OGSA Teleconfererence - 21 November 2005 ======================================== * Participants Pete Ziu (Northrop Grumman) Von Welch (NCSA) Alan Sill (Texas Tech Univ.) Frank Siebenlist (ANL) Andreas Savva (Fujitsu) Takuya Mori (NEC) Mark Morgan (UVa) Tom Maguire (EMC) Fred Maciel (Hitachi) Hiro Kishimoto (Fujitsu Dave Berry (NeSC) Michael Behrens (R2AD, LLC) Apologies: Ellen Stokes Minutes: Andreas Savva, Alan Sill * November 16 minutes approved with no changes * OGSA AuthZ Joint Call ** Background Alan described OSG, EGEE and made mention of GridShib efforts, and the desire to support a more standards-based approach to attribute-based authorization. A strong desire exists both within the user communities and at the funding agency level, he believes, for a standards-based approach to authorization that can interoperate with and be complementary to the existing standards-based approach to CA operations being taken by the CAOps-WG and the PMA technical community. (cf. http://gridpma.org for the IGTF = International Grid Trust Federation and its member organizations.) He also noted that there is ongoing research and work being done to extend and supplement the "classic PKI" authentication profile, for example with the Short-Lived Credential Service (SLCS) profile being considered by TAG PMA (The Americas Grid PMA) and about to come up for voting there. ** Future directions (OGSA services, federated authentication) Frank said most important task is to come up with an improved authorization query interface. The present one is based on SAML 1.1 and lacks features needed to communicate easily such attributes as groups and roles. Version 2 of the OGSA AuthZ specification needs to define interfaces so such attributes can be communicated more easily. The hope is to leverage part of the work done in the OASIS XACML TC for the XACML 3.0 spec. (Frank is a member of the TC.) The TC has come to some agreement on how to proceed and is preparing to write up WSDL, etc. Ideally this could be used as is provided it fits the Grid requirements. At the last GGF, the two groups had separate face-to-face meetings at the same time, which interfered with progress. Alan noted that there was good attendance at the AuthZ GGF15 wrap-up meeting, nonetheless. Von Welch agreed with the above summary of priorities, but noted that there is a need for far more people and fresh blood. Alan added that he would like to see representation from at least 3 communities: the OSG Privilege Project authors, the LCG Joint Security Group, and members of the Shibboleth community who are interested in working in the direction of international standards. Hiro asked what would be required to use the XACML v3 query i/f with the OGSA WSRF BP. Frank and Tom agreed that the XACML i/f would be complementary to the BP and it should be possible to compose the two. There is no reason to have a WSRF-specific XACML i/f. Hiro asked whether standardizing on the schema or alternatively on a language for defining attribute characteristics is preferable. Alan responded that from his point of view, the latter (an attribute language) is preferable, as schema can become outdated and attribute spaces are by their nature extensible, and that a possible reason for failure of previous AuthZ efforts might be due to attempts to overly specify the schema. (Since it is not possible to do an exhaustive definition of the attributes.) ** OGSA-AuthZ WG status update (specs) - Is there a plan to produce a new version of the Attributes specification? It is important for people who are implementing this specification to come forward and join the discussion. The WG has to see what is being adopted and what needs to be done before moving forward. Alan volunteered to take this discussion to VOMS and try to get people to join. - What is the status of the submitted AuthZ documents? The Attributes document completed its public comment period and was returned back to the authors for revision. There was some uncertainty on the call whether this document was pulled out of the process altogether or whether it was going to move forward after changing its type to Experimental. There was also an issue with making it WSRF based, or combinable with the OGSA WSRF profile. Von will check the status of this document. ** Next steps Hiro suggested to have another joint call in Dec.; it was set for the OGSA call on Dec. 19 (Mon.). Hiro also asked whether AuthZ WG members can attend the next OGSA F2F in Sunnyvale in January (week of 16). - It was pointed out that the AuthZ specific discussion is likely to be occupy a very small slot (1-2 hours) during the 5 day meeting. - Frank will attend in person. - Von and Alan may join by phone if it is not possible to attend in-person. Agreed to advertise both the joint call and the F2F and try to get wider participation. * Profile Definition Review - Tom changed his Affiliation. - Consensus on the call not to add implementation status examples. - Agreed that the change from "In other words" to "For example" in the last sections and related changes in wording are appropriate. - Other minor wording changes. Tom will accept all changes, post a new draf and announce a final call to list, lasting to next week Wednesday. (This is to allow for people who may be on holiday this week.) Tom will also reply to comments on the public forum. * Security Profile - Secure Channel Review - Using version sent out by Hiro to the list. ** Tracker review (Numbers correspond to tracker artifacts) - 1657: added; close. - 1658: MLS is dropped; close. - 1659: No problem using SSL; close. - 1662: Checked that there are no significant changes that affect this profile; updated; fixed. - 1663: Updated to remove dependency; fixed. - 1685: Added secure channel definition: fixed - Does any part of this definition imply encryption? Yes, integrity does. - 1697: Revised the list but the explanatory text still needs work to make clearer what the profile is doing. It is ok to combine some of these items if it will make the explanation easier. - Takuya to draft some text and review with Andreas - 1698: Strictly speaking the features described in section 3.4 and section 4 are orthogonal to the rest of the profile. Tokens, and the key exchange mini-specification would apply to both TLS and MLS. - If this text is left here then the MLS profile would have to depend on this profile; or worse, duplicate the same text. - Frank proposed that if these sections are needed in general then it might be worth deleting these sections from the Secure Channel Profiel and adding them to the WSRF Basic Profile. - Agreed, in principle, to remove the sections from this spec. and discuss how to make them apply to any profile. - Andreas proposed that these sections should be part of a Basic Security Profile and that Profile could then be combined with the WSRF BP or be referenced by the Channel profiles. The Claim URI mechanism defined in the WSRF BP allows multiple Security profiles to be composed with it so there would be no problem with this approach. - Hiro proposed that such a Basic Security Profile could also serve as an 'anonymous' channel profile (one that makes no statements on channel security) and could also solve the problem of having a separate, essentially empty, profile document with no security statements. - Andreas was tasked to write up the proposal for splitting up the Secure Channel Profile and send it to the list to collect feedback from stakeholders not on the call. * UML Tool Choice - No opposition on the list or the call for the Rational choice. - Agreed that there are a couple of things that need to be cleared up, and until that time the choice is still tentative. - Hiro to follow up with Ellen on the IBM liaison and with the GGF Office and make sure that we can use the tool for GGF work. - Mike proposed that CDs should be made available at the next F2F. * OGSA 1.5 review - Postponed due to lack of time. * Next call - OGSA 1.5 review - Basic security profile discussion