GGF10 Authorization Frameworks and Mechanisms (AuthZ-WG) Meeting Thu Mar 11 2004 16:00-17:30 Agenda: - Update on Framework Document Progress (5 min) - Glossary Document Discussion (75 min) I intend to go over the current glossary draft (V3 of 2004-02-24) in detail: https://forge.gridforum.org/projects/authz-wg/document/Glossary_Draft/en/3 We currently have about 90 terms listed in the glossary. I hope to achieve two things in today's meeting: 1. Get consensus on the term descriptions 2. Elicit additional terms we should include. The current list is based on our AuthZ Framework document with a few additional items that have only been used in the OGSA AuthZ documents (highlighted). I suspect there are more OGSA terms we may want to include. - Future Plans of the WG (10 min) Pending the outcome of the Glossary discussion we can decide what to do with this WG. I currently don't have a new work proposal that would justify to recharter/keep this WG after Glossary document submission. Summary: - The framework document is submitted to the GGF Editor. It is important to show some discussion of the document on the mailing list. If you have comments, please post them. Also, please post to the mailing list if you support (agree with) the document. https://forge.gridforum.org/projects/authz-wg/document/Authorizaiton_Framework_Document_-_Editor_Submission_2004-03-05/en/1 - Most of the session was spent reviewing the glossary document. Markus made changes online to the document during the discussion, and the modified version is available at . Please review the document and make comments on the mailing list. The plan is to wrap-up the document before the next GGF. The OGSA AuthZ WG is reviewing the glossary document tomorrow, and Markus will ask the GGF policy research group to review it. - With both documents wrapping up, it is expected the WG will not need to meet again. The WG will remain active until the documents are accepted for publication. Minutes: Markus mentioned the GGF IP statement, passed around the sign-up sheet, and reviewed the agenda. Framework document WG last call Dec 25 - Jan 26. Referencing of OGSA Attributes Draft was suggested. Minor changes for clarification. Mary made some final edits. Submitted to GGF Editor on Mar 6 2004. Dane said it is worrisome there were no comments on documents. GFSG soliciting positive comments on the mailing list. How does OGSA Attributes draft relate to WSRF? Glossary document: Have about 90 terms in the glossary. Today: (1) Get consensus on term descriptions (2) Elicit additional terms we should include. Is this glossary intended to be included in OGSA WG glossary document? No. This document is specific to authorization terms. Other GGF AuthZ documents: Site AAA Requirements OGSA Attributes OGSA Security AuthZ Call-out Would be helpful if glossary would be used by other groups. Are there conflicts between different glossaries? OGSA AuthZ WG will review this document tomorrow. Each document will have local glossary but this glossary will provide more general terms. At this point Markus began reviewing the terms in the Glossary document. Will probably remove references to AuthZ Framework document before publication to make it a more general glossary document. Policy Decision Point originally defined in RFC 2753. Need to update Access Control Decision Function definition. Also RFC 3198 terminology document. Mention that enforcement functions are often application-dependent, as stated in ISO document. Access Policy also called Access Control Policy. Administrative Domain defined by unified entity that has control over machines. No complaints with definition as it currently stands. Property is another name for Attribute. Attribute definition should read, "A named property (type and value) associated with an entity." What is intention of information in an Attribute? Used for AuthZ decisions. Property (type and value) is very generic. Could be a whole policy or rule in an attribute. Change Attribute Assertion definition to "A statement that a subject is the holder of a specific attribute. In some cases the attribute has a single value, ..." Please propose additional small changes like these on the mailing list. What is Attribute Authority Domain for a frequent flyer card? Group of airlines that accept the card. But they are separate domains? Domain is established when they recognize each other's cards. There's an issuing domain and accepting domain(s) with a relationship between them. Not just one domain. Attribute Domain can cover several administrative domains? Attribute Domain is the accepting domain? Consensus that Attribute Domain is the group that recognizes the authority. Consider different frequent flyer levels. Need a gold card to access the lounge. Attribute Repository contains attribute information but not necessarily assertions? Could be backend database used by asserting authority? Intention is that repository contains pre-packaged assertions but not necessarily signed? Two types of repositories: established trust connection doesn't require signature or untrusted repository that contains signed assertions. Repository is independent of asserting authority. Attribute repository stores assertions. Not like a user database. Can be an LDAP repository? Repository is raw data? Call it Attribute Assertion Repository? Change Attribute Certificate definition to "One type of Attribute Assertion" instead of "Attribute Token"? Are tokens always signed? Attribute Token defined in the document. Authentication Credential: Certificate is different from a credential. Credential includes private component. Credentials are never surrendered but rather used. How does this relate to WS-Security and Java terminology? WS-Security defines Tokens and Java has credentials. Should we indicate the documents that glossary is based on? Documents refer to the glossary. The meaning of Credentials and Tokens are different in other contexts. Kerberos ticket can be a credential. What is difference between a credential and token or private key? Must prove possession of credentials. Use a credential to create an authentication token? Entity you authenticate to gives it to you. Issuing a token that may be rejected is not an action of authorization. Rejected because relying party doesn't trust issuer or token is invalid. Authorization is a fuzzy term, reflected in the definition. Is enforcement included in authorization? No. Disagreement with Authorization definition being issuing of token. It is a claim of authority but not an authorization. Authorization is a broad topic not encompassed by this definition? Difficult to define Authorization in one sentence. Need to elaborate on this definition? Use larger definition from framework document? Authorization is the act of authorizing. Use AuthZ attributes and policy to explain. For Authorization Algorithm, reference Authorization Information. What is difference between authz attribute and privilege? Attribute privilege? Privilege attribute? Would be useful to create links between terms in the document. Make sure we use the same terms as in OGSA AuthZ document. OGSA document has contextual information versus authz context here. Context associated with specific transaction. Also SAML for OGSA AuthZ. Can AuthZ Decision be 50 Mbps versus always a yes/no answer? Decision is yes/no/maybe. Use maybe if constraints? Need to clarify AuthZ Decision definition. Refer to use in XACML and SAML. Should include indeterminate response? Spell out what Authorization Information includes in definition. Reference RFCs in AuthZ Push/Pull Sequence definitions. For AuthZ Request, what do you mean by authorized entities? Do you mean authenticated entities? Authorized by whom? Authorized to get a yes/no answer. Not authorized to get details. Change to only authenticated requests from authorized entities are responded to. Include some description that you don't want to give information to unauthorized entities. Authenticated entities or authenticated requests? Authorization Subject often called Requestor? Add to defn? No. Causes confusion. What about third party making request? Ref RFCs for Certification Authority defn. Mention that CA establishes trust. Does Domain include users? Yes. User's home domain. You're not part of your house. Delegation Attribute doesn't necessarily assert rights held by issuer? Replace issuer with delegator? Change issuer to "issuer of the attribute." Subject doesn't have to be a person. Can be a resource or a process. If I have an X.509 attribute certificate, how can I delegate it? 1. Create another certificate and sign it with your own key. 2. Give it to an authority? Question is out of scope. Discuss after session. Environmental Authority is not well understood? How does ID token differ from authentication token? Use authentication tokens for different roles? Derived from ID token? ID token may be X.509 certificate. Authentication token result of passing ID token to authentication process, like SAML authentication assertions? Example: government-issued passport Policy research group in GGF architecture area should review this glossary. In XACML, Policy Statement would be a Rule? Statement is collection of rules? How do rights and privileges differ? X.509 ITU defines Source of Authority. Please send additional comments on this document to the mailing list. Can we finish this glossary on the mailing list? Shouldn't need to meet again unless there are problems with the documents. Meeting adjourned. ----------------------------------------------------------- Additional notes from Andrew McNab: ML=Markus Lorch; DS=Dane Skow; CdL=Cees de Laat; MT=Mary Thompson; LG=Leon Gommans; DC=David Chadwick; Q=other question Glossary document discussion ---------------------------- ML: Few comments received on Glossary document. DS: Would be helpful if people send positive comments even if they've just read it. Q: Does WS-RF change anything in OGSA Attributes draft? ML: Not really. And we're not sure about referencing draft GGF docs (waiting for definitive answer.) ML: Currently about 90 terms in Glossary. Current list on Authz Framework doc. May need to add some from OGSA Authz documents. Q: What about other security work? ML: This is just Authz, but could be referenced by others. MT: Want to make sure Glossary is usable by OGSA Authz etc. Q: Someone needs to check all glossaries are consistent. ML: That's part of the reason for going through things today. Term by term discussion ----------------------- LG: PDP/PEP was defined in RFC ??? earlier than 2904. DC: ACEF is "typically application dependent". Add (also access control policy) DC: Property also used later on. So property = "Type and Value" to be consistent with subsequent use. Discussion about "Attribute Authority Domain" and whether it should be "Accepted." Acceptance vs Recognition; and about Attribute (Assertion) Repository. Discussion about Credential vs token. Private keys, proof of possession vs signatures that are actually disclosed. Q: Is enforcement included in Authorization? ML: No. (several others, updates in the glossary Word docuement) Future Plans ------------ ML: Continue with document on mailing list; and continue group only as long as needed to get documents formally submitted. General agreement.