Server to Server Group Requirements Simplifying key management between multiple vendor implementations.

Presentation transcript:

(Re)Defining a Group

What a group should be
  – A collection of common entities, objects or other groups
  – Should not be more than two or possibly three groups deep (complexity)

What a group should not be
  – A container for multiple types of entities and objects
  – If a group contains other groups it cannot contain entities or objects (i.e. homogeneity)

(Slide diagram: Group 1, Group 2, Group 3, Group 4)

Groups as Containers

Group of Entities
  – Contains one or more like entities that use a common set of objects
  – Like = same attributes, crypto capability, etc. (read as homogeneous)

Group of Objects (keys, certificates, etc.)
  – A set of like objects that can then be bound to or accessed by a
  – Consideration of a Policy object for server to server may be needed if messaging isn't enough (use case anyone?)

Group of Groups
  – A group that contains one or more groups, including one or more entity groups, objects & users
  – How deep groups can go needs to be seriously looked at: group within a group, within a bigger group, ad infinitum

Group of Users
  – Access control for users when external authentication is used in multivendor environments
  – Defined by KMIP? This would be an example of a potential "other" group category that would not be extended from one vendor server to another, other than in a system that uses role based management – Bob L.'s personal opinion is no…

Group Purposes

Access Control
  – Using two levels allows one or more groups of entities to map to one or more groups of objects
  – Provides a common definition between vendors for server to server access control implementation without restricting a vendor's capabilities to perform access control

Ownership
  – A primary group owns one or more entities, objects or "other"
      All entities will have a single primary group
      All objects will have two groups, a group for the individual object and a group of common objects (e.g. AES256 keys, certificates, etc.)
  – Takes ownership away from devices that can be temporary or long lived but that may not live as long as the keys they access and use
      Destroying entities doesn't impact objects if they don't own the objects to begin with
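The rules from the "Groups as Containers" and "Group Purposes" slides (homogeneous groups, a bounded nesting depth, a two-level entity-group to object-group access check, and ownership held by groups rather than devices) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the presentation or from any KMIP implementation; the class and function names (Group, validate, can_access, destroy_entity) and the sample group names are assumptions chosen for the example.

```python
"""Toy model of the group rules in the slides: homogeneous groups, a bounded
nesting depth, two-level access control (entity group -> object group) and
group-based ownership.  Added illustration; the class and function names are
assumptions, not KMIP-defined identifiers."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Group:
    name: str
    entities: Set[str] = field(default_factory=set)      # client/device identifiers
    objects: Set[str] = field(default_factory=set)       # key/certificate identifiers
    groups: List["Group"] = field(default_factory=list)  # nested groups

    def kind(self) -> str:
        """'entity', 'object', 'group', 'empty', or 'mixed' (the forbidden case)."""
        kinds = [k for k, members in (("entity", self.entities),
                                      ("object", self.objects),
                                      ("group", self.groups)) if members]
        if not kinds:
            return "empty"
        return kinds[0] if len(kinds) == 1 else "mixed"


def depth(g: Group) -> int:
    """1 for a leaf group; +1 per level of nesting below it."""
    return 1 + max((depth(c) for c in g.groups), default=0)


def validate(g: Group, max_depth: int = 2) -> List[str]:
    """Return the rule violations found in g and everything nested under it."""
    problems: List[str] = []
    if depth(g) > max_depth:
        problems.append(f"{g.name}: nesting depth {depth(g)} exceeds {max_depth}")

    def walk(node: Group) -> None:
        if node.kind() == "mixed":
            problems.append(f"{node.name}: mixes entities, objects and/or groups")
        for child in node.groups:
            walk(child)

    walk(g)
    return problems


def groups_of(roots: List[Group], member: str, kind: str) -> Set[str]:
    """Names of every (possibly nested) group of the given kind that holds member."""
    found: Set[str] = set()

    def walk(node: Group) -> None:
        members = node.entities if kind == "entity" else node.objects
        if member in members:
            found.add(node.name)
        for child in node.groups:
            walk(child)

    for root in roots:
        walk(root)
    return found


Policy = Dict[str, Set[str]]  # entity-group name -> object-group names it may use


def can_access(roots: List[Group], policy: Policy, entity_id: str, object_id: str) -> bool:
    """Two-level check: some entity group holding entity_id is mapped to some
    object group holding object_id.  Entities are never mapped to objects directly."""
    entity_groups = groups_of(roots, entity_id, "entity")
    object_groups = groups_of(roots, object_id, "object")
    return any(policy.get(eg, set()) & object_groups for eg in entity_groups)


def destroy_entity(roots: List[Group], entity_id: str) -> int:
    """Remove an entity from its group(s).  Objects are owned by object groups, not by
    the entity, so nothing else changes.  Returns the number of groups it left."""
    removed = 0

    def walk(node: Group) -> None:
        nonlocal removed
        if entity_id in node.entities:
            node.entities.discard(entity_id)
            removed += 1
        for child in node.groups:
            walk(child)

    for root in roots:
        walk(root)
    return removed


def build_sample() -> Tuple[List[Group], Policy]:
    """Constructed sample: two entity groups and a two-level object group tree."""
    tape_drives = Group("tape-drives", entities={"drive-01", "drive-02"})
    db_servers = Group("db-servers", entities={"db-01"})
    keystore = Group("keystore", groups=[
        Group("aes256-keys", objects={"key-a", "key-b"}),
        Group("certs", objects={"cert-x"}),
    ])
    policy: Policy = {"tape-drives": {"aes256-keys"},
                      "db-servers": {"aes256-keys", "certs"}}
    return [tape_drives, db_servers, keystore], policy


if __name__ == "__main__":
    roots, policy = build_sample()
    print(validate(Group("bad", entities={"e1"}, objects={"k1"})))
    print(can_access(roots, policy, "drive-01", "key-a"), can_access(roots, policy, "drive-01", "cert-x"))
    destroy_entity(roots, "drive-01")
    print(can_access(roots, policy, "drive-01", "key-a"), can_access(roots, policy, "drive-02", "key-a"))
```

The policy table is the only thing a vendor would have to agree on with another server: it names entity groups and object groups, never individual devices or keys, which is what makes the mapping portable. Removing a drive changes nothing about the keys, because the keys live in their object group and the drive never owned them.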

Questions to Consider

Do clients care about Groups?
  – Is there a reason or use case?

Does it make sense to have more than two layers of groups?
  – Is there a use case where a common set of keys is accessed by different device types that would require this?
  – What kind of access control issues arise with more than two layers of groups?
  – If not two, what is a good limit that can be set for server to server instances? Is there a good reason to go beyond three layers?

Do groups play a part in a global namespace for server to server?
  – A question to be asked if a model such as URI is used for global key naming

How do you resolve policy conflict between server implementations?
  – Should we stay away from it and let the vendor handle it, who makes the call on policy for a given instance?
  – Are there any looming conflicts?