Re: [ggf-ogsa-sec-wg] Re: Working towards the WG deliverables: architecture and roadmap
On Fri, 2004-03-19 at 02:13, FROHNER Akos wrote:
> Hi,
>
> I have raised my hand, so let me give you some comments to start with.
> So far OGSA-Sec was hanging in the air without any real implementations
> behind it, so it is hard to comment on something which I cannot test.
>
> To make this group useful for the future I suggest a slight change on
> the emphasis: you have a good top-level overview of the required security
> services, so start describing those services in detail!
>
> And start from a minimal set, which already exists today, although
> not with web services interfaces. So wrap them in WS, agree on the
> interface, so we can start using them. After this first cycle we can
> feed back our experiences on the APIs and on the more sophisticated
> services.
>
> To give some examples (according to your docs):
>
> Authentication: there are a couple of online CA proposals, which
> intend to provide a proxy for a session. Like MyProxy and once
> there was also the Virtual Smart Card project at SLAC.
>
> Delegation: the only feasible solution I know today is the GSI
> delegation, aka httpg.
httpg is http over GSI, which at this point is deprecated. We currently
do delegation by using GSI Secure Conversation. Just a nit...
> Have it documented here or anything
> similar. I know this is not ideal, because you cannot give
> sophisticated restrictions, but it works, and we want to use
> something in the services we write today.
> Once this is settled, we can move on to restrict it. But
> there are many groups out there dealing with policies, so
> the scope of this group should be really the protocol.
>
> Also think about an internal API for the services, on how
> they can use the delegated credentials.
What I would like to see is a separate (as in separate from the
authentication step) porttype for doing explicit delegation.
/Sam
> Credential Lifespan and Renewal: the only solution I know of
> today is EDG's modified MyProxy service, which provides proxy
> renewal for long running jobs. Have it described, documented,
> so others can comment on it and/or give their solutions.
>
> This is a good place for joint activities with Scheduling
> (long running jobs) and Data area (long file transfers).
>
> Attribute services: CAS, VOMS, Permis provide attribute certificates
> and I am sure there are many other attribute providers in other
> formats (e.g. local account database w/o AC format), so gather
> them and standardise the way a user (push model) or a service
> (pull model) can access them.
> I can give the WS interface of VOMS core as a starting point.
>
> Authorization: this should simply move to the OGSA-Authz group.
>
> Privacy, Confidentiality, Message Integrity: covered by XML
> security standards, so no need to describe them here again.
>
> Policy Exchange: covered elsewhere.
>
> Secure logging: I don't think it is OGSA specific, but rather
> a generic security issue. One can think of specialities on
> the subject (e.g. agreement on the logging format of DN to
> local username mapping).
> Once it is clear what has to be logged, then one can think
> of wrapping existing logging services in WS.
>
> ...
>
> and so on.
>
> If this group can address the first four by June, I would be happy.
>
> Cheers,
> Akos
--
Sam Meder <meder@mcs.anl.gov>
The Globus Alliance - University of Chicago
630-252-1752