Report of OGF21 Meeting, Seattle, 15-19 October 2007

Author: David Chadwick, University of Kent
The author attended a number of working group meetings as described below. Another
important benefit of attending this particular OGF meeting was to have face to face
discussions with Valerio Venturi of INFN, Italy, who is the main developer of the current
VOMS software. The author has two UK JISC funded projects, VPMan and Shintau,
which will require PERMIS to interwork with the VOMS SAML attribute issuing service
that is currently being developed by INFN. At the face to face meeting we discussed in
detail how the protocol should be finalised so as to ensure seamless interworking between
the two systems. This face to face meeting will lead to new input into the draft OGSA-Authz specification that Valerio has recently written.
Monday 15 October
OGSA-Authz WG meeting
The author chaired this meeting, which was well attended. Prior to the meeting the ADs
had discussed with the author closing the WG down in the near future, due to the
lack of participation by WG members. As it turned out, this was one of the most
productive WG meetings that we have had during the last 18 months. There was plenty of
support from the attendees in keeping the WG going, especially from OMII-Europe.
There are several reasons for the lack of support during the last year or two, such as the
working group being ahead of user requirements and demand, or researchers not having
any funding to work in this area. This is perhaps changing now that grid usage is
increasing, and the scalability limits of existing systems, such as grid mapfiles, are
becoming increasingly apparent.
The author presented the latest developments in the two existing authz protocol profile
specifications (client-PDP and client-CVS), and Valerio presented the first draft of the
third and final protocol profile specification (client-CIS, Credential Issuing Service) that
is needed to allow a full set of interactions between the PDP, PEP, CVS and CIS of an
authorisation infrastructure. This third profile specifies how to use SAML for retrieving
the credentials (signed attribute assertions) of a grid user from a CIS (or Attribute
Authority).
Valerio also presented the latest developments with INFN's prototype implementation of a
CIS, which researchers at Kent have already been experimenting with in order to
integrate VOMS with their PERMIS authorisation system.
The author presented the latest developments in the VPMan and Shintau projects, and
gave an overview of the conceptual model for aggregating attributes from multiple IdPs.
The meeting concluded by agreeing that the publication of the three protocol profiles
should be treated as a matter of urgency, so that they can be reviewed and published for
use by the wider community.
Security Area Meeting
Mike Jones, director of Identity Partnerships at Microsoft, spoke about CardSpace and its
likely evolution. He also provided a demonstration of the current system. CardSpace is
bundled with MS Vista and a plugin for MS XP can also be obtained. MS have agreed to
cooperate with OpenID to ensure interworking between the two systems in a future
release. This may eventually have a significant impact on grid systems, but in the
medium term it is more likely to affect campus networks and Shibboleth systems.
The meeting concluded with a quick overview of the security work that will be covered
during the remainder of the OGF21 meeting.
Tuesday 16 October
CAOPS WG Meeting
The meeting discussed the Grid Certificate Profile which has just finished its public
comment period. A new version of the document should be available by Nov 6 that will
address all the comments received. We also discussed the Audit document which
describes a general framework for auditing CAs to ensure that they behave as expected.
The meeting then spent some time discussing the name constraints that Relying Parties
might wish to place on certificate path processing procedures. The current proposal uses
wildcards in the specification as a way of specifying DIT subtrees. The author
pointed out that the X.509 and X.501 specifications already have ways of defining general
subtrees which do not include wildcards, and he forwarded the relevant text to the list.
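As an added illustration (this code is not from the OGF report, the CAOPS proposal or any IGTF document) of what a subtree-based name constraint looks like in practice: a Relying Party describes the part of the DIT a CA may certify as an X.509 GeneralSubtree (a base DN plus optional minimum and maximum depth) instead of a wildcard pattern, and a subject DN is checked against permitted and excluded subtrees with the precedence rules of the X.509 name constraints extension. The DN parser, the case-folding comparison and the policy values are assumptions made for the example; real X.520 matching rules are richer than this.

```python
"""Name-constraint style subtree checks for X.500 Distinguished Names.

Added illustration, not from the OGF21 report or any OGF/IGTF document: a
relying party describes the part of the DIT that a CA may certify as an X.509
GeneralSubtree (base DN plus optional minimum/maximum depth) rather than as a
wildcard pattern, and checks a subject DN against permitted and excluded
subtrees with the precedence rules used by the X.509 name constraints
extension.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

RDN = Tuple[str, str]   # (attribute type, value), e.g. ("O", "university of kent")
DN = Tuple[RDN, ...]    # root-first order: C, O, OU, CN


def parse_dn(text: str) -> DN:
    """Parse 'C=UK, O=University of Kent, CN=Alice' (root first) into RDNs.

    Simplifications assumed for this example: no escaped commas and no
    multi-valued RDNs; attribute types are compared case-insensitively and
    values are whitespace-normalised and case-folded (a rough stand-in for the
    X.520 caseIgnoreMatch rule).
    """
    rdns = []
    for part in text.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), " ".join(value.split()).casefold()))
    return tuple(rdns)


@dataclass(frozen=True)
class GeneralSubtree:
    """One entry of a permittedSubtrees / excludedSubtrees list."""
    base: DN
    minimum: int = 0               # X.509 default; RFC 5280 requires 0
    maximum: Optional[int] = None  # None = no limit on depth below base

    def contains(self, name: DN) -> bool:
        # A name is in the subtree when base is a root-first prefix of it and
        # the number of RDNs below base lies within [minimum, maximum].
        if name[:len(self.base)] != self.base:
            return False
        depth = len(name) - len(self.base)
        if depth < self.minimum:
            return False
        return self.maximum is None or depth <= self.maximum


def name_permitted(name: DN,
                   permitted: Sequence[GeneralSubtree],
                   excluded: Sequence[GeneralSubtree]) -> bool:
    """X.509 name-constraint semantics: excluded subtrees take precedence, and
    when any permitted subtrees are given the name must fall inside one."""
    if any(sub.contains(name) for sub in excluded):
        return False
    if not permitted:
        return True
    return any(sub.contains(name) for sub in permitted)


# Constructed relying-party policy for a hypothetical CA: it may certify
# entries under the University of Kent, except anything under the Guests OU.
PERMITTED = [GeneralSubtree(parse_dn("C=UK, O=University of Kent"))]
EXCLUDED = [GeneralSubtree(parse_dn("C=UK, O=University of Kent, OU=Guests"))]


def subject_allowed(subject: str) -> bool:
    """Would a certificate with this subject DN pass the policy above?"""
    return name_permitted(parse_dn(subject), PERMITTED, EXCLUDED)


if __name__ == "__main__":
    for dn in ("C=UK, O=University of Kent, CN=Alice",
               "C=UK, O=University of Kent, OU=Guests, CN=Bob",
               "C=IT, O=INFN, CN=Carol"):
        print(f"{dn:50} -> {'accept' if subject_allowed(dn) else 'reject'}")
```

The point of the subtree form is that the constraint is anchored at a base entry and bounded by depth, so a Relying Party never has to reason about how a wildcard might match unexpected values; an excluded subtree always wins over a permitted one, which is the same precedence X.509 path validation applies.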
The final topic on the agenda was the use of OCSP servers. It seems that the requirement
for OCSP is dwindling, as most RPs seem to be happy with CRLs or short lived
certificates. The author mentioned the recent WebDAV scheme his group has implemented,
which uses Web servers and state based URLs in certificates to provide instant revocation
notification and low processing overheads.
Wednesday 17 October
CAOPS WG Meeting
This meeting discussed the current work of the International Grid Trust Federation, and
how it is evolving and continually growing. New CA members have recently been added,
e.g. Romania, and other countries, e.g. Taiwan, are likely to be added very soon.
David Kelsey gave a presentation about trust in authorisation, and said that it was now
time to start looking at validating the trustworthiness of VOMS servers that issue
authorisation credentials, since today people are still wrongly thinking that trust in a CA
is sufficient to mean that an AA is trustworthy. The author found this to be a refreshing
breakthrough in that people are now finally beginning to realise that trust in authorisation
is a completely separate layer to trust in authentication, and that it needs to be managed
just as rigorously and carefully as trust in CAs. Furthermore, technical measures are
needed for enforcing this trust in just the same way as technical measures are needed to
enforce the trust in CAs. Fortunately this is something that the author has been working
on for many years, and consequently his group has already built trust enforcing
mechanisms into the PERMIS authorisation infrastructure.
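To make the distinction between the two trust layers concrete, here is an added example (written for this report; it is not PERMIS, VOMS or any OGF profile) of a Relying Party that keeps the two decisions separate. The first check answers the authentication-layer question a CA helps with: is this credential genuinely signed by the issuer it names? The second answers the authorisation-layer question no CA can answer: is that issuer an Attribute Authority this site trusts to assert this particular attribute? An HMAC stands in for the AA's XML signature so the example runs offline, and the AA names, keys and attribute values are constructed for the example.

```python
"""Trust in authorisation enforced separately from trust in authentication.

Added illustration, not PERMIS, VOMS or any OGF profile: the relying party
keeps two independent trust decisions. First, is the credential genuinely
signed by the issuer it names (the authentication-layer question a CA helps
answer)? Second, is that issuer an Attribute Authority this site trusts to
assert this attribute (the authorisation-layer question, which no CA
answers)? HMAC stands in for the AA's XML signature purely to keep the
example self-contained.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AttributeCredential:
    holder: str       # DN of the grid user the attribute is about
    issuer: str       # name of the Attribute Authority (AA) that issued it
    attribute: str
    value: str
    signature: bytes


def _payload(holder: str, issuer: str, attribute: str, value: str) -> bytes:
    return "|".join((holder, issuer, attribute, value)).encode()


def issue(holder: str, issuer: str, attribute: str, value: str,
          key: bytes) -> AttributeCredential:
    """An AA signing an attribute assertion (HMAC stands in for XML-DSig)."""
    sig = hmac.new(key, _payload(holder, issuer, attribute, value), hashlib.sha256).digest()
    return AttributeCredential(holder, issuer, attribute, value, sig)


@dataclass
class TrustPolicy:
    # Authentication layer: verification keys the RP accepts for each issuer
    # name (in a real deployment these come from CA-certified certificates).
    issuer_keys: Dict[str, bytes]
    # Authorisation layer: which AAs this RP trusts to assert which attribute.
    # Deliberately independent of issuer_keys.
    trusted_aas: Dict[str, Set[str]] = field(default_factory=dict)


def validate_credentials(user: str, creds: List[AttributeCredential],
                         policy: TrustPolicy) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Return the attributes the RP may use for user, plus rejection reasons."""
    accepted: Dict[str, Set[str]] = {}
    rejected: List[str] = []
    for c in creds:
        key = policy.issuer_keys.get(c.issuer)
        if key is None:
            rejected.append(f"{c.issuer}: unknown issuer, cannot verify signature")
            continue
        expected = hmac.new(key, _payload(c.holder, c.issuer, c.attribute, c.value),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, c.signature):
            rejected.append(f"{c.issuer}: signature invalid for {c.attribute}")
            continue
        if c.holder != user:
            rejected.append(f"{c.issuer}: credential is for {c.holder}, not {user}")
            continue
        # A valid signature under a CA-certified key is NOT enough: the issuer
        # must also be an AA this site trusts for this particular attribute.
        if c.issuer not in policy.trusted_aas.get(c.attribute, set()):
            rejected.append(f"{c.issuer}: not a trusted AA for {c.attribute}")
            continue
        accepted.setdefault(c.attribute, set()).add(c.value)
    return accepted, rejected


def has_attribute(accepted: Dict[str, Set[str]], attribute: str, value: str) -> bool:
    return value in accepted.get(attribute, set())


# Constructed scenario: two AAs both hold keys the RP can verify, but only one
# of them is trusted to assert VO roles.
VOMS_KEY, OTHER_KEY = b"voms-signing-key", b"other-aa-signing-key"
ALICE = "C=UK, O=University of Kent, CN=Alice"
POLICY = TrustPolicy(
    issuer_keys={"voms.example.org": VOMS_KEY, "other-aa.example.net": OTHER_KEY},
    trusted_aas={"vo-role": {"voms.example.org"}},
)


def demo() -> Tuple[Dict[str, Set[str]], List[str]]:
    genuine = issue(ALICE, "voms.example.org", "vo-role", "atlas:user", VOMS_KEY)
    # Verifiable but untrusted issuer asserting a more powerful role.
    untrusted = issue(ALICE, "other-aa.example.net", "vo-role", "atlas:admin", OTHER_KEY)
    # Genuine credential whose value was altered after signing.
    tampered = AttributeCredential(ALICE, "voms.example.org", "vo-role",
                                   "atlas:admin", genuine.signature)
    return validate_credentials(ALICE, [genuine, untrusted, tampered], POLICY)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    for reason in rejected:
        print("rejected:", reason)
```

The second AA in the scenario passes the signature check just as the genuine one does; it is only the separately managed AA trust list, keyed by attribute, that stops its assertion from reaching the authorisation decision. That list is the authorisation-layer analogue of the CA trust store, and it has to be reviewed and maintained with the same care.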
Thursday 18 October
GridNet 2 Workshop
At this workshop each UK participant described the work that they were doing as a result
of GridNet2 funding. The author described his work within the Authz WG over the last 4
years.
LOA Research Group
Mike Jones from Manchester presented the results of the Level of
Assurance/Authentication (LOA) survey that they had recently carried out. This showed
that most respondents regarded LOA as an important or essential requirement in
federated environments, and that tools to support this should be made available to the
community. The utility of the LOA has already been effectively demonstrated in projects
such as FAME-PERMIS, run by Manchester University. In a new FW7 Integrated
Project, due to start on 1 January 2008, the author will be developing tools to enable SPs
and IdPs to compute the LOAs of authentication sessions, so that they can be utilised in
authorisation decision making.
Express Authentication Profile
Duane presented the latest developments in specifying an SP’s policies for authentication
and message encryption. The author raised the issue that authorisation still was not being
covered, and that this was equally important in order for a client to be able to establish a
successful session. The area director Blair Dillaway agreed, and further stated that the
current drafts were worrying in that they strongly coupled the policy specification to the
transport mechanism via EPRs. He suggested that these should be de-coupled, and the
document authors appeared to agree to this (as does the current author), so hopefully the
next drafts will do this, as well as indicate how authorisation policies can also be added.
Overall Comment
The level of attendance at OGF meetings is falling. Perhaps this reflects the lower
importance researchers are placing on the production of grid specific standards and
profiles, or perhaps on the slow pace at which the OGF standards are produced. Either
way, it is a cause for some concern, and one should start to question whether attending
these meetings is a cost effective use of our time and resources. Perhaps other standards
forums such as IETF, Liberty Alliance and OASIS might be more productive.