OGSI Security Working Group
Led by Marty Humphrey

New GGF IP rules were read.

Agenda:
    Two new documents:
        GSSAPI profile (new from Siebenlist)
        Use of SAML (new from Welch)
    Mini-BOF from Krishna Sankar, Security Policy Expression & Exchange
    What's Next

Q: What is the status of the older (Architecture/Roadmap) documents?
A: Will discuss in "What's next".

Siebenlist: GSSAPI profile for WS-SecureConversation & WS-Trust

This document is being withdrawn temporarily because the underlying WS standards are in flux, and we want to participate in that process in OASIS (or equivalent). Raj (co-author of these documents) mentioned they were not yet formally submitted.

Welch: Use of SAML for OGSA Authorization

Strawman for a "pluggable Authorization Service" for OGSA. (See slides.)

Questions raised by presentation:
    Relationship between XACML and SAML (Chadwick reports SAML v2 effort to address this).
    PortType: in this document or elsewhere?
    Does OGSI WG want to address this?

"Process" questions then emerged. Where does this document work get done? Is this the right group? Is there a need for both an XACML and this SAML profile, and does the charter fit here? There is also some overlap likely between this group (or subgroups) and the Authorization (AUTHZ) WG. WG creation is perceived as hard and expensive.

Q: Why wouldn't this work go to the AUTHZ WG?
A: (From Marcus) The AuthZ WG is about frameworks and mechanisms, it's not a substitute for this work. The AuthZ WG is gathering requirements and these documents from OGSA are needed for that work but we could not do them.

Comment: Original documents (referring to the Architecture and Roadmap documents) staying as ongoing projects is wrong; need to be able to reference in community. This is the main & only goal of this group (or is it). If there is critical mass, then spawn a new WG for it.

Raj: Suggesting a Snapshot (v1.0) of the two parent documents.

Krishna Sankar (Cisco): Security Policy Expression, Exchange & Processing WG mini-BOF (See slides.)

Argument: We don’t have a policy document congruent to OGSI. Should we start working on a “framework”?

Then discussed:
    Security Model
    Core services
    Security Policies for these services

Raj: How do we distinguish this proposal from the work of this Working Group?

Frank Siebenlist: How can we build such complex systems with so many different types of policy rules and mechanisms? Need a document that describes the process of evaluation: finding trust anchors, evaluating the relationships, the authorizations, &c.

Discussion proceeded over scope of work, appropriateness to the group, and future direction.

Action Item: People interested in this work will contact Krishna and discuss further. Development of group or projects deferred to fruits of this discussion and the mailing list.

What's Next

Marty Humphrey presented a slide showing 10 things that have changed since the last OGSA Sec meeting in Chicago.

What should this group do in the near future? Are OGSA WGs looking to us for security? This question was discussed but no method for resolving the shared responsibility for OGSA security issues was found.

The group then discussed process and future directions, and two tracks emerged: interoperability and pluggability. Do people have time to commit to both policy and implementation work? This discussion was taken to the list -- new working groups and/or charter changes in this group will probably result.

The Architecture / Roadmap documents: It was agreed these documents are valuable as-is, although there are reference problems and standards correlation problems in them.

Action Item: The authors will edit the documents one more time and go for last call on a snapshot version at GGF 8.

Is there such a document? If not, need one to do this.