Telecon 2003-02-12, 11am - 11:50am EST

Participants
Notetaker: Jim

Summary from last week: We'd like to have an outline by the end of this week for GGF discussion. We've had good discussion lately on the group mailing list. Krishna gave some thoughts on the AuthZ framework. Mary gave an overview of XML AuthZ standards. Leon also contributed comments about AuthZ frameworks.

Documents:
1. Authorization Glossary
2. Grid Authorization Requirements
3. Grid Authorization Framework

Markus gave a review of working group milestones. We need to determine who is contributing to what sections of the documents.

Krishna proposes that we start with the framework (concepts, components, classes) and then work on how existing standards & systems apply to the framework. Leon agrees. Leon will start writing something based on RFC2904.

Markus: We want to assist developers in determining what mechanisms to use. Should we start on the glossary document or the framework document?

Mary: We need to define our focus on authorization. Other parts of security are out of scope.

Leon agrees: By identifying/defining the components, we can focus on authorization.

Krishna: We must point out relationships with other security parts. Are we focused on PDP/PEP or AAA server solutions? We need to define these terms. Do they imply pull or push models? Do we re-use terms defined by other groups or make up our own terms?

Leon: The high-level framework should not use terms that imply a specific solution.

Framework entities: User, decision-making entity, service-granting entity

Use RFC2904 terms? Markus thinks the ISO terms are more general than the RFC2904 terms.

Markus: We have a general outline:
Krishna will send the outline with more details to the mailing list.

Process: Start working on the document and see how it falls out.

Mary: Is channel security within the scope of the Authorization topic?

Krishna: We need to talk about a trust model. Trust is a prerequisite for exchanging authorization. We want APIs independent of a specific trust model.

Mary: The trust model becomes embedded in the authorization model. What authorization tokens do you pass around?

Rich: Determining validity of the authorization token is outside the realm of authorization. It's authentication.

Mary: Authorization token is signed by authorization authority. That's where trust comes in.

Rich: Leverage existing, local authentication mechanisms. Determining if info is trusted is dependent on authentication.

Mary: If passing authz assertions around, there is no local information. Need to trust the assertion.

Markus: X.509 certificates for authentication vs. SAML for authorization may be so different that verifying authorization tokens may require different mechanisms.

Rich: Assertion says A says X. Verifying the assertion is from A is an authentication issue. Authorization service determines if A can make that statement, i.e., verifies the statement, based on policy.

Markus: Need to talk about survey of authorization requirements. Is there interest in moving it forward now? Yes, we need requirements before we can decide on the detailed contents of the framework doc. Volunteer to create an outline for requirements document? NONE

Krishna: Need to watch relation to OGSA Security WG.

Markus: After current documents are done, a future WG may take up this task. We want to make sure we don't have 2 AuthZ WGs with overlapping charters. The framework can be input into an OGSA AuthZ WG. The scope of this WG is broader than OGSA but focused on AuthZ.

Meeting adjourned. We'll meet again next week at the same time, and then meet again the week after that.
Need to make progress over email between calls.
Last modified 2/12/03 4:59 PM by mlorch