Express Authentication Profile, OGSA F2F Minutes, 14 August 2007 Attendees --------- Duane Merrill Alan Sills Mark Morgan (minutes) David Snelling Ellen Stokes Michel Drescher Vesselin Novov Donal Fellows Steve McGough Andreas Savva Hiro Kishimoto Chris Kantarjiev Stephen Newhouse * Duane Presenting Slides - Why include wsa:Metadata section in digital signature -- Some things like WS-Naming put important pieces of information into the metadata section - How do you allow for endpoint migration if host certificate verification is required? -- You will probably want to use message level verification. - There is a distinction between host certificate and server certificate. -- Probably need to reword the slide "Secure Transport" to say this better. - Should we say something about trust provisioning? -- The document already says something about that. - Need to put an issue into the trackers to see if the use case of connecting to mobile containers (Dave Snelling) is satisfied by document. - Concern about size of certificates in EPRs and efficiency -- Don't think that it's a major problem -- Only relevant in results (one-offs), not in subsequent message headers. - For Mutually-Authenticated X.509 Policy, the two parts are signed collectively - Alan Sills is a little concerned about trust provisioning. * Next Steps in Document Process - Would like to move to a public comment phase. * How many WS-Policy engines are there and who is willing to implement? - Not aware of too many engines at the moment. - Users are always welcome to go off and implement EXACTLY the policy that they want to and therefor not have to implement a generic policy engine. - This profile is an OGSA Profile and OGSA profiles require interoperable implementations. - Do we bother with existing profiles or refocus on the new ones? * How many security topics do you have to understand to understand the documents that we are talking about. - There are 4 policies for transport, and 2 for message level. * Is this an OGSA profile - Yes - Hiro prefers that it is * Stephen is suggesting that we need to make a very clear case for the belief that there is a gap in this realm of security and that there is a clear need for *us* as an organization to address this gap. * Hiro suggests that secure-addressing is Basic Security Profile, the others are just security profiles. * secure addressing has extensions for digital signature in EPR, is this similar to what Takuya is doing - Takuya's profile does not provide for signing. - Just for putting in key/data, not signatures. * Some individuals think that we should be explicit about how we reference existing standards very heavily. * Demonstrating power of WS-Security without requiring that implementors implement ALL of WS-Security. * Important to advertise that we are a profile, not a spec. i.e., we are defining a new way of using existing specifications. * Conformance claim URI should be www.ogf..., not schemas.ogf.... * In secure addressing, 280, where you define the WSP:appliesTo URI, it isn't clear whether it is soapaction, or wsa:action. Duane to change to be explicitly wsa:action. * We believe that all the referenced specifications are stable (but maybe not policy attachment). Not sure about WS-Policy either. * We should make sure that all the conformance targets are used in the conformance claims. If they aren't used in conformance claims (i.e., if they are used just in the text), then we don't have to indicate them as a conformance claim. * How many eyes have raid these documents carefully. - Not enough. - We need to do a tight editorial pass over the document - Andreas volunteers. * Who should we pass this document to? * Stephen Newhouse to mail Erwin Lauren to take a look * David Snelling to take care of Unicore and GRIA