> > Thanks Alan,
>> >
>> > Please provide your feedback to Duane and Andrew.
>> > We will review the revised document on Oct. 19 (Fri) at the OGSA-WG F2F meeting in the OGF21 hotel. Please join us in person or dial in.
>> >
>> > http://www.google.com/calendar/embed?src=ogsa.wg%40gmail.com
>> >
>> > Thanks,
>> > ----
>> > Hiro Kishimoto
>> >
>> > -------- Original Message --------
>> > Subject: Re: [ogsa-wg] OGSA Primer Newest Latest draft - v5
>> > From: Alan Sill <Alan.Sill@ttu.edu>
>> > To: Duane Merrill <dgm4d@virginia.edu>
>> > Cc: ogsa-wg@ogf.org
>> > Date: 2007/10/03 23:05
>> >
>> >> I am traveling today and tomorrow and will miss this discussion. I do intend to contribute something in this area soon.
>> >>
>> >> I think the direction that has been started with the Express Profile, including work to allow SSL/TLS and possibly Kerberos communications, as examples, and to allow services to "express" the AuthN methods that they respect, and can use, is potentially very important, and with some work, might find real-world use case possibilities in the not too distant future. (I realize that this was not the sense of "express" meant here, but could not resist the pun.) There are some projects of which I am aware that could use exactly this feature in the near future. So just wanted to encourage work to continue in this area.
>> >>
>> >> Alan
>>
>> --
>> Andreas Savva
>> Fujitsu Laboratories Ltd
------------------------------------------------------------------------
-- ogsa-wg mailing list ogsa-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-wg

Duane Merrill wrote:
> * Delegation is a useful feature to be addressed and supported by the architecture. (I hesitate at making it a requirement for participating in the architecture: composition of features, no-pay-no-play, etc.). Perhaps also include a motivating simple generic use-case of: "I want to run my job, the executor needs to obtain resources/input on my behalf, etc."
Good use cases for delegation can include portals and workflow engines. It can sometimes also be useful during resource discovery.
> * Delegation mechanisms have historically been closely tied to credential mechanisms (e.g., X.509 proxy certs and MyProxy, holder-of-key SAML assertions, etc.), which we have stated the OGSA is to be flexible with in terms of type, subject to profiling by the OGSA security model. (Grand-unifying delegation specifications pending....)
Be careful here not to fall into the Usual Security Trap. That's where you say "you can do this, or you can do that, or you can do the other, and there's a bazillion ways to combine them". Implementors hate that sort of thing, since it gives them very little guidance as to what to really write. Fewer options, more utility. :-) Donal.

Hi Duane and Andrew,
I've added my comments to draft v5 and made it v5.1. I did not know Duane had already uploaded his new draft v6 on the GridForge. The attached is an update of v5, so we need to merge.
Sorry for the last-minute posting, but let's review mine and Duane's at the OGSA primer session today.
Thanks,
----
Hiro Kishimoto
-------- Original Message --------
Subject: [ogsa-wg] OGSA Primer Newest Latest draft - v5
From: Duane Merrill <dgm4d@virginia.edu>
To: ogsa-wg@ogf.org
Date: 2007/10/02 5:04
Everyone, I have updated the primer document to include a draft of Section 3.5: Security. I realize that it is always tenuous to submit a large section to a document hours before it is up for review, and I apologize. If anyone has the time to inspect the new section, feedback and suggestions this evening would be fantastic. I've uploaded it to Gridforge as v.5 and attached it to this mail as well.
Duane
----- Original Message -----
*From:* Andrew Grimshaw <mailto:grimshaw@virginia.edu>
*To:* ogsa-wg@ogf.org <mailto:ogsa-wg@ogf.org>
*Sent:* Thursday, September 20, 2007 12:34 PM
*Subject:* [ogsa-wg] Latest draft - v4
All,
Attached is the latest draft of the primer. Most of the pieces are now in place. We still need sections 3.4-3.7, and of course reviews by people. The section on the data center use case is waiting for whoever wanted it in there to write it.
The adoption section I’d like to talk about in a conference call to make sure it is a) correct, and b) saying what we want it to say.
Summary will wait till the end.
A