© 2007 Open Grid Forum, CAOPS-WG. RP Namespace Constraints Policy. David Groep, CAOPS-WG, OGF20, May 8th, 2007.

Presentation transcript:

Slide 1 - RP Namespace Constraints Policy. David Groep, CAOPS-WG, OGF20, May 8th, 2007

Slide 2 - The Issue
- Subject names (in particular their string representation) are used in all authorization decisions
- The global X.500 namespace has not materialized
- Federations have a need to coordinate the namespace (and only sub-parts of the namespace may be part of the federation)
- RPs need a way to enforce this coordination

Slide 3 - Formats
- The Globus Toolkit v1.0 – 4.0 ‘pre-WS’ parts support a way of namespace constraining (‘signing policy’), but this capability was lost in the Java parts and never was part of other middleware
- Even in GT pre-WS, the signing policy file format is limited and has serious implementation limitations

Slide 4 - Current document
Abstract
1. Introduction
2. Namespace constraints policy
3. Requirements on the namespace constraints policy expression and interpretation
4. A possible implementation of a namespace constraints policy collection (file)
4.1 Expression language
4.2 Interpretation of the policy collection (file)
4.3 Naming and location of the policy collection (file)
5. Security Considerations

Slide 5 - Requirements section (current)
- It must be possible to have trusted issuers with and without namespace constraints policies co-exist within the same trusted repository.
- It must be possible to distribute a namespace constraints policy in conjunction with each individual issuer trust anchor.
- It must be possible to support the concept of “subordinate” issuers in a hierarchical chain of issuers, such that a single namespace constraints policy collection (file) supports the expression of namespace constraints on any subordinate issuer.
- The string rendering (identifier naming) of directoryNames and X.500 distinguished names in the policy expression must comply with RFC 2253.
- The format must be human readable, in order for relying parties to visibly inspect and assess the namespace constraints policy.
- The policy expression must support Unix-shell glob-style wildcard pattern matching. Wildcard matching must be possible anywhere in the pattern.
- It must be possible to explicitly set a namespace constraints policy for a subordinate issuer, without modifying the policy collection (file) for the upstream issuer(s). Such a policy on a subordinate issuer must override any policy defined in upstream policy collections (files).
- A subordinate authority trust anchor must be able to change (i.e. a subordinate could be compromised and re-keyed) without having to change the namespace constraints policy in any end-system configuration.

Slide 6 - Alternative formats
- As an experiment, the IGTF distributes the same information also in a ‘.namespaces’ file (see the eugridpma web site)
- meets some of the requirements listed previously
- not yet implemented anywhere

Example from the slide:

    TO Issuer "CN=SwissSign CA (RSA IK May :00:58),O=SwissSign,C=CH" \
      PERMIT \
      Subject "C=CH,O=SwissSign,CN=SwissSign Bronze CA"
    TO Issuer "C=CH,O=SwissSign,CN=SwissSign Bronze CA" \
      PERMIT \
      Subject "C=CH,O=SwissSign,CN=SwissSign Silver CA"
    TO Issuer "C=CH,O=SwissSign,CN=SwissSign Silver CA" \
      PERMIT \
      Subject "C=CH,O=Switch - Teleinformatikdienste,CN=SWITCH CA"
    TO Issuer "C=CH,O=Switch - Teleinformatikdienste,CN=SWITCH CA" \
      DENY \
      Subject "*,O=CERN,C=CH"
    TO Issuer "C=CH,O=Switch - Teleinformatikdienste,CN=SWITCH CA" \
      DENY \
      Subject "*,O=SwissSign,C=CH"
    TO Issuer "C=CH,O=Switch - Teleinformatikdienste,CN=SWITCH CA" \
      PERMIT \
      Subject "*,O=*,C=CH"
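As an added example (not code from the slides or from the IGTF distribution), a small Python parser and checker for ‘.namespaces’ rules of the kind shown above, which also exercises the glob-wildcard and ordered PERMIT/DENY behaviour the requirements slide asks for. Assumptions: a rule has the shape TO Issuer <dn> PERMIT|DENY Subject <pattern>, the first rule matching both issuer and subject decides, an issuer/subject pair that matches no rule is denied, and the sample policy text is constructed.

```python
import fnmatch
import shlex

# Constructed sample in the '.namespaces' style shown on the slide (a subset
# of the SwissSign / SWITCH chain); not the real IGTF distribution file.
SAMPLE_POLICY = r'''
TO Issuer "C=CH,O=SwissSign,CN=SwissSign Silver CA" \
  PERMIT \
  Subject "C=CH,O=Switch - Teleinformatikdienste,CN=SWITCH CA"
TO Issuer "C=CH,O=Switch - Teleinformatikdienste,CN=SWITCH CA" \
  DENY \
  Subject "*,O=CERN,C=CH"
TO Issuer "C=CH,O=Switch - Teleinformatikdienste,CN=SWITCH CA" \
  PERMIT \
  Subject "*,O=*,C=CH"
'''

def parse_namespaces(text):
    """Return (issuer_dn, action, subject_pattern) rules in file order.
    Backslash-continued lines form one rule; shlex keeps quoted DNs intact."""
    rules = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        rule_text, pending = pending + line, ""
        tok = shlex.split(rule_text)
        # Assumed rule shape: TO Issuer <dn> PERMIT|DENY Subject <glob pattern>
        if (len(tok) != 6 or tok[0] != "TO" or tok[1] != "Issuer"
                or tok[3] not in ("PERMIT", "DENY") or tok[4] != "Subject"):
            raise ValueError("malformed rule: %r" % rule_text)
        rules.append((tok[2], tok[3], tok[5]))
    if pending:
        raise ValueError("dangling continuation at end of policy")
    return rules

def is_permitted(rules, issuer_dn, subject_dn):
    """Decide whether issuer_dn may have issued a certificate named subject_dn.
    Assumed semantics: the first rule for this issuer whose glob matches the
    subject decides (the slide lists DENY before the broad PERMIT, which only
    works with first-match); no matching rule means deny, so the RP fails closed."""
    for issuer, action, pattern in rules:
        if issuer == issuer_dn and fnmatch.fnmatchcase(subject_dn, pattern):
            return action == "PERMIT"
    return False
```

Because a subordinate CA's own rules are keyed on its issuer DN, re-keying that CA does not change the policy text, which is the property the requirements slide asks for.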

Slide 7 - Forward?
- Refocus the document on requirements
- Then, get any format implemented widely
- Document that format through a second document