OGSA Teleconference - 18 June 2007 - Security
=============================================

Attendees:

Mark Morgan (UVa)
Duane Merrill (UVa)
Blair Dillaway (Microsoft)
Steven Newhouse (Microsoft)
David Chadwick (Kent U)
Chris Kantarjiev (Oracle)
Hiro Kishimoto (Fujitsu)
ZackK

Minutes: Duane Merrill

Agenda Items:

- Present the transition of these documents to target the
  WS-SecurityPolicy grammar (Duane Merrill)
- Address any relevant trackers (Duane Merrill)

Duane gave an overview of the transition from a Liberty-like security
policy assertion mechanism for EPRs to a WS-SecurityPolicy based
scheme.  Ran through an example contained in all three profile
documents that addresses components from each (Addressing, Transport,
SOAP messaging).

Discussion on whether or not to consolidate profile documents into one
document.  Pros: less "pointer chasing" to read.  Cons: what to do
about partial compliance, how to effect partial derivation for
as-yet-to-be-created subprofiles, monolithic document paradigm
inviting more policy-related complexity (such as AuthZ requirements).
General consensus is to keep orthogonal ERP security profiling
separate, lightweight.

Discussion (spurred by comments from Frank, David, I believe) about
adding/profiling mechanism for expressing AuthZ policy requirements
(beyond simple credential/token-type statements), such as "You must be
able to present a SAML token asserting your membership in group XYZ".
While useful, consensus was that this type of profiling for EPR authZ
policy should go into a separate profile for which separate
conformance claims can be made.

Because the documents were published earlier that afternoon, Duane
recommended to the group that everyone review them and followup with
discussion on the OGSAWG mailing list.