MACE-paccman call: 3-March-2011

Attending

Keith Hazelton (Co-Chair)
Rob Carter, Duke
RL "Bob" Morgan, U. Washington
Michael Gettes, CMU
Chris Hyzer, U. Penn.
Benn Oshrin, Internet2
Boyd Wilson, Clemson
Mike Gossett, Clemson
Billy Cook, Clemson
Scott Cantor, OSU
Tom Barton, U. Chicago
Tom Zeller, U. Memphis
Ann West, Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2

New Action Items

[AI] (Rob) will post the caBIG use cases on the wiki at https://spaces.internet2.edu/display/macepaccman/Use+Cases

[AI] (Keith) will email the list with details of the March 14 MACE call (DONE)

[AI] (Keith) will attach to the wiki Boyd's "Authentication, Provisioning, and Authorization" diagram (DONE) https://spaces.internet2.edu/display/macepaccman/Home

Carry Over Action Items

[AI] (Keith) will continue to investigate funding to obtain --- for a period of investigation --- the Axiomatics Policy Server and Administration Point.

DISCUSSION

Joint Call with MACE

The joint call of MACE and the paccman working group is scheduled for Monday, March 14 at 1:30 pm ET.
Purpose: to review the paccman charter and discuss a paccman work plan for the upcoming year.
The PIN # for the call was sent out in an email on March 3.
Contact Steve Olshansky if you have misplaced the PIN and want to join that call.

Advance CAMP

MACE-paccman participants are encouraged to:

1. Register for Advance CAMP https://spaces.internet2.edu/display/ACAMPIdSummit2011/Home

2. Contribute topics for Advance CAMP on the wiki at https://spaces.internet2.edu/display/ACAMPIdSummit2011/Participants+and+Requested+Topics

Advance CAMP will use an Unconference format, so topics are determined by the community.

Axiomatics Policy Server and Administration Point

Keith reported that obtaining the Axiomatics Policy Server and Administration Point for a period of investigation costs $5K. U-Wisc. Madison will most likely provide about $2K; Keith is looking for other schools to partner on the remainder.

Q : is there a viable open source alternative?

Keith: not aware of a good open source alternative.

Direction for MACE-paccman Working Group

Should MACE-paccman continue a focus on permission management?

RL "Bob": There is value in the discussion of permission management.
However, there is some danger that developers do what they do and architects discuss, without that architectural discussion having a huge impact.
Michael: don't want this call to be focused on Grouper to the exclusion of other permission management approaches
Michael: discussions of Grouper can happen on the Grouper call
Keith: good topics for paccman are :
how permissions are modeled and
the semantics around permissions
Beyond permissions management, what are our thoughts about MACE-paccman addressing the topic of authorization?

Boyd's diagram provides a good map of areas to focus on (permissions management, authorization, provisioning and deprovisioning, and federation).
The issue of XACML, and what's viable/doable now versus in the future, is tricky.
TomB: delegation is another important area for design and implementation.

Improving Campus Access Management Practices

TomB: one of the long-term objectives of the Internet2 Middleware Initiative is to improve campus level of practice.
Grouper tries to provide one path towards access management practice, but this is NOT a primary focus of the Grouper Working Group
It's up to MACE-paccman to take ownership of suggesting good practices in access management

Authentication, Provisioning, and Authorization diagram

Boyd noted that this diagram is preliminary and he is very open to feedback.

https://spaces.internet2.edu/display/macepaccman/Home
Boyd's comments on the diagram:

Divided the space into 3 big areas:
Federated, Redirected Authentication -
may have missed some of the protocols, those shown are examples
Provisioning and Deprovisioning -
subject and resource provisioning,
need to discuss the rest of the story, the application specific aspects
Federated, Redirected Authorization
from a security standpoint, the authorization rules/constructs should be centrally stored and audited for use across multiple applications
May want to add some notion of delegation
May want to incorporate the term "access management"
Clemson realizes the need for interoperability and making things pluggable (using common libraries or interfaces)
This is being done with federation and SAML
Michael: A simplified version of this diagram (without products) could be helpful

Keith:

The central column is great at showing how to break down the space.
In provisioning and deprovisioning we are jostling around, and the FIFER project is involved in developing common APIs
XDS is a directory interface. OASIS looked at XDS, but adopted SAML. However, Novell still uses XDS. Clemson uses XDS on some of their provisioning connectors.

Mike Gossett:

Central column of the diagram represents interoperability
The goal is that the specifics (SAML, OpenID, XDS) can change as long as there is interoperability.
Rules of how to control access to resources at an organization are independent of how a person is authenticated
The dream is that a person can have their own authentication provider. When the person goes somewhere on the web, they specify the authentication provider and what information (identifiers) can be released.
RL "Bob" stated that Personal Data Ecosystems are trying to provide that. http://personaldataecosystem.org/

Provisioning:

MikeGossett: Provisioning can apply to many different kinds of info
Groups can be provisioned, resource info can be provisioned, etc.
Ideally, provisioning allows cutting down the administration of things, to have all constructs in one place for applications to use in their own way
Keith: yes, and the discussion of push vs pull is also important, and this is playing out in the provisioning space
U-Wisc is working on "provision on first access" -- it's sort of a hybrid
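To make the push versus pull versus "provision on first access" distinction concrete, here is an added Python sketch. It is not code from U-Wisc, Clemson, or any product mentioned on this call; the registry, the four applications, the Person fields and the access rule are all constructed for illustration. It runs one account through join and leave against an application provisioned by push, one by scheduled pull, one by provision on first access only, and one hybrid that re-reads the registry on every access, and reports which of them still grants access at each stage.

```python
"""Push, pull and provision-on-first-access, side by side (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Person:
    """Identity record held by the authoritative source (constructed fields)."""
    eppn: str          # eduPersonPrincipalName, the subject identifier
    affiliation: str   # eduPersonAffiliation value used by the access rule
    active: bool = True


class Registry:
    """Authoritative identity source; stands in for a campus person registry."""

    def __init__(self) -> None:
        self.people: Dict[str, Person] = {}
        self.push_targets: List["App"] = []

    def upsert(self, person: Person) -> None:
        self.people[person.eppn] = person
        for app in self.push_targets:        # push: fan the change out immediately
            app.receive_push(person)

    def deactivate(self, eppn: str) -> None:
        self.upsert(replace(self.people[eppn], active=False))

    def lookup(self, eppn: str) -> Optional[Person]:
        return self.people.get(eppn)


class App:
    """Relying application with its own local account store.

    mode is one of:
      "push"          registry sends every change; local store is always current
      "pull"          app copies the registry on its own schedule via sync()
      "first-access"  hybrid: account created from registry data at first login;
                      recheck=True also re-reads the registry on every later login
    """

    def __init__(self, name: str, mode: str, registry: Registry, recheck: bool = False) -> None:
        self.name, self.mode, self.registry, self.recheck = name, mode, registry, recheck
        self.accounts: Dict[str, Person] = {}
        self.audit: List[str] = []        # one line per provisioning event and decision
        if mode == "push":
            registry.push_targets.append(self)

    @staticmethod
    def entitled(p: Optional[Person]) -> bool:
        # Access rule, independent of how the subject authenticated (constructed rule)
        return p is not None and p.active and p.affiliation in ("faculty", "staff", "student")

    def receive_push(self, p: Person) -> None:
        self.accounts[p.eppn] = p
        self.audit.append(f"{self.name}: push {'disable' if not p.active else 'upsert'} {p.eppn}")

    def sync(self) -> None:
        """Pull: copy the registry; anything that vanished upstream is disabled locally."""
        for eppn, local in list(self.accounts.items()):
            if self.registry.lookup(eppn) is None:
                self.accounts[eppn] = replace(local, active=False)
        for p in self.registry.people.values():
            self.accounts[p.eppn] = p
        self.audit.append(f"{self.name}: pull sync ({len(self.accounts)} accounts)")

    def access(self, eppn: str) -> bool:
        """An authenticated user asks for access; returns the decision."""
        if self.mode == "first-access" and (eppn not in self.accounts or self.recheck):
            p = self.registry.lookup(eppn)
            if p is not None:
                self.accounts[eppn] = p
                self.audit.append(f"{self.name}: provisioned {eppn} on access")
        decision = self.entitled(self.accounts.get(eppn))
        self.audit.append(f"{self.name}: access {eppn} -> {'allow' if decision else 'deny'}")
        return decision


def run_scenario() -> Dict[str, Dict[str, bool]]:
    """One registry, four apps, one lifecycle: join, nightly sync, leave, next sync."""
    reg = Registry()
    apps = {
        "push": App("wiki", "push", reg),
        "pull": App("lms", "pull", reg),
        "first-access": App("calendar", "first-access", reg),
        "first-access+recheck": App("vpn", "first-access", reg, recheck=True),
    }
    who = "alice@example.edu"                       # constructed subject
    reg.upsert(Person(who, "staff"))
    after_join = {k: a.access(who) for k, a in apps.items()}
    apps["pull"].sync()                             # the nightly pull job runs
    reg.deactivate(who)                             # Alice leaves
    after_leave = {k: a.access(who) for k, a in apps.items()}
    apps["pull"].sync()                             # next nightly pull job
    after_next_sync = {k: a.access(who) for k, a in apps.items()}
    return {"after_join": after_join, "after_leave": after_leave,
            "after_next_sync": after_next_sync}


if __name__ == "__main__":
    for stage, decisions in run_scenario().items():
        print(stage, decisions)
```

What the run shows: the pull application cannot admit Alice until its sync has run, and keeps admitting her after she leaves until the next one; push and the rechecking hybrid track the registry immediately. The plain provision-on-first-access application is the caveat: it removes the latency of a pull schedule for new users, but on its own it has no deprovisioning path at all, so an account provisioned once is never revoked unless the application also re-reads the registry at each access or receives deactivations by push.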

COmanage International Call News

Benn reported that on the COmanage International Call, representatives from the Dutch research network (SURFnet) were looking at the FIFER API work. There is an element there about privilege queries for the group API. The Dutch are highly interested in an API for access management.

https://wiki.jasig.org/display/FIFER/Group+API+Data+Structures+and+Operations

2011 Spring Member Meeting
MACE-paccman Working Group scheduled for: April 18, 2011, 12:00 PM - 1:00 PM http://events.internet2.edu/2011/spring-mm/agenda.cfm?go=session&id=10001793&event=1035
Session on Authorization and Intelligent Design April 19, 2011, 4:30 PM - 5:30 PM http://events.internet2.edu/2011/spring-mm/agenda.cfm?go=session&id=10001721&event=1035

Next Calls

Joint call with MACE and MACE-paccman: Monday, March 14 at 1:30 pm ET
MACE-paccman call: Thursday, March 17 at 1:00 pm ET