Report of OGF/GGF18 Meeting, 11-13 September 2006
Author. David Chadwick
Shibboleth for Grids
This comprised four sessions, two on both Monday and Tuesday, which were devoted to
updates about various projects around the globe that are integrating Shibboleth with Grid
technologies. There were presentations from:
- Erik Vullings (via Skype from Australia) who talked about the MAMS system
and tools such as Autograph that control attribute release policies;
- Christoph Witzig of SWITCH who are working within EGEE to add Shibboleth
authentication as an alternative to X.509 PKI authentication;
- Von Welch who gave an update about the GridShib project;
- David Spence from CCLRC gave an update about the ShibGrid project;
- Mike Jones whose talk about the SHEBANGS project raised more unresolved
issues than answers; Mike also gave a summary about GridSite and Shibboleth;
- Richard Sinnott about the various projects at NeSC Glasgow;
- David Chadwick who described the latest user friendly tools for setting PERMIS
policies for Shibboleth and Grid resources;
- Nate Klingenstein who gave a comprehensive talk about SAMLv2 and
Shibbolethv2
- Alan Sill about combining VOMS and the registration service VOMRS with
Shibboleth; and
- Tom Scavo who talked about X.509 and SAML bindings
Clearly there is a lot of activity in this area and there were many similarities in the
approaches, which involved having an online pseudo-CA that issued short lived
certificates for use on the Grid based on Shibboleth authentication of the user. It would be
good if one common model for this could be standardized.
Globus Security for the Real World
This session described not only the current security mechanisms in GT4, but also the
future mechanisms that they are currently working on, such as improved authorization.
Security Talks
Blair Dillaway from Microsoft gave a talk on access control research that MS has been
doing. SecPAL is a declarative logic based security policy language. It supports the
distributed creation of policies. Permissions are monotonic so the results are always
predictable (this is the same as the PERMIS model, but not the same as XACML). The
language provides safety properties via simple syntactic checks. MS wanted to define
complete policies that specify trust, delegation and authorization. They use standard
XML parsers and XML DigSigs to protect their policies. Principals are identified by their
public keys rather than their names. Resource hierarchies are supported. Attributes are
name value pairs (this is pretty standard now). They use regular expressions for matching
variables. All in all the system has some good features and MS has tried to pick what they
see as the best features that existing authorization PDPs/policies provide.
Jef Tan from Monash University talked about connecting across firewalls for the grid. He
used a combination of SOCKS and SSH to get past university firewalls.
OGSA Authz WG meeting
The meeting was very productive, and had been preceded by a teleconference for those
WG members who could not attend Washington. The revised charter for the WG was
finally agreed, with only minor amendments being suggested to the version that had been
posted 2 months prior to the meeting. The CVS Requirements document had some more
features recommended for inclusion in the next version. The Authorisation Functional
Components document also had some useful enhancements suggested for inclusion.
VOMS and PERMIS profiles have been posted to the WG mailing lists and some
enhancements were suggested to the VOMS profile. The meeting concluded with
planning dates and times for the next teleconferences.
The minutes of the OGSA AUTHZ WG meeting can be found at
(https://forge.gridforum.org/sf/go/doc13860?nav=1).