GGF-10 OGSA Authorization WG 12 March 2004 =========================================== MT=Mary Thompson; AM=Andrew McNab; VW=Von Welsh; FS=Frank Siebenlist; ML=Markus Lorch; DS=Dane Skow; VC=Vincenzo Ciaschini; TM=Takuya Mori Agenda briefly discussed. Attribute Document - MT ----------------------- Review of attributes (eg Shibboleth) then how might use in OGSA context. Profiles for SAML and X.509. Some changes to Attribute profile ("problem" in all of underlying standards is that they're so extensible.) On mailing list, discussion started by FS about attributes/privileges, naming of attributes (global, or local to Issuer?) MT: may need to make this more explicit in document. VW: based on SAML 1.1, but ok since 2.0 not out. Do we feel VOMS attributes captured in document now? VC: yes, fairly happy now. DS: Question about identity just another attribute? Are we making a logical statement about them being equivalent, or just saying they are packaged that way? FS: The document sidesteps ID attributes as being special. Just treats them as another attribute. MT: another set of revisions needed. then where? VW: sounds like near completion. Working group should speak up now if there's another major you don't like. Close to completion, which is on timeline for the group (~GGF 11) MT: will send round again. Please read it if you've not already. Authorization Interface document - VW ------------------------------------- Based on SAML 1.1. "Authoriation decision assertion query response protocol" Development picked up again recently, shared between client end (VW/Globus) and service end (DC/PERMIS). If you have major issues, you need to speak up now. MT: Was WSDL in it? VW: No, just got WSDL from Argonne developers now, but will be in document soon. VW: WS-RF. No way to reference a WS-Resource obviously with a URI (OGSI used GSH = URI) WS-RF uses complex reference properties. Not clear how to map to URI for benefit of SAML etc. I suggest we don't address this yet. (WS-RF may change, no implementation experience.) FS: They are well aware of this problem. They are thinking about it a lot. VW: May be able to use extended endpoint references, but not clear yet. Don't hold off our document to wait for this. (Could do ad-hoc mapping via URI if necessary for progress.) Propose to broaden URI that refers to service not to be a single GSH. AM: That's nice since you can have a bunch of services within the same authorization subdomain that you can refer to with the same URI authz handle. VO Use Case and Security Services - TM -------------------------------------- FS: TM presents use cases, done with input from people in OGSA area. (See slides for detailed discussion of use cases.) Various discussions clarifying specific parts of the slides. OGSA Authz Group Admin issues - VW ---------------------------------- VW: Charter vs progress. Work happening on Attribute and Authorization callout, but not on policy (FS doing this in WS contexts.) FS: Add standardisation of attribute services. FS will propose revised charter which is more attribute focused, to the list. VW: MT suggested looking more closely at the Authz-WG glossary. Should do this.