OGSA Teleconference - Security - 26 February 2007
=================================================

* Participants

  Andrew Grimshaw (UVA)
  Chris Kantarjiev (Oracle)
  Hiro Kishimoto (Fujitsu)
  Nate Klingenstein (Internet2)
  Fred Maciel (Hitachi)
  Mark Morgan  (UVA)
  Andreas Savva (Fujitsu)
  Alan Sill (TTU)
  Dave Snelling (Fujitsu)

  Minutes: Andreas Savva

* Approved OGF19 security session minutes with no changes
* Approved Feb.15 security teleconference minutes with no changes

* Alan asked if is there agreement with David Groep's mail on how to
  move forward for the proposed AuthN-WG
  - Some people had not seen this email; it was forwarded to the list
  - [The discussion did not return to this point.]
  
* Andrew showed another email [not forwarded to the list] and
  discussed the references mentioned. The proposal is for a short-term
  authentication profile based on existing work that does not conflict
  with longer term AuthN-WG work; it would (eventually) inform the
  AuthN-WG.

* There was a general discussion on the merits of different
  specifications; the current usage (e.g., usage of SAML seems to be
  confined to authorization and not much for authentication);
  etc. There is substantial practice but standardization is lagging
  behind.
  - It indicates the need for a community practice document, as
    mentioned in the proposed AuthN-WG charter.

* Is there room in the proposed AuthN-WG charter for a short profile
  that can be completed before the community practice document?
  - Such a profile should be ready in a timeframe shorter than what a
    typical WG would need; perhaps shorter than 6 months.
  - It should address environments that do not support tls-only
    authentication, so
     - x.509 certificates (possibly decorated); but
     - not proxy certificates because they introduce the problem of
       delegation, which is too much to take on at this point
  - Tentatively agreed that such a profile would be acceptable if the
    main focus was on documenting current practice. There was
    disagreement on which WG should take on this short term work.

* Discussed the role of AuthN in OGSA. One part is what technologies
  to recommend (WS-Security); the other part is the division of work
  between OGSA-WG and AuthN-WG. Agreed that

** OGSA-WG security team will do a short-term authentication profile
  - GSI formalization (minus proxy certificates to avoid the
    delegation problem)
  - vanila x.509 certificates
  - kerberos

** OGSA-WG security team will work on a formal statement on the role
   of WS-Security and how it relates to OGSA work

** OGSA-AuthN-WG will work to clarify charter and deliverables
   - Dave Snelling volunteered to help draft the AuthN charter

* A security session will be arranged at the March OGSA F2F; Thursday
  afternoon