OGSA-SEC WG meeting at GGF6
10 October 2002

Chairs: Marty Humphrey, Raj Nagaratnam
These notes: Brian Carpenter

Agenda:
- Charter & methodology
- Status on Web Services Security
- Discuss the existing drafts
- Next steps

Marty: Pre-GGF5, 2 documents were submitted too late to form a WG; hence a miniBOF was held at GGF5, with consensus to form this WG. At that time the two drafts were briefly presented.

Charter: address security requirements in the OGSA context, leverage Web Services Security.

Outcomes:
- Primary: two docs, architecture & roadmap
- Secondary: new WGs to address gaps
- Work with OASIS and other orgs as appropriate.

Methodology:
- establish requirements
- do existing docs satisfy them?
- what components are needed?
- any specs not listed?
- what's being done outside GGF?
- which boxes need to be filled in?

Raj: What's going on elsewhere (partial list):
- WS-Security: OASIS TC formed; aggressive timeline
  - SAML, XrML, Kerberos, X.509 profiles
- Policy expressions
  - WS-Quality of Protection (discussion in OASIS)
  - WS-Policy - no spec yet.
- Federation work
  - Liberty, Passport
  - WS-Federation - no spec yet
- Trust, Secure Conversation (no specs yet)

OGSA-SEC WG's position on ongoing work: Existing documents reflect requirements & component architecture. There are unique problems in the Grid space that need to be identified, to define extensions or modifications to existing work.

Q: do we place requirements on other bodies? if so how?
A: OGSA-SEC is not chartered to define standards. If they are needed, this will be done by triggering GGF standards work or laying requirements elsewhere.

Raj reviews the components and building blocks diagrams from the roadmap draft.

Q: Have you done a threat analysis? What is different?
A: Probably has to be done block by block.
Brian Carpenter: Threat model is probably standard but solutions have to take account of VO scenarios.
The roadmap lists proposed specs that have to be identified or developed in various areas: naming, domain translations, authentication, pluggable session security, pluggable authorization service, policy, delegation, firewall-friendliness, policy exchange, audit & logging.

Goal is two documents to reflect requirements, architecture & roadmap.

Plan is to use bugzilla for change management, but discussion remains on the mailing list. Bugzilla instructions will be sent to the mailing list.

Target date for agreed roadmap is GGF8.

Steps:
- identify topics of immediate interest
- relate topics to identified specs in the roadmap
- need proposals & chairs for proposed specific WGs
- proposals are invited by the chairs

Discussion: how to get started? Chairs are looking for a bottom-up approach. Proposals for WGs should go to the Security ADs (Marty Humphrey & Steve Tuecke). OGSA-SEC is consulted, but the process passes formally through the ADs.

Raj invites discussions of possible proposals.

Brian Carpenter mentions a probable requirement for a generic abstraction for inter-domain security assertions between multiple independent physical organizations within a VO.
Q: why not just SAML?
A: Olle Mulmo has suggested at least one requirement (N:M mappings) that SAML doesn't currently support.

Other issues:
- Can we use X.509 certificates exclusively for identities and authzn services?
- Why wouldn't OGSA-SEC rely on the generic GGF Authzn WG? Same for identity?