
RE: [ggf-ogsa-sec-wg] Two documents



Von, Brian, Ian + Others,

I don't want to have an endless debate on 
politics here. We need to focus our energy 
on solving the problems at hand not creating 
new ones. (And I already spent much too much
time crafting this reply) I'll thus leave 
it at this, trying to explain my motivation.

I am not at all targeting you guys' work 
and realize that without the Globus + IBM 
contributions this WG would prob. not have 
produced anything up to now. 

I was trying to give some constructive 
criticism suggesting things that could be 
done differently in the future to foster 
a more tightly knit community for this WG
and leveraging the other members better.  
Telling the rest of the WG what you are up to
and having that reflected in the charter 
(i.e. before things are posted on the official 
meeting web page) doesn't hurt but would help 
to make the WG feel more like a group that 
works together. We could also leverage our
group web page for the dissemination of
document drafts in an earlier state.

Markus

>  I'll restate the point that Brian made, is that these documents are
> just another form of WG communication. By putting them on the web page
> this implies no endorsement by the WG, it's just a means of making
> them public both to the WG and the world. And I understand it is a
> requirement for discussion at GGF.
> 
>  Our intent with these documents is to show the WG, in detail, what we
> think is needed and our initial thoughts on how to go about it, to act
> as a stake in the ground to spur conversation around that stake (with
> one possible result being its rejection). Also I see them driving us
> to figure out, assuming we choose to, how to deal with such
> specifications.
> 
> Von
> 
> Markus Lorch writes (15:54 February 16, 2003):
>  > I really think these contributions move the community forward and are
>  > needed, however, I would have welcomed some sort of announcement and
>  > discussion on the mailing list before the documents are submitted
>  > to the GGF website.
>  > 
>  > The purpose of providing documents to the webmaster before a meeting is
>  > to give "outsiders" a way to inform themselves of what the working group
>  > is currently doing, what are its current products, and what will be
>  > discussed at the in-person meeting such that they can make an informed
>  > decision on attending/joining. I do not think these two documents serve
>  > that purpose. To mitigate this issue, we could probably have a short
>  > presentation on these docs under the agenda point of "Status of ongoing
>  > web services security work". Is that what you planned Raj, Marty?
>  > 
>  > In general this raises the question of how do these documents fit into
>  > the charter "The purpose of the OGSA Security WG (OGSA-Sec) is to
>  > enumerate and address the Grid Security requirements in the context
>  > of the OGSA." ?
>  > 
>  > These documents present "bottom-up draft specifications". A secondary
>  > task of this WG is to spawn other WGs to address such approaches. Is this a
>  > case where we need to spawn off another short-lived, specialized group?
>  > 
>  > Otherwise, in the general spirit of having very precise and focused
>  > charters in GGF, we should possibly consider to modify the charter to allow
>  > for such work.
>  > 
>  > Comments, thoughts?
>  > 
>  > Three comments on the SAML doc:
>  > 
>  > - 3.1.6 "capability" may be the incorrect term here. In traditional
>  > scenarios a capability has two explicit components: the right it
>  > provides and the object this right can be used on, the holder of the
>  > capability (and thus who can use it) is implicit. (this is the
>  > complement to an ACL, where you have holder and right explicit and
>  > the object is implicit)
>  > The way such push scenarios are often implemented (e.g. in PRIMA, see
>  > zuni.cs.vt.edu/grid-security) all three components are explicit. A
>  > better term may be "privilege" or simply assertion. I myself like
>  > privilege.
>  > 
>  > - 3.1.7 You address the issue of server authorization, which I think
>  > is very important. Along these lines isn't it equally important for
>  > a user/requestor to determine what subset of his rights should be used
>  > for a specific access (may be used by the server to make an
>  > authorization decision). This is where the push model comes into play where
>  > the user can be in the loop and select the rights/privileges/assertions
>  > that should be presented to the grid services. This is a way to provide
>  > the user with the power to submit requests that leverage a
>  > least-privilege access scenario.
>  > 
>  > -8. Typo in Von's address : "University"
>  > 
>  > 
>  > Markus
>  > 
>  > 
>  > 
>  > 
>  > > -----Original Message-----
>  > > From: owner-ogsa-sec-wg@gridforum.org 
>  > > [mailto:owner-ogsa-sec-wg@gridforum.org] On Behalf Of Von Welch
>  > > Sent: Saturday, February 15, 2003 3:19 PM
>  > > To: ogsa-sec-wg@gridforum.org
>  > > Cc: Frank Siebenlist; Laura Pearlman; Samuel Meder
>  > > Subject: [ggf-ogsa-sec-wg] Two documents
>  > > 
>  > > 
>  > > 
>  > > All-
>  > > 
>  > >  We have a pair of documents we are submitting to you, the OGSA
>  > > Security Working group, for consideration. Both of these documents
>  > > represent bottom-up draft specifications of work we are actively
>  > > doing. We like to get input from the community and derive GGF
>  > > specifications from these drafts.
>  > > 
>  > > The documents are:
>  > > 
>  > >     *  "Use of SAML for OGSA Authorization"
>  > > 
>  > >     * "A GSSAPI profile for security context establishment and message
>  > > protection using WS-SecureConversation and WS-Trust"
>  > > 
>  > >  Both of these documents have been submitted to the GGF webmaster for
>  > > posting on the document page. They are also available now at:
>  > > 
>  > > http://www.globus.org/ogsa/Security/
>  > > 
>  > > We will also send a note to the WG chairs and ask for discussion time
>  > > at GGF7.
>  > > 
>  > > Regards,
>  > > 
>  > > Von (for Frank, Laura, Sam and Von)
>  > > 
>  > > p.s. I'm writing this as I pack for vacation for a week so please be
>  > > sure to cc my colleagues during this time on any questions.
>  > 
>