MWSG12 List of Topics
---------------------

Description: "Owner"
Each topic has an "owner". The "owner" leads the discussion, appoints someone to take minutes, and collects these after the meeting. The minutes should specifically focus on: solved and unsolved issues, decisions, new actions, deadlines, names.

Topic 1: "Make the grid more accessible without substantially increasing the risk"
"Owner": Bob Cowles
Presentations:
- (Bob, any slides or is below enough?)
To discuss: The importance of Security and Policy on the one hand, and on the other the observation that the average (potential) user of the grid finds the security model very difficult. Somehow we have to make use of the grid more accessible without substantially increasing the risk - to the user and to the resource providers. Web SSO? Other? Related to Topic 2 below.

Topic 2: General discussion on GSI and SAML might be of interest.
"Owner": Morris Riedel and Christoph Witzig
Presentations:
- Shib in gLite, phase 3 (SAML) - Christoph Witzig
- Interoperability in OMII-Europe using the new standard-compliant SAML-based VOMS server - Morris Riedel/Vincenzo/Valerio
  [This talk will discuss how gLite and UNICORE use the SAML standard used by VOMS to handle attribute-based authz.]

Topic 3: Portal WG in EGEE
"Owner": (anyone volunteer)
Presentations: (?)

Topic 4: Long-range plans for EGEE-III, i.e. 2008-2010
"Owner": Ake Edlund, Dave Kelsey, John White
Presentations: (?)

Topic 5: TLS-AuthZ - description, status, legal (see Fredrik's comment below agenda)
"Owner": Simon Josefsson
Presentations:
"TLS-AUTHZ is a protocol to convey authorization information over TLS channels. It supports both X.509 Attribute Certificates and SAML Assertions for the authorization. I'll explain the protocol and what it may be used for, and highlight a related patent that you should be aware of if you are considering using this."

Topic 6: AuthZ interoperability
"Owner": Gabriele Garzoglio
Presentations: 20 min presentation, 1 hr discussion:
1) time constraints from EGEE and OSG for the release of an alpha/beta globus library. Two features are key in order to begin testing:
   -- support for parsing/manipulating obligations
   -- availability of a C library to write client software
2) what features of the C library are essential to write client software

Topic 7: CA plans and discussions on LoA
"Owner": Bob Cowles
Syncing MWSG with the CA world's plans and discussions on LoA and more
Presentations: (?)
Background:
"At the EUgridPMA meeting this morning I was asked to present relying party concerns. Mostly off the top of my head, I came up with the following unorganized set of bullet points. As I talked through them I could see that there were some common threads that circled back ... one of the most common was the veritable explosion in ways that people want to hook in identity management systems ... leading to different levels of assurance in the credentials; and the different ways of authenticating through KCA, Shib, virtual smartcard, portals. On the other side are the VOs and the service providers who want to somehow match up the Level of Assurance to the level of authorization for access to resources they are providing. In any case, I wanted to get some feedback on the list I presented and fill in any gaping holes. The next time people might be able to talk about both the overall relying party concerns and LoA issues is a short time away, at the MWSG meeting on June 11-12.

Here's the rather random and cryptic list:
- Identity Management systems: F2F, Shib, Univ systems, VSC
- Other authorities (Thawte?)
- Bridges
- Portals
- Attribute servers
- NIST SP 800 Certification & Accreditation
- Reliance on openSSL
- Proxy renewal
- CA certificate rollover
- Scalability of CRL checking
- Interoperability
- LoA
- Explosion of certificate profiles

In addition, Ian Neilson talked about concern for the complexity of dealing with the Authn/Authz environment we are creating -- and that we could end up with a design that is too unwieldy. We can ask relying parties now what they want to have in terms of LoA, but without any experience in actually dealing with them, we are unlikely to get detailed answers that are going to be useful - only general direction for a version 0.2 implementation to try out some ideas."

Topic 8: "grid access toolkit for MS Windows"
"Owner": Daniel Kouril
Presentations: 20 + 15 min
Background:
"We're putting together a "grid access toolkit for MS Windows" containing basic Windows tools that are necessary to access grid UI machines (i.e. management of proxy certificates and gsi-enabled ssh/scp clients). I could present the plan and current status in circa 15-20 minutes (probably it falls into Topic 1)."

Topic 9: Extensions of the gLite LB service
"Owner": Daniel Kouril
Presentations: 20 + 15 min
Background:
"Recently we spent some time working on possible extensions of the gLite LB service, which resulted in a service for alternative distribution of certificate revocation lists to relying parties. Using the LB notification infrastructure, it ensures a new CRL is delivered to subscribed relying parties almost immediately after publishing. It also allows retrieving a set of CRLs based on specific criteria given by the client, which might be useful for e.g. mobile clients. I could present the idea and implementation in 15-20 minutes."

Topic 10: VOMS Usage in various MW (Oscar Koeroo)
Time: 25+15
"Owner": Oscar Koeroo
Presentations: We've written a small doc that explains the problems around the interpretation of VOMS attributes in the production field.

--- APPENDIX ---

From: Fredrik Hedman
Date: Friday 1 June 2007 15:36:08 GMT+02:00
To: "project-eu-egee-middleware-security (Middleware Security Group)"
Subject: Issues with TLS-AUTHZ

Hi,

for those of you who were at the last MWSG meeting in San Diego you might remember that I talked briefly about TLS-AUTHZ in connection with things we are doing in the OMII-Europe project.

In principle this is a very useful RFC that joins TLS, attribute certificates and SAML in an interesting constellation: TLS-AUTHZ is a way to enable authorization within the TLS protocol that supports both X.509 Attribute Certificates and SAML Assertions, see: . (It is implemented in GnuTLS.)

However, there exists a patent license that covers the technology, see: . The patent is at http://www.wipo.int/pctdb/en/wo.jsp?wo=2006081085

The patent appears to cover (see claims 14-19) several common operations which use authorization data, including 'purchase orders', 'request a document', 'enter into an agreement', 'receiving electronic funds transmission', 'receiving a voting ballot'.

The patent license (see link above) grants rights to use the patent except for situations where you 1) explicitly reference a 'legal agreement' by a unique key, a name, file system reference, date, checksum etc, or 2) implicitly reference the 'legal agreement' by using the sender identity.

The IETF is currently evaluating whether to publish the protocol as a standard, and they are asking for input to be sent to tls@ietf.org, see . One approach would be to publish the document as an informational or experimental document. That would remove some of the IETF 'standard' label of the document. It is still published as an RFC, useful for references and to document the protocol.

How this patent came about can be discussed and clearly there should be plenty of prior art. In fact, the patent can be read as covering a *very* large set of AuthZ applications. Clearly a worry.

In any case, I think it is important that we state that the proposed RFC will not be used due to the patent license and that it should be an experimental or informational document and NOT a standard.

Please post comments to the list before Monday June 11.

Best Regards,
/Fredrik Hedman