© 2006 Open Grid Forum OGF20 LoA-RG Monday 11:00am Charter Suite 4 Chairs: Ning Zhang and Yoshio Tanaka.
Agenda today
- LoA-RG Charter
- Authentication use-cases
- Identifying LoA attributes

Administrative Information
- Name and Acronym: OGF LoA-RG (Levels of Authentication Assurance – Research Group)
- Chairs: Ning Zhang, Yoshio Tanaka
- List:
- Web page: jects.sec/wiki/LoAI

Group Mission
- Authentication LoA is determined by the authentication methods, processes and procedures used. It should be a factor in controlling access to resources with varying sensitivity levels and/or in environments with varying risk levels.
- This LoA-RG aims to investigate use case scenarios in e-Science/Grid contexts and to identify gaps in applying existing LoA definitions to such contexts.

Group Scope
- The LoA-RG tackles the issues related to defining the criteria for assurance assessment, the identification of gaps between the criteria defined by other standards bodies (in particular NIST, ETSI and EU standards) and the relevant grid use cases for (identity) assertions.
- The LoA-RG will NOT pursue the conveyance of LoA assertions in authentication protocols, or the technical consumption of such assertions by software. These topics are within the remit of the OGSA-AuthN-WG (proposed).
- The LoA-RG will NOT pursue the definition of identity levels and policies, or the implementation thereof. These topics are within the remit of the grid participants, their management, regulatory bodies and coordinating groups (CAOPS-WG, IGTF, InCommon, etc.).
- The LoA-RG will NOT define any standards or recommendations under this charter.

Output 1
- Title: A risk analysis in relation to LoA and use case gathering in an e-Science context
- Editor: Michael Helm
- Abstract: This document will present a risk analysis from the perspective of relying parties (or service providers). It will address such questions as: What is it that relying parties really need to know about an identity assertion? What qualities do they require? Which attributes do they 'need to know' about an assertion provider in order to decide on trust in the assertion? The document will also gather specific use cases in relation to LoA in this context.

Output 2
- Title: A gap analysis of current LoA definitions versus LoA requirements in e-Science/Grid context
- Editors: N Zhang, M Jones, and A Nenadic
- Abstract: This document will give an overview of current LoA definitions and the related efforts, and identify gaps between these definitions and the potential use of LoA in the e-Science/Grid context.

Authentication Use-cases
To identify gaps in existing LoA definitions, we need to identify attributes that may affect the values of LoA in different Grid authentication scenarios:
- AuthN Usecase 1: End entity to service direct authentication using end-entity credentials
- AuthN Usecase 2: End entity to service authentication using proxy credentials stored locally
- AuthN Usecase 3: End entity to service authentication using proxy credentials stored remotely
- AuthN Usecase 4: End entity to IdP authentication + IdP to service assertion

LoA attributes
- Identity vetting/proofing
- Credential issuance: Certification Authority (CA)
- Credential types: biometrics, PKI credentials, username/password pairs, one-time passwords, proxy credentials
- Key stores: soft token (desktop key store), hard token (smartcard key store), secure coprocessor, online credential repository (MyProxy or virtual smartcard)
- Credential strengths:
  - Password entropy: password space, password length, mixed use of lower/upper case, digits, etc.; not dictionary words; validity duration
  - PKI credential strength: key size, algorithm, validity duration
  - Proxy credential strength: validity duration, depth of delegation
- Assertion message reliability:
  - Validity duration
  - How attributes are stored and managed (procedures and policies are required to govern these)
  - Signature strength: signature key size, signature algorithm, hash function strength
  - How assertion messages are conveyed
  - Reliable source of time

AuthN Usecase 1: User to Service direct authN using ID credentials
- LoA attributes: token type (key storage), credential strength, authentication protocols, message level or transport level
- [Diagram] User to Grid Services: authenticate and access services using the end entity's credential (e.g. username/password), at message level or transport level (SSL)

AuthN Usecase 2: Authenticate using the end entity's proxy credential stored locally
- How the proxy is activated (activating token type and strength); where the proxy is stored (key store)
- Proxy credential strength (key size and delegation depth)
- [Diagram] User performs local authN to activate the proxy credential; Client authenticates to Grid Services using the proxy

AuthN Usecase 3
- [Diagram] User holds a long-term credential; Client-to-OCR authN and proxy credential retrieval from the Online Credential Repository (OCR); proxy credential sent to Grid Services either by the Client or directly from the OCR

AuthN Usecase 3 (continued)
- End entity to OCR authN: all the attributes defined for AuthN Usecase 1 apply here
- OCR's assurance level
- Client to Service authN using the proxy, or the Service fetches the proxy directly from the OCR:
  - Proxy strength
  - Delegation depth
  - Accompanying intermediary's credential?
  - Proxy transmission channel security strength
- Is a method/algorithm required to calculate the overall LoA?

AuthN Usecase 4
- [Diagram] End entity authenticates with the IdP (Attribute Authority); the IdP issues the user's ID/attribute assertions, which the Client presents to Grid Services

AuthN Usecase 4 (continued)
- End entity to IdP authN: as in AuthN Usecase 1
- IdP trust level: accredited at what level (dictated by procedures and policy)?
- How attributes are stored and protected at the IdP (i.e. the IdP's assurance level): signed and stored, or bare attributes?
- How assertion messages are conveyed: message level or over SSL?
- Assertion message security strength: signature key strength, signature key storage, signature algorithm ID/strength, and hash function strength
- Is a method/algorithm required to calculate the overall LoA?
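The attributes slide lists the factors that feed into an LoA value, and Usecases 3 and 4 ask whether a method is needed to combine them. The following added example (not from the LoA-RG or its slides) shows one way such a calculation could look: each attribute is mapped to a level from 1 to 4 and the chain's overall LoA is its weakest link. The level thresholds, the key-store levels and the weakest-link rule are assumptions made for this illustration.

```python
import math

# Constructed illustration: map the LoA attributes from the slides to levels
# 1 (lowest) .. 4 (highest) and combine them with a weakest-link rule. All
# thresholds below are assumptions for the example, not LoA-RG definitions.
KEY_STORE_LEVEL = {"soft token": 2, "online repository": 2,
                   "hard token": 3, "secure coprocessor": 4}

def password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(password space)."""
    return length * math.log2(charset_size)

def password_level(length: int, charset_size: int, dictionary_word: bool) -> int:
    """Password strength: a dictionary word gets the floor regardless of length."""
    if dictionary_word:
        return 1
    bits = password_entropy_bits(length, charset_size)
    return 4 if bits >= 80 else 3 if bits >= 56 else 2 if bits >= 40 else 1

def pki_level(key_bits: int, hash_alg: str, validity_days: int) -> int:
    """PKI credential strength from key size, signature hash and validity duration."""
    if hash_alg.lower() in ("md5", "sha1") or key_bits < 1024:
        return 1
    level = 4 if key_bits >= 3072 else 3 if key_bits >= 2048 else 2
    # Certificates valid for more than two years lose one level (assumed policy).
    return max(1, level - 1) if validity_days > 730 else level

def proxy_level(validity_hours: int, delegation_depth: int) -> int:
    """Proxy strength: shorter lifetime and shallower delegation score higher."""
    level = (4 if validity_hours <= 12 else 3 if validity_hours <= 24
             else 2 if validity_hours <= 168 else 1)
    # Every delegation hop beyond the first costs one level.
    return max(1, level - max(0, delegation_depth - 1))

def overall_loa(*attribute_levels: int) -> int:
    """Weakest-link rule: the chain is no stronger than its weakest attribute."""
    return min(attribute_levels)

def usecase3_loa() -> int:
    """AuthN Usecase 3 with constructed inputs: user -> OCR -> proxy -> service."""
    # Step 1: end entity authenticates to the OCR with a 12-char alphanumeric password.
    user_to_ocr = overall_loa(password_level(12, 62, False),
                              KEY_STORE_LEVEL["online repository"])
    # Step 2: OCR issues a 12-hour proxy of depth 1; TLS channel assumed level 3.
    return overall_loa(user_to_ocr, proxy_level(12, 1), 3)
```

With these inputs the OCR's own assurance level (2) caps the whole chain at LoA 2, even though the password and the proxy individually score higher.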

Acknowledgements + Survey
- Thanks to David Groep and Blair Dillaway for their contributions to the Charter
- Thanks to Yao Li, the University of Manchester, for his work on authentication use-case models
- LoA survey available at: loa.org/output

OGF IPR Policies Apply

I acknowledge that participation in this meeting is subject to the OGF Intellectual Property Policy.

Intellectual Property Notices Note Well: All statements related to the activities of the OGF and addressed to the OGF are subject to all provisions of Appendix B of GFD-C.1, which grants to the OGF and its participants certain licenses and rights in such statements. Such statements include verbal statements in OGF meetings, as well as written and electronic communications made at any time or place, which are addressed to:
- the OGF plenary session,
- any OGF working group or portion thereof,
- the OGF Board of Directors, the GFSG, or any member thereof on behalf of the OGF,
- the ADCOM, or any member thereof on behalf of the ADCOM,
- any OGF mailing list, including any group list, or any other list functioning under OGF auspices,
- the OGF Editor or the document authoring and review process.

Statements made outside of an OGF meeting, mailing list or other function, that are clearly not intended to be input to an OGF activity, group or function, are not subject to these provisions.

Excerpt from Appendix B of GFD-C.1: Where the OGF knows of rights, or claimed rights, the OGF secretariat shall attempt to obtain from the claimant of such rights, a written assurance that upon approval by the GFSG of the relevant OGF document(s), any party will be able to obtain the right to implement, use and distribute the technology or works when implementing, using or distributing technology based upon the specific specification(s) under openly specified, reasonable, non-discriminatory terms. The working group or research group proposing the use of the technology with respect to which the proprietary rights are claimed may assist the OGF secretariat in this effort. The results of this procedure shall not affect advancement of document, except that the GFSG may defer approval where a delay may facilitate the obtaining of such assurances. The results will, however, be recorded by the OGF Secretariat, and made available. The GFSG may also direct that a summary of the results be included in any GFD published containing the specification.

OGF Intellectual Property Policies are adapted from the IETF Intellectual Property Policies that support the Internet Standards Process.

Full Copyright Notice

Copyright (C) Open Grid Forum (applicable years). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. The limited permissions granted above are perpetual and will not be revoked by the OGF or its successors or assignees.