Minutes of OGSA Security discussion 2007-04-23
==============================================

Attendees:
  Andrew Grimshaw (UVA)
  Andreas Savva (Fujitsu)
  Hiro Kishimoto (Fujitsu)
  Alan Sill (TTU)
  Mark Morgan (UVA)
  Duane Merrill (UVA)
  Fred Maciel (Hitachi)
  ZKert

  Minutes: Alan Sill
   (Minor formatting changes: Andreas Savva)

* Agenda bashing:

  OGSA primer was discussed.  This is on the agenda for the second
  half in the Logistics session, so we will leave it there for now.

Agenda stays as follows:

> 1) Early discussion (10 min)
>          Social study notification
>          - https://forge.gridforum.org/sf/go/wiki1717
>          Note taker assignment
>          Roll call
>          Agenda bashing
> 
> 2) OGSA Security (50 min, Andrew Grimshaw and Alan Sill)
> 
> ** Minutes approval:
>    - Feb. 26: https://forge.gridforum.org/sf/go/doc14256
>    - Mar. 8: https://forge.gridforum.org/sf/go/doc14291
>    - Mar F2F: https://forge.gridforum.org/sf/go/doc14328
>    - Apr. 9: https://forge.gridforum.org/sf/go/doc14395
> 

Approved with no changes


> ** Action Item Review
>      http://forge.ogf.org/short/ogsa-wg/actionitems
> 
>          *  AI-0315a: Andrew et al to develop Express Authentication
>                       Profile, HPC Profile (Andrew to talk to them),
>                       Frank (review), Michel Drescher (Unicore),
>                       (Steve McGough) GridSam,
> 

Defer to OGF 20.

>          * AI-0315b: Andrew to contact GIN (Erwin Laurie) about
>                      existing (delegation free) use cases.
> 

E-mail sent to Erwin regarding information we want from GIN.  No
response received yet, but only a couple of days have elapsed.

>          * AI-0409a: Duane will produce a next version of the use
>                      case documents; prioritizing the use cases,
>                      including pointing out which ones cannot be
>                      addressed with the state of the art

Not done yet.

>          * AI-0409b: Liberty spec statements on EPRs (compatibility
>                      or intent vs OGSA BSP) should be checked; are
>                      these true and is there some difference in
>                      interpretation that is unresolvable? - Duane will
>                      do an initial review to be discussed on the April
>                      23 teleconference

No incompatibilities found yet, but it is not clear that these
directly relate.

>          * AI-0409c: Strawman version of Express Profile (currently
>                      called "Recommendations for OGSA SOAP Usage")
>                      should be complete by OGF-20 (Andrew). - Document
>                      should be put into GridForge (Duane, Mark).
> 

Intent is to have it ready by OGF-20 Manchester.  Timing is bad as
this is the end of the semester in most US universities but it should
be ready in Gridforge.  Rename to get "Profile" into title?  For now,
work with "OGSA SOAP Usage Lightweight Profile" or "OGSA SOAP Usage
Basic Profile?" Decision: Wait for content to be complete in order to
make this decision.  Make sure the titles are consistent with other
OGSA usage.

Discussion:

Comments received on Use Cases document and Strawman (whatever we call
it) have been useful so far.  Still some uncertainty about how to
handle delegation.  Example of staging in and out via BES container
was given.  In JSDL current version, you can have file staging
operations to copy files in and out.  BES containers essentially
execute JSDL. With TLS, can interact directly with BES container, but
not clear how to provide credentials to allow container to interact
with external file systems on behalf of the user.  What about brokers?

Alan asked about relation of this to present GSI delegation methods.
Andrew replied that there are several ways of doing this more
generally, and it might be good to put out examples of the various
ways for discussion.  An important point is to allow client to
determine the requirements of the container or service so that it can
decide whether or not it can use the container or service.  For
example, a container may support only X.509 or alternatively might
have other access methods.  Some might support delegation, and others
may not.  Being able to allow the client to discover these
capabilities is essential and should be in the EPR, or possibly in an
out-of-band service that can be queried (e.g. parsing a WSDL, although
this is generally static and non-specific to the resource, so less
than ideal).  Performance impact can also be assessed at some future
date (e.g. by OGSA-AuthN).

Andrew hopes to finish both of the above documents in a further stage
of evolution by OGF-20.

Alan asked whether the steps needed to get OGSA-AuthN going could be
completed and clarified?  Main step is to obtain a co-chair for this
important work.  The "seven questions" for the group are in good shape
from the BOF effort, and further clarified by the above work, so we
need to proceed with this as soon as possible.  Alan asked for a
co-chair to be recruited if possible at OGF-20 so that the work laid
out for this group by the BOF,a nd subsequent discussion as above, can
begin.