National e-Science Centre
University of Glasgow
– 16 February, 2006
GGF 16 was largely a success, but more cooperation, collaboration and commitment are required from group members if any meaningful achievements are to be seen. It is recommended that task reports from previous GGF meetings be required and presented at GGF meetings. Similarly, where possible, schedules should be made for tasks that were agreed upon during meetings, as there seems to be a lack of continuity and commitment from previous meetings in some workgroups.
Specific recommendations for the group meetings I attended are included in this report. The recommendations range from attribute/schema mappings to refined and clear use cases for OGSA-DAI, ShibGrid and LSG-WG.
The meeting was chaired by David Chadwick and some significant progress was made, most notably on the need for a credential validation service (CVS). Distinctions were made between the authenticity and the validity of credentials. Similarities between Microsoft's security token service (STS) and the CVS were pointed out, suggesting a need for validation standards in the Grid community.
The meeting also saw the call for context parameters to augment the existing agreed security parameters: subject, action, target and environment. The need for context is easily emphasised in a dynamic environment where the security requirements for access roles change from time to time. Although a consensus was not reached at the meeting on the inclusion of context attributes, I do support and believe it is an attribute that still needs to be considered and included in the final workgroup release.
More participation is required in order to complete in earnest the objectives of the workgroup. I also recommended that existing solutions should be further investigated with respect to the existing agreed use cases. Solutions like ShibGrid and the interoperability of VOMS and Shibboleth should be further investigated. Lastly, attributes and metadata that are common to the Grid community need to be deliberated if security interoperability is to be achieved.
The meeting focused on how interoperation and interoperability can be achieved on the Grid. Four areas considered for interoperability were: security, job submission, data management and resource discovery. It was noted that significant progress is being made on interoperation, while a lot remains to be done in order to achieve interoperability. Interoperation exists where multiple machines from multiple vendors communicate with one another, which is at present being achieved through commonly agreed specifications and procedures. Interoperability is currently seen as the ability of software and Grid applications to work together seamlessly. Interoperability is deemed to be achievable where agreements on tools and frameworks can be reached.
All four interoperability areas were discussed, but the area that drew my attention was security. Security issues with regard to authentication and identity management were discussed. The issues included: certificate recognition and missing gridmap file entries; cross-boundary validation; and trust and security gaps that persist despite common GSI and PMAs.
Similarly, authorisation issues were deliberated upon. It was recommended that authorisation services should not be as tightly coupled to services as they currently are. It was also suggested that SAML should be considered in future upgrades of existing technologies, which would go a long way towards improving interoperability.
The ShibGrid meeting focused on the interoperability of Shibboleth with existing Grid security infrastructures like VOMS, CAS and PERMIS. The meeting was chaired by Von Welch, a forerunner of VOMS and Shibboleth. The meeting also saw the presence of an Internet2 development team member, who guided the group on forthcoming Shibboleth releases and functionalities. Shibboleth issues that bear on interoperability with existing Grid applications, like identity provider discovery and service delegation, were discussed and listed for further investigation ahead of the next GGF meeting. Other issues listed for investigation ahead of the next meeting included: refined VO definition, VO management interoperability, name mapping, shib-portal architecture and VO-VO federation.
The name mapping, shib-portal architecture and VO-VO federation recommendations are currently being investigated in Glasgow, and we will continue to research and deploy models to test and resolve these issues. Existing projects in Glasgow that are currently looking into these recommendations include ESP-Grid, VOTES, BRIDGES and
The main attention in this meeting was on augmenting the proposed standard to support revocation of proxy credentials without resorting to the brute-force method of revoking the user certificate. Other issues with the OCSP draft were discussed, such as the conformance of other standards to the proposed OCSP profile and the latency of certificate revocation as referenced in the draft.
In the Life Science group meeting little progress was made because the attendees lacked interest in the group's vision. In my opinion it is probably due to exhaustion from previous meetings. Also, there was little continuation or feedback from previous meetings to this meeting. The reason for this is not entirely clear to me, as this was my first GGF meeting. However, from the little deliberation that occurred it appears that the workgroup requirements were not understood by the majority of the participants.
It was recommended by a caGrid member and a member of my VOTES team that use cases for Healthcare and Life Science security requirements should be made available and shared on the mailing list before the next GGF meeting. Conclusions were reached, and Richard Sinnott of the VOTES team agreed to make use cases from the VOTES project available before the next GGF meeting. Drawing on our VOTES experience, we will be making these use cases available over the next few weeks.