[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [ggf-ogsa-sec-wg] New specs released: WS-SecurityPolicy, WS-Trust, WS-SecureConversation, WS-Policy, WS-PolicyAttachments, WS-PolicyAssertions

>>>>> " " == Olle Mulmo <mulmo@pdc.kth.se> writes:

 > Hmm? "implement them in multiple ways"... Isn't that exactly what we have
 > already? That is, a framework that specifies what messages should flow in
 > what direction, but refraining from defining the payload (or recommending
 > a set of different payloads).

 > I see OGSA-sec as the forum where we discuss and propose a set of
 > "profiles" that augments the WSS standards such that they foster
 > interoperability as well as addressing the special security related
 > concerns that we have in a grid environment.

 > This of course means we have to evaluate WSS to begin with. Let's assume
 > we have, for the sake of argument, and also assume that SAML is the OGSA
 > choice for defining privilege assertions.

 > <example>
 > 	When delegating privileges, you may want to produce a chain of
 > 	assertions: An authority issues privilege P with delegation rights
 > 	to user X, and X in turn delegates P to user Y.

 > 	Markus Lorch and I recently noticed that such chaining of SAML
 > 	assertions is not a straightforward task, as SAML wasn't
 > 	architectured for such scenarios: to begin with, the formats of the
 > 	"issuer" and "subject" fields are different... in the SAML mailing
 > 	lists archive there is a discussion about this but the issue was
 > 	never resolved as it was considered "out of scope".

It is my understanding that the SSTC is aware of this hinderance and
has it on their short list of things to fix.

 > 	If this workgroup concurs that this is in deed an issue for OGSA,
 > 	someone needs to write up a specification on how to create chained
 > 	SAML assertions in a non-ambigious manner.
 > </example>

 > The "profile" document emerging from the example above is what this
 > workgroup is all about.

 > Or have I understood things wrong?

 > /Olle

 > -----Original Message-----
 > From: owner-ogsa-sec-wg@gridforum.org
 > [mailto:owner-ogsa-sec-wg@gridforum.org]On Behalf Of Krishna Sankar
 > Sent: den 19 december 2002 16:55
 > To: ogsa-sec-wg@gridforum.org
 > Subject: RE: [ggf-ogsa-sec-wg] New specs released: WS-SecurityPolicy,
 > WS-Trust, WS-SecureConversation, WS-Policy, WS-PolicyAttachments,
 > WS-PolicyAssertions


 > Yep, we need to internalize the concepts and extend them to the Grid
 > domain. I would like to see an abstraction layer incorporating these
 > concepts and a plug-in type extensible architecture so that we could
 > implement them in multiple ways. Would like to be part of the
 > discussions.

 > Cheers & happy holidays
 > -----Original Message-----
 > From: owner-ogsa-sec-wg@gridforum.org
 > [mailto:owner-ogsa-sec-wg@gridforum.org] On Behalf Of Marty Humphrey
 > Sent: Wednesday, December 18, 2002 9:41 AM
 > To: ogsa-sec-wg@gridforum.org
 > Subject: [ggf-ogsa-sec-wg] New specs released: WS-SecurityPolicy,
 > WS-Trust, WS-SecureConversation, WS-Policy, WS-PolicyAttachments,
 > WS-PolicyAssertions


 > Folks,

 > Six new specs have been released (today, I believe) that are related to
 > our OGSA SEC efforts. These are:

 > [1] WS-SecurityPolicy
 > [2] WS-Trust
 > [3] WS-SecureConversation
 > [4] WS-Policy
 > [5] WS-PolicyAttachments
 > [6] WS-PolicyAssertions.

 > The key, of course, is how we see these fitting into our efforts. 

 > Many of these documents are co-authored by multiple organizations (e.g.,
 > Microsoft, Verisign, IBM, RSA, etc.) See
 > http://msdn.microsoft.com/webservices/understanding/gxa/default.aspx for
 > the Microsoft links to these documents. 

 > We need to carefully read these (as a community) and evaluate them.
 > Something to do over the Holidays! :^)

 > -- Marty

 > Marty Humphrey
 > Assistant Professor
 > Computer Science Department
 > University of Virginia



--
mailto:gary.ellison@sun.com
"A lie stands on one leg, the truth on two" -- Dr. Benjamin Franklin