Changes between Version 2 and Version 3 of ClearinghousePanelSummary

11/15/11 14:45:23
Adam Slagell



On Nov. 2, 2011, during GEC 12, Adam Slagell moderated a panel on defining the clearinghouse roles and responsibilities. Ilia Baldine, Ted Faber and Andy Bavier were there in person, as well as Jeff Chase and 2 ProtoGENI representatives on the phone. The slides, based on the draft Clearinghouse Policy (both drafted by Adam Slagell and attached to this page), served as a starting point for discussion.
The conversation and slides began with a brief description of common definitions. Some of these were fairly new when Aaron Falk presented them at the previous GEC, but folks had mostly converged on common language before the GEC 12 panel. Some of the changes included a renaming of Management Authority to Aggregate Authority. Others focused on separating the identity portal from identity providers. New concepts were mostly related to projects and project leaders. The only contentious topic was what to call this oversight group and who should make it up. On the slides it was referred to as the GENI Oversight Group or GOG. All of these are discussed in the attached clearinghouse policy document.
Next discussed was the whole notion of project leader and why such a role was desired. It seemed as if most people agreed that the reasons given justify having project leaders. Questions of how to implement the concept (e.g., as an ABAC role or a separate credential) remain, as well as whether or not the aggregate managers (AMs) need to be aware of this concept. Another open question is whether or not a project member role is useful or needed. Project leaders and members could serve similar purposes to the groups in ORCA/BEN. The only thing that needs an immediate decision is how to implement this concept. Project leaders seem to make the most sense as an additional attribute, especially if GENI goes with ABAC. Still, we need to settle on a vocabulary as well as who can be project leaders. Ted Faber is working on that. It was strongly noted that the clearinghouse (CH) should delegate who could be assigning principals to the role of project leader. That seems workable as long as project leaders are required to register an account when creating a project, and those delegatees agree to share contact info with the CH. Of course, the clearinghouse does not need any info about those with project leader attributes who have not yet registered a project with the CH.
The primary and secondary purposes were discussed next on the panel. There seemed to be no opposition to the primary functions of the clearinghouse: endorsing agreements, registering project leaders, and registering projects. As a quasi-legal entity, the clearinghouse (CH) would serve as a trust anchor to minimize the number of pairwise agreements between GENI actors. Through some mechanism of endorsement, the CH would attest to official GENI identity portals, identity providers, slice authorities and aggregate authorities. A decision about the mechanism was not made but should be soon. Two basic approaches are available: a trusted directory service or a PMI-like asynchronous solution (e.g., ABAC). There was strong opposition to anything that would insert the CH into every resource allocation process in a blocking way, and there was general consensus that ABAC could solve this more elegantly. The big question that would then remain is how to handle revocation. Preferably, short-term credentials would be used with a trusted proxy renewal service, such as MyProxy.
Another big decision that needs to be made is who can bind projects to slices. It is at this step that all the actors involved (e.g., slice owner, slice authority, identity portal of the slice authority) are verified to be GENI-endorsed actors, because this is when a slice becomes a true CH-endorsed GENI slice. However, if implemented in ABAC, a slice authority (SA) could check all of these things as well as check that the slice owner has the rights to bind slices to a given project registered at the CH. If it is implemented this way, there would have to be some agreement with SAs that they would perform these same checks as well as answer questions from the CH or GMOC regarding the project a given slice is associated with.