Report of OGF21 Meeting, Seattle, 15-19 October 2007
Author: David Chadwick, University of Kent

The author attended a number of working group meetings as described below. Another important benefit of attending this particular OGF meeting was to have face-to-face discussions with Valerio Venturi of INFN, Italy, who is the main developer of the current VOMS software. The author has two UK JISC-funded projects, VPMan and Shintau, which will require PERMIS to interwork with the VOMS SAML attribute issuing service that is currently being developed by INFN. At the face-to-face meeting we discussed in detail how the protocol should be finalised so as to ensure seamless interworking between the two systems. This meeting will lead to new input into the draft OGSA-Authz specification that Valerio has recently written.

Monday 15 October

OGSA-Authz WG meeting

The author chaired this meeting, which was well attended. Prior to the meeting the ADs had discussed with the author the possibility of closing the WG down in the near future, due to the lack of participation by WG members. As it turned out, this was one of the most productive WG meetings we have had during the last 18 months. There was plenty of support from the attendees for keeping the WG going, especially from OMII-Europe. There are several possible reasons for the lack of support during the last year or two: the working group was ahead of user requirements and demand, or researchers did not have any funding to work in this area. This is perhaps changing now that grid usage is increasing and the scalability limits of existing systems, such as grid mapfiles, are becoming increasingly apparent.

The author presented the latest developments in the two existing authz protocol profile specifications (client-PDP and client-CVS), and Valerio presented the first draft of the third and final protocol profile specification (client-CIS, where CIS is the Credential Issuing Service) that is needed to allow a full set of interactions between the PDP, PEP, CVS and CIS of an authorisation infrastructure. This third profile specifies how to use SAML for retrieving the credentials (signed attribute assertions) of a grid user from a CIS (or Attribute Authority). Valerio also presented the latest developments with INFN's prototype implementation of a CIS, which researchers at Kent have already been experimenting with in order to integrate VOMS with their PERMIS authorisation system. The author presented the latest developments in the VPMan and Shintau projects, and gave an overview of the conceptual model for aggregating attributes from multiple IdPs. The meeting concluded by agreeing that publication of the three protocol profiles should be treated as a matter of urgency, so that they can be reviewed and published for use by the wider community.

Security Area Meeting

Mike Jones, Director of Identity Partnerships at Microsoft, spoke about CardSpace and its likely evolution, and gave a demonstration of the current system. CardSpace is bundled with MS Vista, and a plugin for MS XP can also be obtained. MS have agreed to cooperate with OpenID to ensure interworking between the two systems in a future release. This may eventually have a significant impact on grid systems, but in the medium term it is more likely to affect campus networks and Shibboleth systems. The meeting concluded with a quick overview of the security work to be covered during the remainder of the OGF21 meeting.

Tuesday 16 October

CAOPS WG Meeting

The meeting discussed the Grid Certificate Profile, which has just finished its public comment period. A new version of the document addressing all the comments received should be available by 6 November. We also discussed the Audit document, which describes a general framework for auditing CAs to ensure that they behave as expected. The meeting then spent some time discussing the name constraints that Relying Parties might wish to place on certificate path processing. The current proposal uses wildcards in the specification as a way of specifying DIT subtrees. The author pointed out that the X.509 and X.501 specifications already have a way of defining general subtrees that does not involve wildcards, and he forwarded the relevant text to the list. The final topic on the agenda was the use of OCSP servers. The requirement for OCSP seems to be dwindling, as most RPs appear to be happy with CRLs or short-lived certificates. The author mentioned the WebDAV scheme his group has recently implemented, which uses Web servers and state-based URLs in certificates to provide instant revocation notification with low processing overheads.

Wednesday 17 October

CAOPS WG Meeting

This meeting discussed the current work of the International Grid Trust Federation, and how it is evolving and continually growing. New CA members have recently been added (e.g. Romania), and other countries (e.g. Taiwan) are likely to be added very soon. David Kelsey gave a presentation about trust in authorisation, and said that it was now time to start looking at validating the trustworthiness of VOMS servers that issue authorisation credentials, since today people still wrongly assume that trust in a CA is sufficient to make an AA trustworthy. The author found this a refreshing breakthrough: people are finally beginning to realise that trust in authorisation is a completely separate layer from trust in authentication, and that it needs to be managed just as rigorously and carefully as trust in CAs. Furthermore, technical measures are needed to enforce this trust, in just the same way as technical measures are needed to enforce trust in CAs. Fortunately this is something the author has been working on for many years, and consequently his group has already built trust-enforcing mechanisms into the PERMIS authorisation infrastructure.

Thursday 18 October

GridNet2 Workshop

At this workshop each UK participant described the work they were doing as a result of GridNet2 funding. The author described his work within the Authz WG over the last 4 years.

LOA Research Group

Mike Jones from Manchester presented the results of the Level of Assurance/Authentication (LOA) survey that they had recently carried out. This showed that most respondents regarded LOA as an important or essential requirement in federated environments, and that tools to support it should be made available to the community. The utility of LOA has already been effectively demonstrated in projects such as FAME-PERMIS, run by Manchester University. In a new FW7 Integrated Project, due to start on 1 January 2008, the author will be developing tools to enable SPs and IdPs to compute the LOAs of authentication sessions, so that they can be used in authorisation decision making.

Express Authentication Profile

Duane presented the latest developments in specifying an SP's policies for authentication and message encryption. The author raised the issue that authorisation was still not covered, and that this is equally important if a client is to establish a successful session. The area director, Blair Dillaway, agreed, and further stated that the current drafts were worrying in that they tightly coupled the policy specification to the transport mechanism via EPRs. He suggested that these should be decoupled, and the document authors appeared to agree (as does the current author), so hopefully the next drafts will do this, as well as indicate how authorisation policies can be added.

Overall Comment

The level of attendance at OGF meetings is falling. Perhaps this reflects the lower importance researchers are placing on the production of grid-specific standards and profiles, or perhaps the slow pace at which OGF standards are produced. Either way, it is a cause for some concern, and one should start to question whether attending these meetings is a cost-effective use of our time and resources. Perhaps other standards forums such as IETF, Liberty Alliance and OASIS might be more productive.
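Returning to the Tuesday CAOPS discussion of name constraints: the X.509 GeneralSubtree construct (a base name plus a minimum and maximum distance in levels below it) describes a DIT subtree without any wildcard syntax, and the NameConstraints extension combines such subtrees into permitted and excluded sets. The Python below is an added illustration written for this page, not code from OGF, the IGTF, or the author's PERMIS software. It assumes that distinguished names are written root-first as comma-separated RDN strings, uses a simplified case-insensitive RDN comparison in place of the full X.520 matching rules, and the sample DNs in demo() are constructed.

```python
"""Evaluate X.509 NameConstraints-style general subtrees against directory names.

Added illustration, not code from the OGF report, OGF, IGTF or PERMIS. DNs are
modelled as root-first tuples of RDN strings; RDN comparison is a simplified
case-insensitive, whitespace-folded string match rather than X.520 matching
rules. Sample names used in demo() are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

DN = Tuple[str, ...]


@dataclass(frozen=True)
class GeneralSubtree:
    """X.509 GeneralSubtree: base name plus minimum/maximum distance in levels.

    minimum defaults to 0 and maximum to unbounded, as in X.509. RFC 5280
    profiles directoryName constraints to minimum 0 / maximum absent, so a
    constraint written for the Internet profile leaves both at their defaults.
    """
    base: DN
    minimum: int = 0
    maximum: Optional[int] = None


def _norm(rdn: str) -> str:
    # Simplified matching rule: trim, fold internal whitespace and case.
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={' '.join(value.split()).lower()}"


def parse_dn(text: str, sep: str = ",") -> DN:
    """Parse 'C=UK,O=Example,CN=Alice' (root first) into a normalised RDN tuple."""
    return tuple(_norm(p) for p in text.split(sep) if p.strip())


def in_subtree(name: DN, subtree: GeneralSubtree) -> bool:
    """True if the base is a prefix of name and the number of RDNs below the
    base lies within [minimum, maximum]. The base itself is at distance 0."""
    base = tuple(_norm(r) for r in subtree.base)
    if name[: len(base)] != base:
        return False
    depth = len(name) - len(base)
    if depth < subtree.minimum:
        return False
    if subtree.maximum is not None and depth > subtree.maximum:
        return False
    return True


def name_permitted(name: DN,
                   permitted: Sequence[GeneralSubtree] = (),
                   excluded: Sequence[GeneralSubtree] = ()) -> bool:
    """NameConstraints decision for one directoryName: acceptable if it falls
    inside at least one permitted subtree (when any are given for this name
    form) and inside no excluded subtree."""
    if permitted and not any(in_subtree(name, s) for s in permitted):
        return False
    return not any(in_subtree(name, s) for s in excluded)


def demo() -> dict:
    """Constructed relying-party policy: accept names under C=UK,O=eScience,
    but reject anything under its OU=Test branch."""
    permitted = [GeneralSubtree(parse_dn("C=UK,O=eScience"))]
    excluded = [GeneralSubtree(parse_dn("C=UK,O=eScience,OU=Test"))]
    # "Exactly one level below the base" is the kind of shape a wildcard
    # proposal would write as O=eScience,OU=*; here it is minimum=1, maximum=1.
    one_level = GeneralSubtree(parse_dn("C=UK,O=eScience"), minimum=1, maximum=1)
    return {
        "kent_user": name_permitted(parse_dn("C=UK,O=eScience,OU=Kent,CN=Alice"),
                                    permitted, excluded),
        "case_folded": name_permitted(parse_dn("c=uk, o=escience, ou=kent, cn=alice"),
                                      permitted, excluded),
        "test_user": name_permitted(parse_dn("C=UK,O=eScience,OU=Test,CN=Bob"),
                                    permitted, excluded),
        "foreign_user": name_permitted(parse_dn("C=IT,O=INFN,CN=Carol"),
                                       permitted, excluded),
        "base_itself": in_subtree(parse_dn("C=UK,O=eScience"), permitted[0]),
        "ou_one_level": in_subtree(parse_dn("C=UK,O=eScience,OU=Kent"), one_level),
        "leaf_one_level": in_subtree(parse_dn("C=UK,O=eScience,OU=Kent,CN=Alice"),
                                     one_level),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The excluded-subtree check runs regardless of whether the name matched a permitted subtree, which is what makes the OU=Test carve-out work even though that branch sits inside the permitted base; a relying party that wants to constrain a CA's issued names to a subtree can express both halves of its policy this way without any wildcard grammar.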