Report of OGF/GGF18 Meeting, 11-13 September 2006

Author: David Chadwick

Shibboleth for Grids

This comprised four sessions, two on Monday and two on Tuesday, devoted to updates about various projects around the globe that are integrating Shibboleth with Grid technologies. There were presentations from:

- Erik Vullings (via Skype from Australia), who talked about the MAMS system and tools such as Autograph that control attribute release policies;
- Christoph Witzig of SWITCH, which is working within EGEE to add Shibboleth authentication as an alternative to X.509 PKI authentication;
- Von Welch, who gave an update about the GridShib project;
- David Spence from CCLRC, who gave an update about the ShibGrid project;
- Mike Jones, whose talk about the SHEBANGS project raised more unresolved issues than answers; Mike also gave a summary about GridSite and Shibboleth;
- Richard Sinnott, about the various projects at NeSC Glasgow;
- David Chadwick, who described the latest user-friendly tools for setting PERMIS policies for Shibboleth and Grid resources;
- Nate Klingenstein, who gave a comprehensive talk about SAML v2 and Shibboleth v2;
- Alan Sill, about combining VOMS and the registration service VOMRS with Shibboleth; and
- Tom Scavo, who talked about X.509 and SAML bindings.

Clearly there is a lot of activity in this area, and there were many similarities in the approaches: most involve an online pseudo-CA that issues short-lived certificates for use on the Grid, based on Shibboleth authentication of the user. It would be good if one common model for this could be standardized.

Globus Security for the Real World

This session described not only the current security mechanisms in GT4, but also the future mechanisms that are currently being worked on, such as improved authorization.

Security Talks

Blair Dillaway from Microsoft gave a talk on access control research that MS has been doing. SecPAL is a declarative, logic-based security policy language. It supports the distributed creation of policies. Permissions are monotonic, so the results are always predictable (this is the same as the PERMIS model, but not the same as XACML). The language provides safety properties via simple syntactic checks. MS wanted to define complete policies that specify trust, delegation and authorization. They use standard XML parsers and XML digital signatures to protect their policies. Principals are identified by their public keys rather than their names. Resource hierarchies are supported. Attributes are name-value pairs (this is pretty standard now). They use regular expressions for matching variables. All in all the system has some good features, and MS has tried to pick what they see as the best features that existing authorization PDPs and policy languages provide.

Jef Tan from Monash University talked about connecting across firewalls for the Grid. He used a combination of SOCKS and SSH to get past university firewalls.

OGSA Authz WG meeting

The meeting was very productive, and had been preceded by a teleconference for those WG members who could not attend Washington. The revised charter for the WG was finally agreed, with only minor amendments being suggested to the version that had been posted two months prior to the meeting. The CVS Requirements document had some more features recommended for inclusion in the next version. The Authorisation Functional Components document also had some useful enhancements suggested for inclusion. VOMS and PERMIS profiles have been posted to the WG mailing lists, and some enhancements were suggested to the VOMS profile. The meeting concluded with planning dates and times for the next teleconferences. The minutes of the OGSA AUTHZ WG meeting can be found at https://forge.gridforum.org/sf/go/doc13860?nav=1.