03/26/2009 9:59 PM
post6112
Meeting on 2009-03-20, 16:00 (CET) Notes
1) Debrief & Discuss the communication strawman document from Catania:
http://forge.gridforum.org/sf/docman/do/listDocuments/projects.pgi-wg/docman.root.input_documents.security_material.comm_profile
Duane:
go through the doc
consider a push model
client has credentials
SOAP into the doc
Morris:
SOAP is the protocol to go after
all agree to use SOAP?
Duane:
nail down: everything is on SOAP over http
SOAP over https:
types of credentials
message level encryption
-> SSL/TLS with http on top
TLS handshake is in there
how convey different attributes?
attr. certs X.509
proxy certs
SAML attr. in SOAP header (message level)
Morris:
optional supplemental?
Duane:
just do define
everybody should support one or more from the supplementals
we have to be precise with language
SOAP over https is applicable
Morris:
agreements:
- have to do attr. based authorization
- have to support at least one of the auth. mechanisms
- have this authentication in one bullet and have authorization options
Duane:
mixing TLS level with attr.
intend:
specify
- X.509 + attr. cert.
-> X.509 proxy cert. support as well
- one or more proxy certs
endpoint have to have the logic to handle proxies
endpoint: fine with conformance target
must support proxy certs
Morris:
full certificates
attributes
Duane:
nail down common set
couple of conform. targets
Morris:
complicated to mix X.509 proxies with attribute based authorization
Duane:
everybody should process proxy certs
common denominator = goal
service which can really interoperate
Morris:
everyone is supporting proxies and TLS
everybody PGI compliant has to implement proxy valid. chain
maybe some people use only full certs
Duane:
defining what people can use and not have to use
people can use own endpoint certs
agreement:
- SOAP
- services should understand proxy certificates
one cannot be compliant not using proxy val chain
be interoperable without changing the clients
Morris:
other parts of profiles
Duane:
not about UNICORE, ARC, ...
change endpoint?
or change client?
-> clients need no change is better
Morris:
maybe setups with full certificates
Duane:
in greater picture
Morris:
consider UNICORE - GENESIS-II interop
any kind of proxy val
Duane:
GENESIS implements proxy val
client can show up with something referring to X.509 proxy supp. + SAML attr. support
X.509 proxy supp. => full X.509 supp
Morris:
always use proxies?
Aleks:
you are not forced to use proxies
SOAP over https with proxy
Morris:
could supp full certs
Duane:
easier to supp proxy cert
decision making what to do
Morris:
not requiring the support of proxies is my goal
Duane:
you don't need proxy cert for UNICORE, gLite interop
for client no difference
UNICORE cannot accept proxy certs -> two different profiles
Duane:
does not require the use of proxy
Morris:
X.509 proxy cert exchange at SSL/TLS level
profile element of the whole picture
Duane:
must supp. proxies
server side
Morris:
will prepare factsheet with overview nailed down with things we have agreed on
-> keep discussion on mailing list
Duane:
agree: nail overview down
Morris:
discuss it on emails
this time not agree on authentication
Morris:
decouple it in a way we have to nail down these elements first
in the end: general things what community is thinking
suggestions:
email threads for discussion -> figures, ...
everybody is welcome to comment
question:
are attributes conform to profile?
Morris:
general concept: doc
something to discuss
nail down the semantics
-> communicate to relevant people
VOMS, SAML interface
Morris:
separate email thread XACML reformatting
other items??
continue with chapter 7
WS policy
two major problems
one case statically
300-400 VOs
at same epr
list of 400 VOs in...