Telecon 2003-02-19, 11am - 11:40am EST


Notes by Jim Basney and Jay Alameda

Attending:
  1. Leon Gommans
  2. Lavanya Ramakrishnan
  3. Dane Skow
  4. Jay Alameda
  5. Jim Basney
  6. Mary Thompson
  7. Cees de Laat
  8. Andrew McNab
  9. Markus Lorch

Agenda:
1. Discuss terminology
2. Discuss scenarios / models

      • Terminology Discussion

Leon proposed terms in his draft document.
Drawback: Yet another set of new terms.
Mary: Can we use regular words instead of defining specialized
terminology up front?
Leon: Let's agree on concepts first and then find the right terms.
Entities are AuthZ requester, service provider, and authorization authority.
Handler manipulates authorization.
Can combine AuthZ function & service function or separate them.
Cees: We're discussing the terms of reference document. We should
keep the terms in agreement with IETF as much as possible.
Leon: Is AAA server IETF specific?
Markus: Reusing terms is a good thing.
Andrew: User Home Organization is a problematic term. Leon's terms were good.
Leon: Specific terms come in when we focus on implementation.
Markus: Do we need new terms for the high-level abstraction? Makes
the document hard to read.
Mary: Use "requester" instead of ASH, for example. Avoid acronyms.
Cees: Can someone provide a list of IETF terms for discussion?
Dane already seeded glossary with IETF (RFC 2904) terms.
Cees: Also look at CIM model.
Mary: Also PKIX. Is AA = Attribute Authority or Authorization Authority?
Leon: Need to keep distinction between concepts and implementation.
Mary: Replace "handler" with service, provider, client, etc.
Have stakeholder and authorization server/service.
Leon: There are both single organization/domain cases and roaming
cases that we need to allow.
Mary: Is single domain case a Grid case?
Dane: Some commercial entities will want to use Grid tools in a single domain.
Mary: It's the AS vs. ASH separation that doesn't make sense. Separating
AuthZ authority from AuthZ enforcement point makes sense.
User has a security context. Could use that term. Or environment.
Cees: Policy working group has produced RFC 3918. (See mailing list post.)
Leon: Let's continue working on terms on the mailing list.
Markus: Not sure Attribute Authority and Authorization Handler conflict.
Attribute certificate is an implementation-specific detail.
Leon: AA as a term should go to avoid confusion between Attribute
Authority and AuthZ Authority.
Mary: That seems confusing.
Dane: Authorizations are a subset of attributes. Markus is correct.
Mary: Difference between authorization assertion and attributes.
Attributes are associated with a person. Authorization is
associated with a resource.
Cees: Authorization may be a user that says you may impersonate me.
There can be different mechanisms to enable authorization.
Attribute certificates are only one mechanism. We need to be
careful.
Mary: Need a term for assertion that gives a user a right to a
resource. Capability is not exactly right for this.
Markus: Let's continue on the mailing list.

      • Scenarios / Models Discussion

Leon has proposed push, pull, and agent models. They can also be mixed.
Let's start out with them and see if they don't fit in the future.
SAML document also tries to classify approaches (pull and push models).
One scenario: Go to service which tells you what AuthZs you need.
Is this part of service advertisement or part of AuthZ sequence?
Granularity makes the difference here.
Could turn these into a series of diagrams with the three components.
Retrieval of AuthZ credentials may be a multi-step negotiation process.
It's not always a question of simple service advertisement.

      • Other Discussion

Cees: AAA Research group terminology document also forwarded to the list.

Markus: What are the next steps?
Discuss terminology on the mailing list.
Meet again next Wednesday.


Last modified 2/19/03 1:40 PM by mlorch