Security Web Service Specifications

Everyone,

I mentioned on the call today that the Liberty Alliance effort has defined ID-WSF, a web services framework for identity management functions that may be useful to OGSA. It allows for fairly powerful identity management and integrates well with SAML and others.

http://www.projectliberty.org/resource_center/specifications/liberty_alliance_id_wsf_2_0_specifications

I think it's also worth taking some time to analyze WS-Trust, a specification that intends to generalize security token exchange.

http://www-128.ibm.com/developerworks/library/specification/ws-trust/

I'll just set these out for informational purposes right now without making any particular recommendations. These could both feed into profiling efforts surrounding WS-Security and WS-SecureConversation. As you read this, I'd ask you to please keep a mental distinction between protocol and token format.

Thanks for your time,
Nate.

It's timely to note that WS-Trust and WS-SecureConversation are both up for the vote to be approved as OASIS standards. Ballots close Wednesday.

Stephen
-----Original Message----- From: ogsa-wg-bounces@ogf.org [mailto:ogsa-wg-bounces@ogf.org] On Behalf Of Nate Klingenstein Sent: 26 February 2007 22:56 To: ogsa-wg@ogf.org Subject: [ogsa-wg] Security Web Service Specifications

Hi Nate

WS-Trust is the spec that we have profiled in OGSA-Authz for communicating between the PEP and the CVS. See http://forge.gridforum.org/sf/go/doc9011?nav=1

regards

David

Nate Klingenstein wrote:
--
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

Hi Nate,

Could you elaborate a little on where you think Liberty ID-WSF might integrate into the protocol stack? Or maybe another way to put this is: What components of Liberty ID-WSF (which is huge!) do you think are relevant here?

If Shibboleth chooses to align with Liberty, I think that's fine, but it's not at all clear to me how this impacts the Grid, and hence my questions above. Speaking as a Globus developer, Liberty ID-WSF in Globus Toolkit (if that's what you're proposing) will be a hard sell since 1) Globus has already made significant investments in WS-Security and WS-SecureConversation, and 2) ID-WSF may be incompatible with WSRF (in their use of WS-Addressing, in particular).

If you can shed any light on this issue, that would be great.

Thanks,
Tom Scavo
NCSA

On 2/26/07, Nate Klingenstein <ndk@internet2.edu> wrote:

Tom,

Excellent questions. Let me go a little bit into my personal views here.

I have been mentioning ID-WSF in a few different threads, but not because I have any particular fondness for the specification suite in particular. It's the structure of three concepts that it supports that I think are of great importance:

1) ID-WSF provides a way to describe in a security credential a location, protocol, and identifier to use to retrieve additional identity information/services associated with that credential. My general philosophy is "push everything that you can, and if there's something you can't push, then push what's needed to pull it." ID-WSF endpoint references in SAML tokens allow for that.

2) The query service is close to what I would consider a generalization of the attribute authority. It's a better place to end up at from an endpoint reference because it's more flexible: return the attributes if you have them, and if not, then point off towards other places. It offloads from the SP the requirement to match attributes it needs to identity sources, which has the potential to customize that functionality per user and also help preserve privacy.

3) The ability to treat the client device itself as a web service capable of acting (roughly) as a provider in specialized circumstances offers interesting delegation and client-generated credential possibilities.

I don't think the Shibboleth project has made any commitment towards or against ID-WSF at this point. If we could replicate the pieces of functionality I describe above in an alternative way, I'd absolutely support that. Those are the specific pieces of the Liberty specifications that I'm interested in and the places I'd use it. I hope that addresses your first set of questions.

There are a lot of overlaps with the other specifications, particularly WS-Trust and WSRF. I would be very interested in any suggestions you have about how to represent the functionality I refer to above using protocols or specs that are more amenable to Globus integration.

Very useful conversation,
Nate.

On 28 Feb 2007, at 18:49, Tom Scavo wrote:
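Editor's note: the thread talks about WS-Trust as a token-exchange protocol (Nate's "keep a mental distinction between protocol and token format", David's PEP-to-CVS profile) and about ID-WSF endpoint references carried inside SAML tokens so a consumer can pull what was not pushed. The following is an added example, not code from any of the participants, Globus, Shibboleth or Liberty: it builds a WS-Trust 1.3 RequestSecurityToken, checks a RequestSecurityTokenResponse against what was requested, and only then hands the token to a separate SAML-side function that reads out an endpoint reference. The STS address, relying-party address, assertion contents and the attribute name `urn:example:attribute-query-epr` (a stand-in for Liberty's bootstrap attribute) are all constructed for illustration, and the WS-Policy 1.2 namespace used for AppliesTo is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces from WS-Trust 1.3, WS-Addressing 1.0, WSS utility and SAML 2.0.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSA = "http://www.w3.org/2005/08/addressing"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"   # WS-Policy 1.2 (assumed)
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ISSUE = WST + "/Issue"
SAML2_TOKEN = ("http://docs.oasis-open.org/wss/"
               "oasis-wss-saml-token-profile-1.1#SAMLV2.0")
# Constructed stand-in for an ID-WSF bootstrap attribute name (not Liberty's).
EPR_ATTRIBUTE = "urn:example:attribute-query-epr"


def q(ns, local):
    return "{%s}%s" % (ns, local)          # Clark-notation tag name


def build_rst(token_type, applies_to):
    """Protocol side: an RST asking the STS (the CVS, in OGSA-Authz terms) to
    Issue a token of the requested format for one relying party. Nothing here
    knows what a SAML assertion looks like."""
    rst = ET.Element(q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "RequestType")).text = ISSUE
    ET.SubElement(rst, q(WST, "TokenType")).text = token_type
    epr = ET.SubElement(ET.SubElement(rst, q(WSP, "AppliesTo")),
                        q(WSA, "EndpointReference"))
    ET.SubElement(epr, q(WSA, "Address")).text = applies_to
    return ET.tostring(rst, encoding="unicode")


# Constructed RSTR for the example; issuer, subject and addresses are made up.
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponseCollection
    xmlns:wst="%s" xmlns:wsu="%s" xmlns:saml="%s" xmlns:wsa="%s">
  <wst:RequestSecurityTokenResponse>
    <wst:TokenType>%s</wst:TokenType>
    <wst:Lifetime>
      <wsu:Created>2007-02-26T22:56:00Z</wsu:Created>
      <wsu:Expires>2007-02-27T02:56:00Z</wsu:Expires>
    </wst:Lifetime>
    <wst:RequestedSecurityToken>
      <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-02-26T22:56:00Z">
        <saml:Issuer>https://sts.example.org</saml:Issuer>
        <saml:Subject><saml:NameID>ndk</saml:NameID></saml:Subject>
        <saml:AttributeStatement>
          <saml:Attribute Name="%s">
            <saml:AttributeValue>
              <wsa:EndpointReference>
                <wsa:Address>https://idp.example.org/idwsf/query</wsa:Address>
              </wsa:EndpointReference>
            </saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </wst:RequestedSecurityToken>
  </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>""" % (
    WST, WSU, SAML2, WSA, SAML2_TOKEN, EPR_ATTRIBUTE)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_rstr(xml_text, expected_token_type, now_iso):
    """Protocol side: check the RSTR against what was requested and return the
    token as an opaque element. Signature, audience and condition checks on
    the token itself belong to the token-format layer, not here."""
    root = ET.fromstring(xml_text)
    responses = root.findall(q(WST, "RequestSecurityTokenResponse"))
    if len(responses) != 1:
        raise ValueError("expected exactly one RequestSecurityTokenResponse")
    rstr = responses[0]
    got = rstr.findtext(q(WST, "TokenType"))
    if got != expected_token_type:      # never accept a substituted token format
        raise ValueError("STS returned %s, expected %s" % (got, expected_token_type))
    lifetime = rstr.find(q(WST, "Lifetime"))
    expires = None if lifetime is None else lifetime.findtext(q(WSU, "Expires"))
    if expires is None or _ts(now_iso) >= _ts(expires):
        raise ValueError("token lifetime missing or already expired")
    wrapper = rstr.find(q(WST, "RequestedSecurityToken"))
    tokens = [] if wrapper is None else list(wrapper)
    if len(tokens) != 1:
        raise ValueError("RequestedSecurityToken must wrap exactly one token")
    return tokens[0]


def saml_pull_endpoints(assertion, attribute_name):
    """Token-format side: read the endpoint references that tell a consumer
    where to pull the attributes it was not pushed."""
    if assertion.tag != q(SAML2, "Assertion"):
        raise ValueError("token is not a SAML 2.0 assertion")
    return [a.text for attr in assertion.iter(q(SAML2, "Attribute"))
            if attr.get("Name") == attribute_name
            for a in attr.iter(q(WSA, "Address"))]


def demo(now_iso="2007-02-26T23:00:00Z"):
    """Run the exchange end to end and return the pull endpoints found."""
    rst = build_rst(SAML2_TOKEN, "https://rp.example.org/service")
    assert ISSUE in rst
    token = parse_rstr(SAMPLE_RSTR, SAML2_TOKEN, now_iso)
    return saml_pull_endpoints(token, EPR_ATTRIBUTE)
```

The split between `parse_rstr` and `saml_pull_endpoints` is the point: the first function would be unchanged if the requested TokenType were an X.509 or SAML 1.1 token, and the second would be unchanged if the assertion arrived over SAML SOAP binding rather than WS-Trust. Rejecting a TokenType other than the one requested, and an expired Lifetime, happens at the protocol layer before any token parsing is attempted.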
Participants (4): David Chadwick, Nate Klingenstein, Stephen M Pickles, Tom Scavo