OGSA Teleconference - 21 September 2006
=======================================

* Participants
  Jay Unger (IBM)
  Jem Treadwell (HP)
  Dave Snelling (Fujitsu)
  Alan Sill (TTU)
  Frank Siebenlist (ANL)
  Andreas Savva (Fujitsu)
  Mark Morgan (UVa)
  Duane Merrill (UVa)
  Tom Maguire (EMC)
  An Ly (CA)
  Hiro Kishimoto (Fujitsu)
  Chris Jordan (SDSC)
  Andrew Grimshaw (UVa)
  Donal Fellows (UoM)
  Abdeslem Djaoui (RL)
  Fred Brisard (CA)
  Mike Berhens (R2AD, LLC)

  Minutes: Andreas Savva

* Summary of Actions
  AI-0921a: Andreas to ask Greg to set up a tracker for change requests to the OGF template document.
  AI-0921b: Security members to discuss the BoF proposal(s) further
    - For example, one outcome could be some standards activity to mirror CAOPS activities and tie in to OGSA
  AI-0921c: Dave S (as Standards VP) to talk to the next Security AD (when one is selected) about the Security Area task list.
  AI-0921d: Dave S to collect additional material in order to identify security issues better.
    - (AI-0921e is an issue instance)
  AI-0921e: Alan S to provide material on the issues relating to path validation.
  AI-0921f: Dave S to ask Richard C to put the security topic on the agenda of the first Interoperability call and to also ask that the teleconference announcements be sent to the OGSA list
  AI-0921g: Hiro to add Alan Sill to the OGSA-WG list
  AI-0921h: Hiro to allocate a slot to review security work progress at a future call. Perhaps Oct 5.
  AI-0921i: Dave S to provide an agenda for the next security call.
    - Draft agenda items:
      - What needs to be done to achieve simple interop generally and to bootstrap more
      - Profile to get authentication information from a secure channel for authentication
      - Profile for other methods to get authentication information for authorization

* September 7 teleconference minutes approved with no changes

* Review of Action Items
  - AI-0912a: Hiro will be arranging the first call next Monday. (Close after Monday call.)
  - AI-0913a: Andreas to put issue in the EMS Scenarios tracker and close this action
  - AI-0913b: Pending.
  - AI-0913c: Andreas to put issue in the EMS Scenarios tracker and close this action
  - AI-0913d: Closed.
    - Done at GGF18.
  - AI-0913e: Andreas to put issue in the EMS Scenarios tracker and close this action
  - AI-0913f: Andreas to put issue in the EMS Scenarios tracker and close this action
  - AI-0913g: Pending.
  - AI-0914a: Pending.
    - Review all EMS Scenarios actions at the next document review. (No need to review every call.)
    - The next EMS Scenarios review call is not set yet. Andreas and Hiro will discuss it offline.
  - AI-0914b: Pending.
    - Discussion on the mission of the Security design team is part of this call.
  - AI-0914c: See AI-0914d.
  - AI-0914d: Closed.
    - Andrew has started working on new text for the Appendix. This AI belongs to the BES WG.
  - AI-0914e: Closed.
    - Andrew has initiated this activity. Richard Ciapala (MS) has taken over this activity.
  - AI-0914f: Pending
    - Proposal is Florida (Tampa or Orlando) the week before SC06.
    - Fred Brisard is inquiring about hotels in Tampa. He expects to have results (3-4 proposals) by next week.
    - Hiro will do the zoomerang after that
  - AI-0915a: Pending.
    - This was specific to experiences of people implementing BPEL and JSDL.
  - AI-0907a: Obsolete; Closed.
  - AI-0907b: Pending.
    - This has to be done before the Security profiles can go to final call.
  - AI-0907c: Pending.
  - AI-0907d: Pending on AI-0907b and AI-0907c
  - AI-0907e: Closed.
    - Already added to template.
    - AI-0921a: Andreas to ask Greg to set up a tracker for change requests to the OGF template document.
  - AI-0907f: Closed.
    - The BaseFaults issues were discussed at the last F2F.
    - The minutes of this session were uploaded after the agenda of this call. There are an additional 4 actions (2 on BF).
  - AI-0831c: Closed.
    - Put in EMS Scenarios tracker.
  - AI-0831d: Closed
    - Put in EMS Scenarios tracker.
  - AI-0831e: Pending.
  - AI-0831f: Pending.
  - AI-0831g: Closed.
    - Andreas set up EMS Scenarios tracker.
  - AI-0831h: Closed
    - Mark sent the document out before GGF18.
  - AI-0828a: Closed.
    - Initial discussion clarified that this action is about annotating EPRs
    - Frank has looked into it. The recently released WS-MetadataExchange specification shows (examples of) how this annotation can be done. The approach should be applicable here.
    - Initially this issue was specifically about adding portType information, but WS-MetadataExchange shows how any kind of information may be embedded.
    - (Dave S) There is non-normative text in the WS-Addressing Core specification (sec. 2.2, under endpoint Metadata extensibility) that refers to examples of how to include wsdlLocation information. This is sufficient and there is no need to use the WS-MetadataExchange spec.
    - There were questions about the status of the WS-MetadataExchange specification. It is not in a standards body yet. It is covered by the recent MS open licence announcement.
    - Is this issue covered by the WSRF BP? Yes.
  - AI-0817a: Pending.
    - This was not discussed at GGF18 or at the F2F.
    - There has not been much progress
    - Jay will talk with Dave Berry on how to proceed
    - Hiro will schedule this topic on a future call in 1-2 weeks' time.
  - AI-0810a: Closed
    - Subsumed by AI-0913g
  - AI-0803e: Pending
  - AI-0803f: Pending
    - EGR-WG (Ravi) will contact Geoffrey Fox and invite him to contribute use cases.
      - Pending
    - Andreas to go through the minutes and formulate a reply mail to Geoffrey on each artifact covered in these minutes.
      - Pending
    - Steve McGough & Andreas to do a mapping from the current JSDL elements / terminology into the new information model structure (proposed split into Description and Requirements) (from July 18th F2F, by GGF18 as originally discussed.)
      - Done at the F2F. Closed.

* GGF18 and F2F meeting discussion
  - Event went quite smoothly.
  - A good set of specs are coming to completion; it felt like many things are finally getting done. There are lots of implementations (of BES, etc.) including from MS. The interoperability activity was started and we are looking forward to the results.
  - There was no chance to cover some issues, like the relationship between OGSA Security work and other (OGF) security work. But this is on the agenda of this call.

** Minutes approval
  - Information Model Minutes (two) (Fred M)--approved with no changes
  - EGA Reference Model (one) (Andreas)--approved with no changes
  - EMS Scenarios (one) (Hiro)--approved with no changes
  - F2F minutes, Thursday (Michel D)--approved with no changes
  - F2F minutes, Friday
    1. (Michel D)--approved with no changes
    2. (Andreas)--approval postponed for next week because there was insufficient time to review them before the call.
  - All the material is believed to have been uploaded. Let the chairs/secretary know if anything is missing.

* Security Profile review postponed

* OGSA security
  Led by Dave Snelling.

  OGSA security work has produced two security profiles (Core and Secure Channel). Both are close to publication. One question is what the next work items of the design team should be.

  The HPC Profile interoperability work is probably facing an immediate problem since there is no profiled way to pass the required identity credentials for job submission. There is a gap in authentication---the OGSA security profiles only go as far as defining a secure channel. Therefore a short-term work proposal is to identify the next minimal use cases and to produce profiles to address them. The result could be a profile on how to do authentication. (There is no OGSA-AuthN group.)

  From a broader perspective there are a number of security groups (FI-RG, OGSA-AuthZ-WG, TC-RG) and a lot of good work has been done already. But it is not clear what the connections are.

  Alan Sill said that the CAOPS-WG has also been very active. CAOPS has been somewhat incorrectly categorized as operations; it does in fact also do design work and should have a connection to OGSA. (There are some worries that the practice of academic users may be getting decoupled from broader OGSA work.) The group was spawned by the Grid PMAs--which also formed IGTF. IGTF's purpose is authentication in a federated infrastructure. The CAOPS-WG was created to cover specific needs of educational organizations--bridging between organizations. It is not clear how this work links to the commercial world. (Commercial CAs are in the business of issuing server certs; EDUs for identity.) A main driver has been the federal government---driving use by requiring (path validation) by legislative means.
  - Peter Alterman @NIH Federal Bridge: runs commercial solution

  Is a lot of the work still around plain x.509 certificates? No, VOMS uses extended attribute certificates.
  - A higher level view is that x.509 certificates with SAML assertions seem to satisfy most requirements
  - It is not clear how industry views attribute extensions

  One issue is to identify what is needed for web (grid) services. A lot of existing (or pursued) approaches (CAS, Kerberos, etc.) in other bodies are done without reference to specific Web services requirements.

  A number of different approaches for authentication were mentioned:
  - vanilla x.509
  - x.509 extensions
  - EPI based identity (UVA)
  - 'pure' SAML (identity is just another assertion)

  What is the current OGSA level?
  - Use of x509 certificates to establish a secure channel between client/server. There is mutual authentication between client and server.

  If a single CA is used for tests is it enough? And could it be extended later to support bridging?
  - The weak point is attribute extension and path validation; otherwise it works for the small case.
  - For the (small) base case it is sufficient to have copies of the base root certificates and be able to check the whole chain (including checking all additions; so it is simpler not to allow additions). This setup is enough for basic interop, but it is really functionality that has been available for the past 10 years.
  - Bridging is actually a lot more complicated.

  Another possibility for future work is to define a standardized path validation i/f that hides the operations behind it, which are quite complex.
  - But this may be longer term work. It goes beyond current interoperability work.
  - Alan mentioned a number of people that might be worth including in such a discussion.
  - Frank proposed doing a BoF for such a path validation i/f and also proposed Alan Sill as a good person to lead it.

  For the Interoperability workshop one could arrange for an IGTF accredited CA; install it on both sides. (It has the advantage of also plugging into the federal infrastructure.)
  - It is not clear if such a setup would be acceptable to all participants.
  - It is not clear whether the use of the OGSA security profiles is going to be acceptable either.
  - Interoperability calls are being planned and this issue should be taken up there.
  - Richard Ciapala (richci 'at' microsoft.com) is organizing the interoperability work/calls.

  AI-0921b: Security members to discuss the BoF proposal(s) further
    - For example, one outcome could be some standards activity to mirror CAOPS activities and tie in to OGSA
  AI-0921c: Dave S (as Standards VP) to talk to the next Security AD (when one is selected) about the Security Area task list.
  AI-0921d: Dave S to collect additional material in order to identify security issues better.
    - (AI-0921e is an issue instance)
  AI-0921e: Alan S to provide material on the issues relating to path validation.
  AI-0921f: Dave S to ask Richard C to put the security topic on the agenda of the first Interoperability call and to also ask that the teleconference announcements be sent to the OGSA list
  AI-0921g: Hiro to add Alan Sill to the OGSA-WG list
  AI-0921h: Hiro to allocate a slot to review security work progress at a future call. Perhaps Oct 5.
  AI-0921i: Dave S to provide an agenda for the next security call.
    - Draft agenda items:
      - What needs to be done to achieve simple interop generally and to bootstrap more
      - Profile to get authentication information from a secure channel for authentication
      - Profile for other methods to get authentication information for authorization
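The "copies of the base root certificates, check the whole chain, allow no additions" base case discussed under OGSA security above, as an added example in Go. This is not code from the minutes, from OGSA/OGF, or from any of the participants; it uses only Go's standard crypto/x509 package. It builds a throwaway root CA, an intermediate, and server and client end-entity certificates in memory (all subject names are constructed placeholders), then verifies each leaf against a trust pool that holds exactly one root. A leaf issued by an unrelated root is rejected even when that root is presented alongside it, because the trusted set is fixed in advance rather than extended by whatever the peer sends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent. When parent is nil the
// certificate is self-signed, i.e. it acts as a root CA. Everything is
// generated in memory for this example; no real or IGTF-accredited CA is used.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// End-entity certs are usable on either side of a mutually authenticated channel.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyAgainstRoots checks the complete chain from leaf up to one of the
// trusted roots, using only the supplied intermediates to bridge the gap.
// The trusted set is fixed by the caller; nothing the peer presents can
// extend it, which is the "no additions" setup from the minutes.
func VerifyAgainstRoots(leaf *x509.Certificate, intermediates, trustedRoots []*x509.Certificate, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{usage},
	})
	return err
}

// RunDemo builds one trusted hierarchy (root -> intermediate -> server and client
// leaves) and one unrelated hierarchy, then reports whether the trusted leaves
// verify and whether the foreign leaf is rejected.
func RunDemo() (trustedOK bool, foreignRejected bool, err error) {
	root, rootKey, err := issue("Test Root CA (constructed)", true, nil, nil)
	if err != nil {
		return false, false, err
	}
	inter, interKey, err := issue("Test Intermediate CA (constructed)", true, root, rootKey)
	if err != nil {
		return false, false, err
	}
	server, _, err := issue("server.example.test", false, inter, interKey)
	if err != nil {
		return false, false, err
	}
	client, _, err := issue("client.example.test", false, inter, interKey)
	if err != nil {
		return false, false, err
	}
	foreignRoot, foreignKey, err := issue("Foreign Root CA (constructed)", true, nil, nil)
	if err != nil {
		return false, false, err
	}
	foreignLeaf, _, err := issue("impostor.example.test", false, foreignRoot, foreignKey)
	if err != nil {
		return false, false, err
	}

	trusted := []*x509.Certificate{root} // the single copied root certificate
	serverErr := VerifyAgainstRoots(server, []*x509.Certificate{inter}, trusted, x509.ExtKeyUsageServerAuth)
	clientErr := VerifyAgainstRoots(client, []*x509.Certificate{inter}, trusted, x509.ExtKeyUsageClientAuth)
	// The foreign leaf even ships its own root as an "addition"; it still cannot anchor to the trusted set.
	foreignErr := VerifyAgainstRoots(foreignLeaf, []*x509.Certificate{foreignRoot}, trusted, x509.ExtKeyUsageServerAuth)
	return serverErr == nil && clientErr == nil, foreignErr != nil, nil
}

func main() {
	ok, rej, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted chain verifies: %v, foreign chain rejected: %v\n", ok, rej)
}
```

The point of keeping the root pool separate from the intermediate pool is that a peer can legitimately hand over intermediates it needs to complete its chain, but it can never promote one of them to a trust anchor. Bridging between federations, as the minutes note, is where this simple model stops being sufficient: cross-certificates, name constraints and policy mappings all have to be evaluated during path validation, and that is the complexity the proposed path validation interface would hide.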