
[ggf-ogsa-sec-wg] GGF7 BOF REQUEST - Security Policy Expression, Exchange and Processing WG



FYI. Don't know if we will get the BOF. Would appreciate comments and
insight.

Pardon me for the spam - am not sure if the membership on security-wg
and ogsa-sec-wg intersect or if one is a subset of the other.

cheers

-----Original Message-----
From: Krishna Sankar [mailto:ksankar@cisco.com] 
Sent: Monday, February 10, 2003 6:40 PM
To: 'humphrey@cs.virginia.edu'; 'tuecke@mcs.anl.gov'
Cc: 'mulmo@pdc.kth.se'; 'Dane D. Skow'
Subject: GGF7 BOF REQUEST - Security Policy Expression and Exchange WG


Title : Security Policy Expression, Exchange and Processing WG
-------

Synopsis:
---------

	The roadmap talks about the "Grid Service Reference and Service
Data Security Policy Decoration Specification". This specification is
aimed at describing the various elements required to express the
security characteristics of a "pipe". Simultaneously we also need to
describe a policy based processing model. 

	Dr. Neuman in his talk "Coordinating Policy Across Enterprises"
described how the Grid is a federated system (with potential for
unprecedented access) and control of the system rests in many hands and
policies originate from many sources. In fact even credentials could
have policies in them (for example, a gift card has no identity but a
policy). 

	To achieve coordinated policy implementations, we should have a
cohesive and coherent policy substrate across the different aspects of
grid. This applies not only to cross-domain administration and control
but also vertically across the different layers of the grid services. 

	This wg would concentrate on the expression, interpretation,
negotiation and ultimately enabling secure interactions between
services. I think we would also get into intermediaries and proxies as
well.

	The roadmap document also describes the security services
operation domain and the "Secure Service's Policy and Processing"
specification. Most probably we would have to define the processing as a
part of this wg - we really cannot specify elements without explaining
what they mean and without a crisp processing model.

	At the A (Architecture) and I (Infrastructure) layer, we would
capture the serviceData (and associated vocabulary) and
the behavior of the channel layer of a service.
	
	There are a few of the WS-XXXXX proposals out in this domain
providing interoperable syntax and semantics at the wire level -
WS-Security, WS-Security-Profile, .... We need to ask (and answer!) the
questions:

	What abstractions do we need? What would the stack look like -
from Architecture to on-the-wire format? What are the dependencies?
And what WS-XXXXX specifications are relevant here?

	A related concept is the profiling of specifications - we might
have to pick a subset of the relevant specifications applicable to the
grid domain and specify that subset as a profile for the Grid Services.
That way we should be able to eliminate complexity and also provide
crisp interfaces that are really applicable. 

Other interested parties :
--------------------------

	I know Olle is interested and am sure that he would influence
the discussions. If there could be a vice-lead position for the BOF, I
recommend Olle.

cheers

------------------------------------------------------------
       |          |             Krishna Sankar
      :|:        :|:            Distinguished Engineer
     :|||:      :|||:           
 ..:|||||||:..:|||||||:..       (Ph) 408-853-8475
    Cisco  Systems Inc          ksankar@cisco.com
------------------------------------------------------------
"None of us is as smart as all of us"
------------------------------------------------------------