23 September 2004: OGSA Authorization WG: GGF12
====================================================

Von Welch in the chair. Andrew McNab taking notes.

Von: Intro. Agenda discussion.

Proposal for path forward (see slides for some more details)
-------------------------

Put SAML Authz Interface document into WG last call? (It represents GT3 and PERMIS implementations.)

David C raised some more queries about the recipient field being insufficient to stop replay attacks: remove it? No implementations use it.

Von: two action items? Think about the implications of this, and check if any implementations use it.

Von: So we resolve this and then proceed with SAML Authz Int to last call?

Consider features for v2 of this:
  WSRF appendix including GT4 way of capturing EPRs?
  Obligations? (see below)
  Parameters? (Not just method and resource, but also things like per-row authz decisions in database searches.)

David C: yes, would be nice to stop v1 and make a break, otherwise it will go on and on. (PERMIS already does allow parameter passing.)

No objections.

Von: Attribute document? Need to resolve the issue around "MUST have lifetime". Otherwise ready for WG last call. Also need to sort out the issue on email.

David C: will ask about the change to MUST in X.509 at the next meeting, and try to find the rationale.

No objections.

Obligations discussion
----------------------

Von: David C and Markus L have differing opinions on this. Markus not able to be present. Von will present Markus' slides.

David C presented his own slides first. (See slides.)

Leon G offered to look at IETF ?COPS? in this context.

David C: Imperial College are intending to implement Obligations in Web Services in the next year.

Von presented Markus' slides. (See slides.)

David C: Markus' and the PONDER view of what an obligation actually is differ significantly. We need to decide what we want out of obligations. Worried by the statement about mismatch between policy and request. Can just represent it in policy already.

Andrew M: danger with that is it makes policy very verbose (eg if you have to have one section of UID, GID, etc. for each of 30,000 users.)

Von: Markus' point is that we need more than Yes/No from the PDP.

David C: SAML "advice" already provides a mechanism for this?

Leon G: much of this already discussed in IETF ?COPS? with use cases.

Von: enough interest in this for a v2? Continue discussing this? See where Markus' implementation leads? (David C: parameter passing is more pressing from our perspective.)

Dane S: we have a use case with a chain of PDPs where we may need "blind" decisions, where information held by some PDPs can't be disclosed through published policies or requirements. Need this for privacy protection.

Von: get some use cases so we can discuss it more.

Olle M: might be better to use something based on existing software rather than being "architecturally correct."

Meeting closed.