GGF18, Washington, USA (11 -15 September 2006)

David Spence, CCLRC (Id: 114). 4th October 2006.
Shibboleth for Grids
The “Shibboleth for Grids” workshop consisted of four sessions. The first two sessions
consisted of progress reports from the Shibboleth and Grid integration projects which had been presented
at GGF16:
• Erik Vullings - presented the continuing Shibboleth work at MAMS in Australia and in particular
their IAM suite. This is a generalised collaboration platform allowing VO users to gain access
via Shibboleth to their VO’s resources, including Grid resources, in a non-VO-specific way.
• Christoph Witzig - presented the work SWITCH is doing as part of the EGEE-II project to
enable Shibboleth-based authentication to EGEE resources.
• Von Welch - presented an update on GridShib. Their recent work included providing means to
place SAML assertions into X.509 certificates (including OASIS standards) and integration with
myVocs.
• David Spence - presented progress with the ShibGrid project, which had not started at the time
of the GGF16 meeting. Areas covered included the project’s user requirements feedback and
the architecture developed.
• Richard Sinnott - presented various projects from NeSC, including the DyVOSE project
providing a dynamic privilege management infrastructure.
• Mike Jones - presented progress with the SHEBANGS and ShibVomGSite projects, along with
questions about levels of assurance and standards for mappings between Shibboleth attributes
and identities and X.509 DN identities and VOMS attributes.
• David Chadwick - presented GridShibPERMIS as a policy decision point for GT4 and the web,
and recent developments in ease-of-use through a policy editor and a simplified version of
PERMIS.
The third session was taken up by a talk detailing the result of the recent discussions in the Shibboleth
developer community over the features and implementation methods for Shibboleth 2.0. This talk was
given by Nate Klingenstein (a Shibboleth developer) and gave the Grid community a chance to see how
future developments in Shibboleth would affect their work and have their questions answered.
The fourth session looked at some current issues that have an effect on all Shibboleth-Grid integration
projects.
• Alan Sill - looked at issues with Shibboleth integration for registration systems, which is an
important issue, especially in systems which automatically generate X.509 identities for users.
In particular he detailed how Shibboleth can be used with VOMRS/VOMS and opportunities for
even deeper integration.
• Christoph Witzig - presented discussions that he has had with the IGTF and PMAs about
accreditation of Shibboleth-based CAs.
• Tom Scavo - presented some of the new OASIS standards which have been submitted as part
of the GridShib project, especially in the area of X.509 and SAML bindings.
These sessions proved informative about the direction that different projects are working towards and
the future of Shibboleth itself and its effect on Grid work in particular. The sessions showed that while
many people have arrived at the same core solution for converting Shibboleth authentication assertions
to GSI credentials (i.e. through the use of an online CA of some description), there was not much
consensus in areas such as registration, level-of-assurance, and identity and attribute mapping. Due to
time constraints the discussion on an interoperability test-bed and points for interoperability was
dropped; this would have been a great starting point for resolving these issues.
Towards Worldwide Grid User Support
This session looked at the area of providing consistent user support in Grids that span the whole globe,
where users may be in a different VO, continent and Grid from the resources they are employing. This is
driven by the co-operation between EGEE and the Open Science Grid (OSG), which are interoperating
to provide resources for the Worldwide LHC Computing Grid (WLCG). Both Torsten Antoni from the
GGUS support helpdesk in EGEE and Rob Quick from the OSG Grid Operations Centre presented
their individual solutions to large-scale user support and how the two systems were currently
interoperating. In both cases they have developed similar federated approaches consisting of VO-,
resource-, geographically- or function-local support units with a central system for routing non-local
queries.
This was a useful session looking at a non-technical issue which will affect Grids increasingly with
increasing numbers of users and resources. Although these two systems are currently interoperating
there seems to be an outstanding need to develop standard practices (and protocols) to support
increasing user levels.
Security Talks
Blair Dillaway from Microsoft described the company’s unified approach to trust, delegation and
authorization. This security policy assertion language (SecPAL) combines the best features of other
similar authorization schemes into an XML-based, declarative, logic-based security language.
Jeff Tan from Monash University talked about work done to circumvent institutions’ firewalls to enable
Grid access. For this he used a combination of SOCKS and SSH.
OGSA Auth WG meeting
In this working group session a new charter for OGSA Auth was agreed, extra features were suggested
for the Credential Validation Services (CVS) requirements document and some comments were made
on the PERMIS and VOMS profiles.
IGTF Issues
This session started with the introduction of the new IGTF logo and was followed by reports from the
three PMAs. The draft Member Integrated Credential Services (MICS) profile, which leverages a site’s
high-quality accounts database, was discussed along with changes to the Classic CA profile. This part
of the session led to a discussion of the relative roles of the IGTF and the PMAs.
In the second part of this session Peter Alterman gave a presentation on the Federal (US Government)
PKI Architecture. This talk especially focused on PKI trust bridges which allow trust to be bridged
between different trust providers. This talk proved useful in thinking about the future of Grid trust.
Firewall Issues RG
In this session Melinda Shore, from Cisco and chairperson of the IETF MIDCOM WG, presented the
various solutions to firewall issues to kick off the next stage of work in the Firewall Issues WG, the
production of an evaluation of IETF solutions to these problems and a solutions document. In addition
other solutions and discussion were led by Ralph Niederberger, Thijs Metsch and Jeff Tan, which
included ideas of how to “Grid-enable” firewalls.
Topics in Identity Management
The Topics in Identity Management session consisted of three talks: the first was by Von Welch, who
gave an overview of GridShib; the second and third were given by Stephen Langella (Ohio State
University) and detailed Dorian and the Grid Trust Service (GTS) respectively. These are components
which provide authentication, authorization, trust management and secure communications services
to medical collaborations. The Dorian system provides the Grid user account management function
and GTS provides secure inter-institutional trust. These talks were useful case studies in different
methods for providing easy-to-use secure access to Grid resources for non-Grid users.