
RE: [ggf-ogsa-sec-wg] Two documents
A couple of comments reflecting my perspectives:

* We surely need to start addressing such "bottom up" issues soon, as there is already (for example) an urgent practical need to have solutions to the issues covered by these two documents, so that we can achieve interoperability among different security technologies. If GGF doesn't address the issues raised by such documents, then either such interoperability will be achieved in some ad-hoc way, or won't be achieved at all, both of which seem bad outcomes.

* I think that OGSA-Sec participants would have been happier if some notice had been given that these documents were going to appear, and that is a fair perspective. However, I know that the authors have been incredibly busy getting GT3 alpha security nailed down, and weren't at all sure whether they would be able to get even these very early drafts ready in time. And as Brian Carpenter says, it is certainly good to have the documents out so that they can be discussed.

Regards -- Ian.


At 11:05 AM 2/17/2003 +0100, Olle Mulmo wrote:

Markus' note has some merits.

I have argued this important question of procedure previously on this
list and asked up-front how we are to deal with bottom-up approaches
in this WG (see mail archives), as they will surely appear sooner or
later.

In responses, people have argued that this WG does not have such a
mandate, that it should not deal with such issues at this early point in,
time, and that all IP issues should be dealt with before a particular
technology or message format can be accepted.

Yet, WHAM!, here are the documents, made by "rush-to-market guys". I'm
not criticizing them or their work -- I want this thing out the door just
as fast, and would consider myself a rushing guy in this context as well.

It is my conclusion that GGF has not yet provided a good forum for such
contributions.

My non-initiated suggestion is to break this WG into two: a research
group that continues the work on the roadmap, laying out the long-term,
high-level architecture; and a WG that operates in the web services space,
discussing the nitty-gritty protocol details of various service specs.

/Olle

-----Original Message-----
From: owner-ogsa-sec-wg@gridforum.org
[mailto:owner-ogsa-sec-wg@gridforum.org]On Behalf Of Markus Lorch
Sent: 16 February 2003 21:54
To: 'Von Welch'; ogsa-sec-wg@gridforum.org
Cc: 'Frank Siebenlist'; 'Laura Pearlman'; 'Samuel Meder'
Subject: RE: [ggf-ogsa-sec-wg] Two documents


I really think these contributions move the community forward and are
needed, however, I would have welcomed some sort of announcement and
discussion on the mailing list before the documents are submitted
to the GGF website.

The purpose of providing documents to the webmaster before a meeting is
to give "outsiders" a way to inform themselves of what the working group
is currently doing, what are its current products, and what will be
discussed at the in-person meeting such that they can make an informed
decision on attending/joining. I do not think these two documents serve
that purpose. To mitigate this issue, we could probably have a short
presentation on these docs under the agenda point of "Status of ongoing
web services security work". Is that what you planned Raj, Marty?

In general this raises the question of how do these documents fit into
the charter "The purpose of the OGSA Security WG (OGSA-Sec) is to
enumerate and address the Grid Security requirements in the context
of the OGSA." ?

These documents present "bottom-up draft specifications". A secondary
task of this WG is to spawn other WGs to address such approaches. Is this
a case where we need to spawn off another short-lived, specialized group?

Otherwise, in the general spirit of having very precise and focused
charters in GGF, we should possibly consider modifying the charter to
allow for such work.

Comments, thoughts?

Three comments on the SAML doc:

- 3.1.6 "capability" may be the incorrect term here. In traditional
scenarios a capability has two explicit components: the right it
provides and the object this right can be used on; the holder of the
capability (and thus who can use it) is implicit. (This is the
complement of an ACL, where you have holder and right explicit and
the object is implicit.)
The way such push scenarios are often implemented (e.g. in PRIMA, see
zuni.cs.vt.edu/grid-security) all three components are explicit. A
better term may be "privilege" or simply "assertion". I myself like
privilege.

- 3.1.7 You address the issue of server authorization, which I think
is very important. Along these lines, isn't it equally important for
a user/requestor to determine what subset of his rights should be used
for a specific access (which may be used by the server to make an
authorization decision)? This is where the push model comes into play,
where the user can be in the loop and select the rights/privileges/assertions
that should be presented to the grid services. This is a way to provide
the user with the power to submit requests that leverage a
least-privilege access scenario.

- 8. Typo in Von's address: "University"


Markus




> -----Original Message-----
> From: owner-ogsa-sec-wg@gridforum.org
> [mailto:owner-ogsa-sec-wg@gridforum.org] On Behalf Of Von Welch
> Sent: Saturday, February 15, 2003 3:19 PM
> To: ogsa-sec-wg@gridforum.org
> Cc: Frank Siebenlist; Laura Pearlman; Samuel Meder
> Subject: [ggf-ogsa-sec-wg] Two documents
>
>
>
> All-
>
>  We have a pair of documents we are submitting to you, the OGSA
> Security Working group, for consideration. Both of these documents
> represent bottom-up draft specifications of work we are actively
> doing. We like to get input from the community and derive GGF
> specifications from these drafts.
>
> The documents are:
>
>     *  "Use of SAML for OGSA Authorization"
>
>     * "A GSSAPI profile for security context establishment and message
> protection using WS-SecureConversation and WS-Trust"
>
>  Both of these documents have been submitted to the GGF webmaster for
> posting on the document page. They are also available now at:
>
> http://www.globus.org/ogsa/Security/
>
> We will also send a note to the WG chairs and ask for discussion time
> at GGF7.
>
> Regards,
>
> Von (for Frank, Laura, Sam and Von)
>
> p.s. I'm writing this as I pack for vacation for a week so please be
> sure to cc my colleagues during this time on any questions.
_______________________________________________________________
Ian Foster http://www.mcs.anl.gov/~foster
Math & Computer Science Div., Argonne National Laboratory, Argonne, IL 60439, U.S.A. 630 252 4619 (fax 5986)
Dept of Computer Science, The University of Chicago, Chicago, IL 60637, U.S.A. 773 702 3487 (fax 8487)
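An added illustration (not from any of the messages above, nor from PRIMA or the SAML draft) of the distinction Markus draws in his comments on 3.1.6 and 3.1.7: a capability leaves the holder implicit, an ACL entry leaves the object implicit, and a push-model privilege makes all three explicit, which lets the requestor present only the subset an access needs. The class, function and sample names are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class Capability:        # right + object explicit; the holder is implicit
    right: str
    obj: str


@dataclass(frozen=True)
class AclEntry:          # holder + right explicit; the object (the list owner) is implicit
    holder: str
    right: str


@dataclass(frozen=True)
class Privilege:         # all three components explicit, as in the push model
    holder: str
    right: str
    obj: str


def from_capability(cap: Capability, holder: str) -> Privilege:
    """Bind the implicit holder of a capability to make it explicit."""
    return Privilege(holder, cap.right, cap.obj)


def from_acl(entry: AclEntry, obj: str) -> Privilege:
    """Bind the implicit object of an ACL entry to make it explicit."""
    return Privilege(entry.holder, entry.right, obj)


def select_for_request(held: Iterable[Privilege], right: str, obj: str) -> FrozenSet[Privilege]:
    """Requestor side: push only the privileges this access needs (least privilege)."""
    return frozenset(p for p in held if p.right == right and p.obj == obj)


def server_decide(presented: Iterable[Privilege], subject: str, right: str, obj: str) -> bool:
    """Server side: decide solely from the pushed assertions; the authenticated
    subject must match the holder named in the assertion."""
    return any(p.holder == subject and p.right == right and p.obj == obj for p in presented)


# Constructed sample: one user holding privileges on two grid services.
ALICE = "alice"
HELD = {Privilege(ALICE, "read", "svc:data"), Privilege(ALICE, "write", "svc:data"),
        Privilege(ALICE, "admin", "svc:jobs")}


def demo() -> dict:
    pushed = select_for_request(HELD, "read", "svc:data")   # one assertion, not three
    return {"pushed": len(pushed),
            "read_ok": server_decide(pushed, ALICE, "read", "svc:data"),
            # alice holds write but did not push it, so a write is refused
            "write_denied": not server_decide(pushed, ALICE, "write", "svc:data"),
            # a replayed assertion naming another holder is refused
            "other_subject_denied": not server_decide(pushed, "mallory", "read", "svc:data")}
```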