Presentation is loading. Please wait.

Presentation is loading. Please wait.

Conformance Targets for Simple PGI Communication Andrew Grimshaw & Duane Merrill 1.

Published byDouglas Cunningham Modified over 8 years ago

Similar presentations

Presentation on theme: "Conformance Targets for Simple PGI Communication Andrew Grimshaw & Duane Merrill 1."— Presentation transcript:

1 Conformance Targets for Simple PGI Communication Andrew Grimshaw & Duane Merrill 1

2 Orthogonal Steps Towards Basic Interoperability (1) Profile the syntax of simple "request" and "request-response" message exchange patterns Place to “hang hat on” regarding details of SSL/TLS, SOAP over HTTP Nail down token types and formats (e.g., X.509 proxy certificates, X.509 attribute certificates, SAML attribute assertions, etc.) (2) Profile mechanisms for token acquisition, token exchange, key distribution, etc. Consider authorization services, delegation protocols, etc. E.g., VOMS, WS-Trust STSs, MyProxy, etc. (3) Profile mechanisms for the distribution of endpoint metadata Directory and discovery services (e.g., LDAP, RNS, email, carrier pigeon) (4) Profile mechanisms by which roots-of-trust are brokered amongst communicating parties. Certificate and attribute authorities, trust stores, CRLs, etc. (5) Profile authorization mechanisms. Out-of-scope in a “push-style” model.

3 Step 1: Simple Message Communication: The “PGI_COMM” Profile 1. 1. Foundational conformance: PGI_HTTPS SOAP-over-HTTP communication using a SSL/TLS transport protocol Endpoints are mutually authenticated by X.509 end-entity public key certificates (PKCs). 2. 2. Supplemental conformance: PGI_TLS_PROXY SSL/TLS authentication of X.509 proxy certificates (PCs) PCs can optionally convey X.509 attribute certificates (ACs) regarding aspects of VO membership Derives foundational requirements from PGI_HTTPS. PGI_SOAP_SAML SOAP-level conveyance of SAML attributes regarding aspects of VO membership Derives foundational requirements from PGI_HTTPS 3. 3. Conveyance of PGI_COMM conformance: Embed security policy URIs within WS-Addressing EPRs Conveys communication requirements for a given resource Endpoint(s), required token types, security actions, protocols, etc.

4 PGI_HTTPS Place to “hang our hat on” regarding fundamental protocols: SOAP over TLS Inherit from WS-I BP, WS-I BSP profiles Require mutual-authentication Specify protocol versions SSL v3.0, TLS v1.0, or higher. Mandate a minimum set of supported ciphersuites

5 PGI_TLS_PROXY SSL/TLS authentication of X.509 proxy certificates (PCs) potentially conveying X.509 attribute certificates (ACs): Leverage RFC 3820 (GSI) X.509 Proxy Certificates Leverage VOMS-style of restricted X.509 Attribute Certificate format FQAN syntax for expressing groups/roles (“/campus-grid”, “/campus- grid/students”, “/campus-grid/Role=VO-Admin” Borrow VOMS-style of embedding ACs within PCs Use their extension (and OID) Clarifications/requirements Proxy certificate chain verification Coupled with AC verification Support for WS-Naming EPIs to identify “target” resources where a given ACs is applicable

6 PGI_SOAP_SAML SOAP-level conveyance of SAML attributes regarding aspects of VO membership: Leverage SAML 2.0 signed attribute assertions Clarifications for attachment Requirement and clarifications for “holder-of-key” subject confirmation Requirement for attribute-issuer signature Authenticates the issuer Protects the attribute Support for WS-Naming EPIs to identify “target” resources where a given attribute is applicable Profile “FQAN Attribute” for representation of VOMS-style groups and roles in the compact-FQAN syntax

7 Secure Endpoint References (EPRs) Reference conformance using policy-reference URIs: PGI_HTTPS: “ http://www.ogf.org/pgi/2009/03/pgi-https ” http://www.ogf.org/pgi/2009/03/pgi-https PGI_TLS_PROXY (subsumes PGI_HTTPS) : “ http://www.ogf.org/pgi/2009/03/pgi-tls-proxy ” http://www.ogf.org/pgi/2009/03/pgi-tls-proxy PGI_SOAP_SAML (subsumes PGI_HTTPS): http://www.ogf.org/pgi/2009/03/pgi-soap-saml Supplement with the VO domain(s) within which a resource participates HTTPS only allows authentication of a single certificate, which is issued by a single authority VO-discovery empowers clients to select/acquire an appropriate certificate (and attributes)

8 EPR Example (01) (02) (03) http://www.example.org/some/path (04) (05) (06)... (07) (08) (09) (10) (11) (12) (13) (14) urn:wsaaction:* (15) (16) (17) urn:virtual-organization:campusgrid (18) urn:virtual-organization:sciencegrid (19) (20) (21) (22) (23) (24) http://www.ogf.org/pgi/2009/03/pgi_tls_proxy (25) (26) (27) (28) (29) (30)... (31) (32)... (33)

Download ppt "Conformance Targets for Simple PGI Communication Andrew Grimshaw & Duane Merrill 1."

Similar presentations

OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.

OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
WS – Security Policy Prabath Siriwardena Director, Security Architecture.

WS – Security Policy Prabath Siriwardena Director, Security Architecture.
OOI-CI–Ragouzis–2007.10.15 Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop 17-19 October 2007.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.
VOMS & SAML Valerio Venturi MWSG 12 12-13/6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.

VOMS & SAML Valerio Venturi MWSG /6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.

Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.
GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.

GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
SAML Conformance Sub-Group Report Face-to-face meeting August 29, 2001 Bob Griffin.

SAML Conformance Sub-Group Report Face-to-face meeting August 29, 2001 Bob Griffin.
Web Service Standards, Security & Management Chris Peiris www.ChrisPeiris.com.

Web Service Standards, Security & Management Chris Peiris

Similar presentations

Ads by Google