GridNet2 Report
Mike Jones, The University of Manchester

This report covers the GridNet2 activities for Mike Jones, GridNet2 ID 126, for the OGF 21.

Report of activities at OGF 21 – Seattle

The main purpose of my attendance at this OGF was to participate in the LoA RG, and in security sessions in general.

Parallel sessions attended:
● Web 2.0 – Grids sessions
● OGSA-Authz (OGSA-AUTHZ-WG)
● Security Area Meeting
● Standard API for Data Grids (GFS-WG)
● Storage Resource Managers – practical experiences (GSM-WG)
● Grids and Server Virtualization
● CAOPS Session (CAOPS-WG)
● caGrid 1.0 Update on caGrid Infrastructure Project
● SAGA – Software Solution Session
● IGTF Session (CAOPS-WG)
● JSDL Working Session (JSDL-WG)
● Firewall Issues Research Group Meeting (FI-RG)
● LoA Session (LoA-RG)

Due to session scheduling issues I was unable to attend the GIN sessions and the majority of the GridNet2 eScience sessions.

OGSA-AUTHZ-WG: RS and I were designated note takers; notes are available here: http://forge.ogf.org/sf/go/doc14890. In summary, the two existing specifications were reviewed: the XACML Profile, which now has a good level of uptake by middleware vendors, and the WS-Trust Profile. Two new specifications were proposed: the SAML Attribute Retrieval Profile, to cover queries to VOs' AAs for membership information retrieval, and the SAML VO Attribute Profile, to cover the VO, Group and Role attributes. It was noted that the security documents were generally one step ahead of implementations, which was seen to be a good thing. However, this causes a void in user-community feedback, blamed in part on the lack of research funding in this area. It was also observed that in general the security documents were now becoming too complex for general reading (this should be OK if every Application, Vendor and Virtual Organisation has its own security experts; this might in general not be the case).

Security Area Meeting: Mike Jones (MS namesake) gave an interesting presentation on MS CardSpace. It seems to have a nice GUI layer with back-end plugins into most authN/Z systems; there was a promise of open standards, and quite a few similarities with other projects in the same space, e.g. Shibboleth and Autograph.

GSM-WG: This session was again a presentation-oriented session rather than a dialogue with the community. That said, there appear to be 5 interoperating SRM implementations: BeStMan, CASTOR, DPM, dCache and StoRM.

CAOPS: The Grid Certificate Profile has now passed through the public comments phase; the comments will be pushed to WG final call on 06/11/07, and then on to the editorial committee. The current version of the Audit Guidelines document was presented; a synergy was noted between this document and the auditing processes for the TAGPMA. Namespaces were discussed; the usual suspects raised their concerns (a favourite topic) about X.509 DNs and SOAs. Globus (WS) is to implement signing_policies at the beginning of 2008 [this was a surprise to me: that there are no signing_policy checks in GT4 WS. I may have missed the details, but a quick search through the GT4 Java code base reveals no signing_policy or EACL strings].

FI-RG: The main thrust of this session was the proposal of a group to take forward the idea of a web-service authorisation framework for the dynamic opening of ports. Both RHJ and I noted that there were similarities with current SAML call-out work from the authZ group that may have a natural synergy with this.

LoA-RG: I presented the findings from the recent JISC-funded ES-LoA project. These were well received as the foundations for the first document, "A gap analysis of current LoA definitions versus LoA requirements in e-Science/Grid context". I stressed that although the community at large seemed to identify LoA and risk-based access control as a requirement, the community had responded in such a way as to suggest that the topic was not well understood; there is a chasm in understanding between grid and non-grid subscription-based services. The second document from this group, "A risk analysis in relation to LoA and use case gathering in an e-Science context", has yet to gain traction, the security modelling within eScience not being sufficient at this time to obtain a large enough pool of use cases.

All other groups were attended as a session tourist.
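The CAOPS notes above mention that Globus (WS) is to add signing_policy checks. As an added illustration, which is not part of this report and is not Globus Toolkit code, the following Python parses an EDG/IGTF-style signing_policy file (access_id_CA / pos_rights / cond_subjects lines) and decides whether a given CA is permitted to have signed a given subject DN. The sample policy, CA names and subject DNs are constructed for the example; the matching semantics (exact match on the issuer DN, '*' in a cond_subjects glob matching any run of characters including '/', case-sensitive comparison) and the fail-closed treatment of unknown or unconstrained CAs are assumptions made here, not a description of what GT4 does.

```python
"""Check an X.509 subject DN against an EDG/IGTF-style signing_policy file.

Added example; not Globus Toolkit code and no claim about GT4 behaviour.
Assumed semantics: the CA DN must match an access_id_CA entry exactly,
the CA must hold 'CA:sign', and the subject must match one cond_subjects
glob, where '*' matches any characters (including '/') and matching is
case-sensitive.  Anything else fails closed.
"""
import re
import shlex

# Constructed sample policy for hypothetical CAs; not a real IGTF policy.
SAMPLE_POLICY = """\
# Hypothetical UK eScience CA: may sign only inside its own namespace
access_id_CA   X509   '/C=UK/O=eScience/OU=Authority/CN=CA'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=UK/O=eScience/OU=*/L=*/CN=*" "/C=UK/O=eScienceRoot/*"'

# Hypothetical CA granted signing rights but declaring no namespace
access_id_CA   X509   '/C=XX/O=Other/CN=Unconstrained CA'
pos_rights     globus CA:sign
"""


def parse_signing_policy(text):
    """Parse policy text into {ca_dn: {"sign": bool, "subjects": [globs]}}."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # strips the single quotes around values
        if len(fields) != 3:
            raise ValueError("malformed signing_policy line: %r" % raw)
        key, kind, value = fields
        if key == "access_id_CA":
            if kind != "X509":
                raise ValueError("unsupported access_id_CA type %r" % kind)
            current = policies.setdefault(value, {"sign": False, "subjects": []})
        elif current is None:
            raise ValueError("%s appears before any access_id_CA" % key)
        elif key == "pos_rights":
            if kind == "globus" and value == "CA:sign":
                current["sign"] = True
        elif key == "cond_subjects":
            if kind == "globus":
                # The value is itself a space-separated list of double-quoted globs.
                current["subjects"].extend(shlex.split(value))
        # Other keys (e.g. neg_rights) are ignored in this example.
    return policies


def _glob_to_regex(pattern):
    """Turn a cond_subjects glob into a compiled regex; only '*' is a wildcard."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def subject_permitted(policies, issuer_dn, subject_dn):
    """True only if issuer_dn holds CA:sign and subject_dn matches one of its globs.

    Unknown issuers, issuers without CA:sign, and issuers with no
    cond_subjects all return False: a CA with no declared namespace
    is treated as allowed to sign nothing.
    """
    entry = policies.get(issuer_dn)
    if entry is None or not entry["sign"]:
        return False
    return any(_glob_to_regex(g).fullmatch(subject_dn) for g in entry["subjects"])


if __name__ == "__main__":
    policy = parse_signing_policy(SAMPLE_POLICY)
    ca = "/C=UK/O=eScience/OU=Authority/CN=CA"
    for subject in ("/C=UK/O=eScience/OU=Manchester/L=MC/CN=mike jones",
                    "/DC=org/DC=example/CN=rogue"):
        print(subject, "->", subject_permitted(policy, ca, subject))
```

The check answers a different question from ordinary chain validation: the chain may be cryptographically valid and still be rejected because the issuing CA strayed outside the namespace its policy file grants it, which is exactly the class of problem the namespace discussion at CAOPS is about.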