
RE: [ggf-ogsa-sec-wg] New specs released: WS-SecurityPolicy, WS-Trust, WS-SecureConversation, WS-Policy, WS-PolicyAttachments, WS-PolicyAssertions




Correction: Identifying the *need* for such a profile document to be
written -- but not necessarily writing it -- is what this workgroup is
all about... :-)

/Olle

-----Original Message-----
From: owner-ogsa-sec-wg@gridforum.org
[mailto:owner-ogsa-sec-wg@gridforum.org]On Behalf Of Olle Mulmo
Sent: den 19 december 2002 18:58
To: ksankar@cisco.com; ogsa-sec-wg@gridforum.org
Subject: RE: [ggf-ogsa-sec-wg] New specs released: WS-SecurityPolicy,
WS-Trust, WS-SecureConversation, WS-Policy, WS-PolicyAttachments,
WS-PolicyAssertions



Hmm? "implement them in multiple ways"... Isn't that exactly what we have
already? That is, a framework that specifies what messages should flow in
what direction, but refraining from defining the payload (or recommending
a set of different payloads).

I see OGSA-sec as the forum where we discuss and propose a set of
"profiles" that augments the WSS standards such that they foster
interoperability as well as addressing the special security related
concerns that we have in a grid environment.

This of course means we have to evaluate WSS to begin with. Let's assume
we have, for the sake of argument, and also assume that SAML is the OGSA
choice for defining privilege assertions.

<example>
	When delegating privileges, you may want to produce a chain of
	assertions: An authority issues privilege P with delegation rights
	to user X, and X in turn delegates P to user Y.

	Markus Lorch and I recently noticed that such chaining of SAML
	assertions is not a straightforward task, as SAML wasn't
	architectured for such scenarios: to begin with, the formats of the
	"issuer" and "subject" fields are different... in the SAML mailing
	lists archive there is a discussion about this but the issue was
	never resolved as it was considered "out of scope".

	If this workgroup concurs that this is indeed an issue for OGSA,
	someone needs to write up a specification on how to create chained
	SAML assertions in a non-ambiguous manner.
</example>

The "profile" document emerging from the example above is what this
workgroup is all about.

Or have I understood things wrong?

/Olle
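
The chaining problem in the example above (a bare issuer string has to be matched against a structured subject), sketched as an added illustration that is not part of the original thread. Assertions are simplified records rather than real SAML XML, signatures are assumed to be verified already, and the mapping rule in `subject_as_issuer` is a hypothetical profile choice.

```python
from dataclasses import dataclass
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

@dataclass(frozen=True)
class NameIdentifier:          # simplified stand-in for a SAML subject name
    value: str
    fmt: str = ""
    name_qualifier: str = ""

@dataclass(frozen=True)
class Assertion:               # simplified stand-in; issuer is a bare string
    issuer: str
    subject: NameIdentifier
    privilege: str
    may_delegate: bool

def subject_as_issuer(subject):
    """Hypothetical profile rule: only an unqualified X.509 subject name
    maps to an issuer string; anything else is ambiguous and rejected."""
    if subject.fmt != X509_FMT or subject.name_qualifier:
        return None
    return subject.value.strip()

def verify_chain(chain, trusted_authority, privilege):
    """Return (ok, reason) for a delegation chain ordered root first."""
    if not chain:
        return False, "empty chain"
    if chain[0].issuer != trusted_authority:
        return False, "root not issued by trusted authority"
    if any(a.privilege != privilege for a in chain):
        return False, "privilege mismatch"
    for i, (prev, cur) in enumerate(zip(chain, chain[1:]), start=1):
        if not prev.may_delegate:
            return False, f"link {i}: previous holder may not delegate"
        expected = subject_as_issuer(prev.subject)
        if expected is None:
            return False, f"link {i}: previous subject cannot be mapped to an issuer"
        if cur.issuer.strip() != expected:
            return False, f"link {i}: issuer is not the previous subject"
    return True, "ok"

# Constructed sample data: authority -> X -> Y for privilege "P".
AUTH = "CN=Authority,O=Example Grid"
X = NameIdentifier("CN=User X,O=Example Grid", X509_FMT)
Y = NameIdentifier("CN=User Y,O=Example Grid", X509_FMT)
GOOD = [Assertion(AUTH, X, "P", True), Assertion(X.value, Y, "P", False)]
# X named by a qualified e-mail address: no unambiguous issuer string exists.
X_MAIL = NameIdentifier("x@example.org", "", "example.org")
AMBIGUOUS = [Assertion(AUTH, X_MAIL, "P", True), Assertion("x@example.org", Y, "P", False)]
```
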

-----Original Message-----
From: owner-ogsa-sec-wg@gridforum.org
[mailto:owner-ogsa-sec-wg@gridforum.org]On Behalf Of Krishna Sankar
Sent: den 19 december 2002 16:55
To: ogsa-sec-wg@gridforum.org
Subject: RE: [ggf-ogsa-sec-wg] New specs released: WS-SecurityPolicy,
WS-Trust, WS-SecureConversation, WS-Policy, WS-PolicyAttachments,
WS-PolicyAssertions


Yep, we need to internalize the concepts and extend them to the Grid
domain. I would like to see an abstraction layer incorporating these
concepts and a plug-in type extensible architecture so that we could
implement them in multiple ways. Would like to be part of the
discussions.

Cheers & happy holidays

-----Original Message-----
From: owner-ogsa-sec-wg@gridforum.org
[mailto:owner-ogsa-sec-wg@gridforum.org] On Behalf Of Marty Humphrey
Sent: Wednesday, December 18, 2002 9:41 AM
To: ogsa-sec-wg@gridforum.org
Subject: [ggf-ogsa-sec-wg] New specs released: WS-SecurityPolicy,
WS-Trust, WS-SecureConversation, WS-Policy, WS-PolicyAttachments,
WS-PolicyAssertions


Folks,

Six new specs have been released (today, I believe) that are related to
our OGSA SEC efforts. These are:

[1] WS-SecurityPolicy
[2] WS-Trust
[3] WS-SecureConversation
[4] WS-Policy
[5] WS-PolicyAttachments
[6] WS-PolicyAssertions.

The key, of course, is how we see these fitting into our efforts. 

Many of these documents are co-authored by multiple organizations (e.g.,
Microsoft, Verisign, IBM, RSA, etc.). See
http://msdn.microsoft.com/webservices/understanding/gxa/default.aspx for
the Microsoft links to these documents.

We need to carefully read these (as a community) and evaluate them.
Something to do over the Holidays! :^)

-- Marty

Marty Humphrey
Assistant Professor
Computer Science Department
University of Virginia