From: FROHNER Akos [Akos.Frohner@cern.ch]
Sent: Friday, December 06, 2002 3:37 PM
To: Bob Jones
Subject: Re: Input for follow-on project

Well, I'm late, but getting close to the next ATF meeting I realised,
I've never answered this question:

On Tue, 2002-11-12 17:28:58 +0100, Bob Jones wrote:
> Hi,
>         Here are a summary following the ATF discussion during lunch. Note I
> have not used the ATF list for this because I would prefer to restrict this
> msg to EDG internal people only - so please send your replies to me and I
> will report on them collectively at the next ATF.
> 
[...]
> - porting mware to OGSA
> - security issues
  
  - authorization delegation in the OGSA environment 
    there is a proposal in EDG/SCG, but its implementation is not
    forseen soon, see HTTPS-G (which is something different, than
    HTTPG, proposed by the Globus team)
  
  - follow-up VOMS: the need is there and we will probably agree
    on something with others (e.g. CAS developers). I guess we
    cannot finish everything by the end of 2003, since we only 
    starting up know with the prototype.

  - moving closer to standards (IETF and not only GGF): the current
    use of data structures and protocols in grid security is slightly
    different from these standards. It is not much, but enough to
    prevent the use of commercial SSL libraries and co-operation
    with the industry. To improve this co-operation and let them 
    offer their tools we shall move closer to these standards or
    persuade everyone else to chnage and adapt our solutions.
    My personal feeling is that we (grid community) shall move.

  - policy based access control: there are plenty of possibilities
    for research and development in this field. It looks like the
    US projects were not eager to get into this field, but there
    are good european initiatives, like PERMIS.

  - "deployment" of security: security will not "happen" to the 
    services and applications by deploying some fancy RPMs. They
    have to modify ther software to incorporate access control
    checks (or in other words: policy enforcement), they have to
    configure their local environment and administrate their 
    central security services.
    Once we are finished with a security library (like LCAS or
    WP2's Java security), we still have 80% of the work ahead
    to make use of them.

Regards,
	Ákos