OGF20 Meeting Report. 7-11 May 2007
Prepared by David Chadwick, University of Kent
OGSA-Authz WG
This group met on the morning of the first day and was chaired by the author. The
meeting was very productive, as the minutes of the meeting show (available from
http://forge.gridforum.org/sf/go/doc14495?nav=1). There were some good presentations
by 3 groups of researchers. However, a serious issue that the WG needs to address is
how to get people to contribute to the WG documents and progress them between
meetings. Currently there is very little documentation activity between meetings and,
it appears, very little implementation of the existing protocol specifications. Unless
this situation changes significantly by the end of the year, we should seriously
consider closing or suspending the WG.
LOA RG
This group met after morning coffee on the first day. It is tasked with producing
use cases and a risk analysis for the use of Levels of Assurance (LOA), and a gap
analysis of the current LOA standards. The meeting reviewed a series of use case
scenarios, and the audience contributed towards a better understanding of them. LOA is
an important security concept, and the more implementers understand and use it, the
more secure our grids will become.
CA Ops
Met on Tuesday early evening. One problem the WG is facing is that commercial CAs
are not doing their job properly: they will either authenticate anyone with any name, or
fail to authenticate a person under a name they already possess. Given that the only role
a CA has is to bind a name to a public key, this is a major failing of most commercial
CAs (caused, incidentally, by their eagerness to shed as much legal liability as possible
for their actions). Consequently CA Ops is having to devise mechanisms whereby relying
parties can control which namespaces they will accept from which CAs, so as to ensure
that grid users are only given their “correct” DNs. One wonders if there is any value at
all in having a certificate from a commercial CA, unless it is badged for your own
organisation. Your own local CA can be just as reliable and trustworthy at binding
names to public keys.
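The relying-party side of that mechanism, as an added illustration (this is not CA Ops' code, nor the Globus/IGTF signing_policy file format): the relying party keeps, per CA, the subject-DN namespaces it will accept from that CA, and a certificate whose subject falls outside those namespaces is rejected even though the CA's signature on it is good. The CA names, subject names and policy are constructed; DNs are assumed to be in slash-separated form with no '/' inside attribute values. The one detail worth noting is that the wildcard is matched one RDN at a time, so a pattern ending in `CN=*` cannot be satisfied by a subject that appends further components after the CN.

```python
"""Relying-party namespace policy check.

Added illustrative example; not CA Ops' own code and not the Globus/IGTF
signing_policy format. Per CA, the relying party lists the subject-DN
namespaces it accepts from that CA. Assumptions: slash-separated DNs with
no '/' inside values; all CA and subject names below are constructed.
"""
import fnmatch
import re

# Constructed policy: issuer DN -> subject-DN patterns that CA may certify.
# '*' is matched within a single RDN value only, never across RDNs.
NAMESPACE_POLICY = {
    "/C=UK/O=eScience/OU=Authority/CN=UK e-Science CA": [
        "/C=UK/O=eScience/OU=*/L=*/CN=*",
    ],
    "/C=UK/O=Kent/OU=Computing/CN=Kent Local CA": [
        "/C=UK/O=Kent/OU=Computing/CN=*",
    ],
}

_RDN = re.compile(r"([A-Za-z][A-Za-z0-9]*)=(.+)")


def split_dn(dn):
    """Split '/C=UK/O=Kent/CN=alice' into [('C','UK'),('O','Kent'),('CN','alice')].
    Malformed input raises rather than silently matching something."""
    if not dn.startswith("/") or len(dn) < 2:
        raise ValueError("DN must be non-empty and start with '/'")
    rdns = []
    for comp in dn[1:].split("/"):
        m = _RDN.fullmatch(comp)
        if m is None:
            raise ValueError("malformed RDN: %r" % comp)
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def dn_matches(pattern, subject):
    """True if subject has the same RDN sequence as pattern, with each pattern
    value matched as a glob against the corresponding subject value. Matching
    RDN by RDN stops a '*' in CN from swallowing extra trailing components."""
    pat, sub = split_dn(pattern), split_dn(subject)
    if len(pat) != len(sub):
        return False
    return all(pa == sa and fnmatch.fnmatchcase(sv, pv)
               for (pa, pv), (sa, sv) in zip(pat, sub))


def accept_certificate(issuer_dn, subject_dn, policy=NAMESPACE_POLICY):
    """Relying-party decision: the issuer must be a known CA and the subject
    must lie inside a namespace that CA is permitted to certify. A valid
    signature from a trusted CA on an out-of-namespace name is still refused."""
    allowed = policy.get(issuer_dn)
    if allowed is None:
        return False          # unknown CA: not trusted for any namespace
    try:
        return any(dn_matches(p, subject_dn) for p in allowed)
    except ValueError:
        return False          # unparsable subject: refuse, do not guess


if __name__ == "__main__":
    ca = "/C=UK/O=eScience/OU=Authority/CN=UK e-Science CA"
    print(accept_certificate(ca, "/C=UK/O=eScience/OU=Kent/L=Computing/CN=david chadwick"))
    print(accept_certificate(ca, "/C=UK/O=Kent/OU=Computing/CN=david chadwick"))
```

Signature verification and chain building are assumed to have happened already; this check sits after them, as an extra condition the relying party imposes on the name the CA chose to certify.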
Astronomical Virtual Observatory
On Wednesday there was a full day workshop of Astro Grid. The author met with the
organisers prior to the meeting in order to better understand their security requirements,
and then gave a presentation about how existing grid security software could be
tailored to meet the challenges these raised. In particular, the virtual observatory has a
dynamically changing set of member organisations and dynamically changing
memberships within those organisations. However, the VO service providers do not want
to be continually changing their access control policies, which means that role based
access controls are needed, with a fixed set of trusted role administrators. It also means
that dynamic delegation of administrative authority to a larger, more frequently changing
pool of administrators from the VO partner organisations is needed. The dynamic
administrators can then assign VO membership roles to the individuals within their
organisations, without any need to change the service providers’ policies. The author
highlighted how VOMS and PERMIS could be integrated together to provide one
solution that will meet these needs.
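The arrangement just described, as an added worked example (not VOMS or PERMIS code, and not the author's own): the service provider's policy names only roles and a fixed set of trusted root administrators; root administrators delegate the authority to assign a given role, limited to one partner organisation's part of the DN tree, to administrators who are appointed and replaced as the VO changes; those administrators assign roles to their own users. Adding a user, or even a whole new partner organisation, changes the credentials but never the policy. The example goes slightly beyond the text by showing two caveats an implementer needs anyway: a delegation may narrow but never widen the scope it was granted, and the chain walk is depth-bounded so a self-issued delegation cannot validate itself. All DNs, roles and credentials are constructed, and credential signatures are assumed to have been verified before this code runs.

```python
"""Role-based access control with delegated role administrators.

Added illustrative example; not the VOMS or PERMIS code, nor the author's
own. The service provider's policy is fixed and written in roles only; the
set of people who may assign those roles is extended by delegation. All
DNs, roles and credentials are constructed; signatures are assumed checked.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    issuer: str           # who granted the authority
    delegate: str         # administrator receiving it
    role: str             # role the delegate may assign
    scope: str            # DN prefix of the users it may be assigned to
    can_redelegate: bool  # may the delegate pass (a narrower) authority on?


@dataclass(frozen=True)
class RoleAssignment:
    issuer: str           # administrator who assigned the role
    holder: str           # user DN
    role: str


# The service provider's policy: fixed, and expressed in roles only.
SP_POLICY = {
    "archive/read":  {"vo-member", "vo-admin"},
    "archive/write": {"vo-admin"},
}
TRUSTED_ROOT_ADMINS = {"/C=UK/O=AstroVO/CN=VO Manager"}
MAX_CHAIN = 4   # bound on delegation depth; also defeats delegation cycles


def in_scope(dn, scope):
    """Prefix match on whole RDNs: '/C=UK/O=Kent' must not cover '/C=UK/O=Kentucky/...'."""
    return dn == scope or dn.startswith(scope + "/")


def delegation_valid(d, delegations, depth=0):
    """Valid if a trusted root admin issued it, or its issuer holds a valid,
    redelegable delegation for the same role whose scope contains this one."""
    if depth > MAX_CHAIN:
        return False
    if d.issuer in TRUSTED_ROOT_ADMINS:
        return True
    return any(
        up.delegate == d.issuer and up.role == d.role and up.can_redelegate
        and in_scope(d.scope, up.scope)
        and delegation_valid(up, delegations, depth + 1)
        for up in delegations)


def assignment_valid(a, delegations):
    """The issuer must be a root admin or hold a valid delegation for this
    role whose scope contains the holder."""
    if a.issuer in TRUSTED_ROOT_ADMINS:
        return True
    return any(
        d.delegate == a.issuer and d.role == a.role and in_scope(a.holder, d.scope)
        and delegation_valid(d, delegations)
        for d in delegations)


def authorise(user, action, assignments, delegations, policy=SP_POLICY):
    """Service-provider decision: does the user validly hold a role the
    policy accepts for this action? Invalid assignments are simply ignored."""
    held = {a.role for a in assignments
            if a.holder == user and assignment_valid(a, delegations)}
    return bool(policy.get(action, set()) & held)


# Constructed credentials.
ROOT = "/C=UK/O=AstroVO/CN=VO Manager"
KENT_ADMIN = "/C=UK/O=Kent/CN=Kent VO Admin"
KENT_PHYS_ADMIN = "/C=UK/O=Kent/OU=Physics/CN=Physics Admin"
MPA_ADMIN = "/C=DE/O=MPA/CN=MPA VO Admin"
ALICE = "/C=UK/O=Kent/OU=Physics/CN=alice"

DELEGATIONS = [
    Delegation(ROOT, KENT_ADMIN, "vo-member", "/C=UK/O=Kent", True),
    Delegation(ROOT, MPA_ADMIN, "vo-member", "/C=DE/O=MPA", False),
    # Kent's admin narrows its authority to one department, non-redelegable.
    Delegation(KENT_ADMIN, KENT_PHYS_ADMIN, "vo-member", "/C=UK/O=Kent/OU=Physics", False),
]
ASSIGNMENTS = [
    RoleAssignment(KENT_PHYS_ADMIN, ALICE, "vo-member"),
    # MPA's admin has no authority over Kent users: must be ignored.
    RoleAssignment(MPA_ADMIN, "/C=UK/O=Kent/OU=Physics/CN=bob", "vo-member"),
    # Kent's admin was never delegated vo-admin: must be ignored too.
    RoleAssignment(KENT_ADMIN, ALICE, "vo-admin"),
]

if __name__ == "__main__":
    print(authorise(ALICE, "archive/read", ASSIGNMENTS, DELEGATIONS))
    print(authorise(ALICE, "archive/write", ASSIGNMENTS, DELEGATIONS))
```

Note what changes when a partner joins: the VO manager issues one new Delegation for that organisation's DN subtree, its administrator issues RoleAssignments, and SP_POLICY is untouched.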
OGSA Express Authentication Security Profile
Wednesday afternoon saw a meeting on the express authentication security profile from
the OGSA WG. In the opinion of the author, whilst this work is valuable, it does not go
far enough. It will only allow a grid service provider (SP) to know who you are, without
knowing what you are entitled to do, so the profile is only half a fix to the real problem.
However, it should not be too difficult to extend the current work into a fuller, more
complete solution by borrowing some of the ideas used by Microsoft CardSpace and
Trust Negotiation, in which SPs publish the authorisation tokens that they require and
IdPs publish the authorisation tokens they can issue. In this way a user should easily be
able to marry the two together in order to ensure that he can get access to the resources
he is entitled to.
Gridnet2 meeting
On Thursday morning the author took a break from the OGF 20 meetings to attend the
GridNet2 Advisory Board meeting at the University of Manchester.