GWS-WG agenda and meeting goals Agenda Summary of reference implementations VOStore progress VOStore issues and plans –How to reconcile VOStore and VOSpace?

Presentation transcript:

GWS-WG agenda and meeting goals

Agenda
– Summary of reference implementations
– VOStore progress
– VOStore issues and plans
  – How to reconcile VOStore and VOSpace?
  – Does the DIME attachment method really work?
– VO basic profile
– Security progress
  – NVO progress (M. Graham: presentation)
  – EuroVO progress
– Security issues
  – Updated thoughts on certificate authorities
  – How to encode group attributes?
  – Details of delegation interface
  – What community services do we need?
– Presentation: Italian work with Grid
– Universal Worker Service: needed by other groups?
  – Theory group
  – NVO/opticon software environment

Reference implementations

VOSI
– Caltech
– JHU?
– (AstroGrid)

VOStore
– AstroGrid
– Caltech
– ESO
– JHU

SSO
– JHU
– NCSA (including community services)
– ESO
– AstroGrid

Any others?

VOStore/VOSpace issue

– Original plan: VOStore in 2005; VOSpace later
  => independently accessible VOStore
  => more function in VOStore than needed with VOSpace
  => allows v1.0 PR (Proposed Recommendation) ~ December 2005
– Do we still want to do this?
  – Could we delay VOStore to wait for VOSpace?
– How much function does VOStore need to be independent?
  – How to handle naming of files?
  – Can we handle file sharing?
  – Can we handle groups?

VOStore DIME issue

– VOStore v0.18 says DIME is mandatory
– DIME implementations suck
– DIME is obsolete anyway (cf. MTOM)
– Do we want to keep DIME in VOStore?
– If not, what replaces it?

Security components

[Diagram; only the labels survive extraction. Components: Community services (MyProxy, SAML); Credential cache (LocalProxy); Client application; A SOAP Service; Another SOAP Service; An HTTPS service. Link labels: Digital Signature, Delegation, TLS.]

Security issues: group attributes

Several ways to encode "user x belongs to group y":
– SAML attributes in SOAP header ("push")
– SAML authority service in community ("pull")
– SAML in user id certificate ("push")
– Extra attribute certificates ("push" or "pull")
– Any others?

Which? Can we defer the decision until SSO v2?

Security issues: community services

What services are to be IVOA standard?
– MyProxy
– SAML?
– Standard sign-on service?
  – UI, so need not be fully standard

Security issues: CAs

[Two diagrams; only the labels survive extraction. Panel 1: EuroVO CA, ESA CA; "Sign"; VO service, ESA user, Grid service. Panel 2: Grid CA; "Sign"; VO service, ESA user, Grid service.]

Security issues: delegation

– Need delegation interface on SOAP services.
  – Delegating client signs proxy credential for service receiving delegation
  – One SOAP method to get unsigned credential
  – Another SOAP method to send signed credential
  – Precedes secured method(s)
  – OK?
– Similar with HTTPS
  – OK?
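The two-method delegation exchange on this slide, as an added Go example that is not part of the original presentation or of any IVOA implementation: the service generates a key pair and returns only a certificate request (first method), the delegating client signs a short-lived proxy certificate over it with its own credential, and the service stores the proxy (second method) only after checking that it certifies the service's key and was signed by the presented user certificate. The self-signed user credential, Ed25519 keys, the "/proxy" naming and all function names are assumptions; SOAP transport is omitted, so the two methods are plain function calls.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewUserCredential: a self-signed user certificate standing in for one a VO CA would issue (assumed fixture).
func NewUserCredential(cn string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	cert, _ := x509.ParseCertificate(der) // nil when der is nil; err below says why
	return cert, priv, err
}
// Service, SOAP method 1: make a fresh key pair and hand back only a certificate request for it; the private key never leaves the service.
func GetUnsignedCredential() (ed25519.PrivateKey, []byte, error) {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "proxy"}}, priv)
	return priv, csr, err
}
// Client: sign a short-lived proxy certificate over the requested key with the user's own credential.
func SignProxy(user *x509.Certificate, userKey ed25519.PrivateKey, csrDER []byte, ttl time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil { // requester must prove it holds the private key
		return nil, errors.New("bad certificate request")
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject: pkix.Name{CommonName: user.Subject.CommonName + "/proxy"}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	return x509.CreateCertificate(rand.Reader, t, user, csr.PublicKey, userKey)
}
// Service, SOAP method 2: keep the proxy only if it certifies our key and the delegating user signed it.
// Checked directly because x509.Verify applies RFC 5280 CA rules, not RFC 3820 proxy rules.
func SendSignedCredential(svcKey ed25519.PrivateKey, proxyDER []byte, user *x509.Certificate) (*x509.Certificate, error) {
	p, err := x509.ParseCertificate(proxyDER)
	if err != nil {
		return nil, err
	}
	if pub, ok := p.PublicKey.(ed25519.PublicKey); !ok || !pub.Equal(svcKey.Public()) ||
		user.CheckSignature(p.SignatureAlgorithm, p.RawTBSCertificate, p.Signature) != nil {
		return nil, errors.New("proxy rejected: wrong key or not signed by the delegating user")
	}
	return p, nil
}
```

The proxy's lifetime (ttl) is the client's choice, so a compromised service only holds a credential that expires on its own.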