OGSA Teleconference - 9 April 2007 - Security ============================================= * Participants Andrew Grimshaw (UVA) Chris Kantarjiev (Oracle) Nate Klingenstein (Internet2) Fred Maciel (Hitachi) Duane Merrill (UVA) Mark Morgan (UVA) Andreas Savva (Fujitsu) Alan Sill (TTU) ZackK Minutes: Alan Sill (minor changes: Andreas Savva) * Summary of New Actions AI-0409a: Duane will produce a next version of the use case documents; prioritizing the use cases, including pointing out which ones cannot be addressed with the state of the art AI-0409b: Liberty spec statements on EPRs (compatibility or intent vs OGSA BSP) should be checked; are these true and is there some difference in interpretation that is unresolvable? - Duane will do an initial review to be discussed on the April 23 teleconference AI-0409c: Strawman version of Express Profile (currently called "Recommendations for OGSA SOAP Usage") should be complete by OGF-20 (Andrew). - Document should be put into GridForge (Duane, Mark). * Previous Action Item review ** AI-0315a: Andrew et al to develop Express Authentication Profile, HPC Profile (Andrew to talk to them), Frank (review), Michel Drescher (Unicore), (Steve McGough) GridSam, Marty Humphrey and Frank Siebenlist have agreed to look at the respective profiles as above. Michel Drescher has agreed to contact people in the UK and Unicore folks. This action item is still open and other use cases are still recruited. ** AI-0315b: Andrew to contact GIN (Erwin Laurie) about existing (delegation free) use cases. In progress. The intent of the use case document to be discussed on this call is to then solicit further feedback from Erwin, etc. * Use case review. UVA team will post a use case document. Andrew reviewed results of F2F meeting in California, which were that the profile development was considered to be a good idea, but that use cases should come first; therefore a set of use cases as partially discussed above are being recruited. The UVA use case summary document was presented. This document attempts to cover the characteristics of scenarios that have emerged from different considerations. The focus here is on scenarios that may be critical, with an attempt to abstract general characteristics that may be considered fundamental. In addition, rather than being a laundry list of technologies related to authentication, authorization and security, there is a desire to focus on summarizing methods that have particular relevance to application in grid architectures. Nate asked whether these are use cases for development or for documenting patterns of use in the community. Andrew responded that the latter was the goal, and in particular they have attempted to abstract the general characteristics of these use cases. He gave the example of staging a job via a BES container, desiring to transmit credentials for this purpose. Talking to a broker on behalf of the user may be a particular use case; it may be the case that multiple credentials will be required, and this flow should be documented to understand the characteristics of the use case. Alan commented that the existence of control points in the authentication and authorization flow is important to many virtual organizations, or more generally to the case in which the use of grids crosses organizational boundaries. Advertising of identity in EPRs and the communication patterns associated with them is another example of the generalizations sought in this document, according to Duane. These scenarios would suggest mechanisms for the use of identity, but are not intended to specify them at this stage. Nate and Alan discussed IdP's in Shibboleth, VOMS, etc. The example in which Shibboleth signed assertions using SAML can be used to communicate identity verification for association of an individual with a university was discussed, along with that of X.509-based extended attribute certificates as used now by virtual organization VOMS servers. Andrew mentioned the need for a service to be able to advertise the options that it supports. Alan wanted this to be extended to be able to allow the service to verify the identity of any attribute providers along the chain. Nate mentioned the Liberty Alliance EPR approach, which appears to be incompatible with the OGSA-WG approach up to now. Duane and Andrew have looked at this, and conclude that the EPR usage appears to be for different purposes between the two examples; it is not clear that the Liberty one is WS-Naming compliant, for example. Andrew summarized the above by saying that the listed abstractions should be prioritized and sorted according to importance and practicality (the delegation and multiple-provider problems may not be solvable immediately, for example, using existing specs, so the document should take this into account). The comments about applicability to and particular needs of grid usage should be sharpened, taking into account the comments above, and then the document should be compared back against the original use cases from which they were derived. Nate commented that there is essentially no installed user base for Liberty at present, so this may not be an issue. Andrew and Nate will communicate about this. Nate asked whether a strawman version of the Express Profile will be available at OGF-20. Andrew replied that this is a goal, and the topic will be taken up then. AI-0409a: Duane will produce a next version of the use case documents; prioritizing the use cases, including pointing out which ones cannot be addressed with the state of the art AI-0409b: Liberty spec statements on EPRs (compatibility or intent vs OGSA BSP) should be checked; are these true and is there some difference in interpretation that is unresolvable? - Duane will do an initial review to be discussed on the April 23 teleconference AI-0409c: Strawman version of Express Profile (currently called "Recommendations for OGSA SOAP Usage") should be complete by OGF-20 (Andrew). - Document should be put into GridForge (Duane, Mark).