Published by Douglas Cunningham. Modified over 8 years ago.
Conformance Targets for Simple PGI Communication
Andrew Grimshaw & Duane Merrill
Orthogonal Steps Towards Basic Interoperability

(1) Profile the syntax of simple "request" and "request-response" message exchange patterns
  - Place to "hang hat on" regarding details of SSL/TLS, SOAP over HTTP
  - Nail down token types and formats (e.g., X.509 proxy certificates, X.509 attribute certificates, SAML attribute assertions, etc.)
(2) Profile mechanisms for token acquisition, token exchange, key distribution, etc.
  - Consider authorization services, delegation protocols, etc. (e.g., VOMS, WS-Trust STSs, MyProxy, etc.)
(3) Profile mechanisms for the distribution of endpoint metadata
  - Directory and discovery services (e.g., LDAP, RNS, email, carrier pigeon)
(4) Profile mechanisms by which roots-of-trust are brokered amongst communicating parties
  - Certificate and attribute authorities, trust stores, CRLs, etc.
(5) Profile authorization mechanisms
  - Out-of-scope in a "push-style" model
Step 1: Simple Message Communication: The "PGI_COMM" Profile

1. Foundational conformance: PGI_HTTPS
  - SOAP-over-HTTP communication using an SSL/TLS transport protocol
  - Endpoints are mutually authenticated by X.509 end-entity public key certificates (PKCs)
2. Supplemental conformance:
  - PGI_TLS_PROXY
    - SSL/TLS authentication of X.509 proxy certificates (PCs)
    - PCs can optionally convey X.509 attribute certificates (ACs) regarding aspects of VO membership
    - Derives foundational requirements from PGI_HTTPS
  - PGI_SOAP_SAML
    - SOAP-level conveyance of SAML attributes regarding aspects of VO membership
    - Derives foundational requirements from PGI_HTTPS
3. Conveyance of PGI_COMM conformance:
  - Embed security policy URIs within WS-Addressing EPRs
  - Conveys the communication requirements for a given resource
    - Endpoint(s), required token types, security actions, protocols, etc.
PGI_HTTPS

Place to "hang our hat on" regarding fundamental protocols: SOAP over TLS
- Inherit from the WS-I BP and WS-I BSP profiles
- Require mutual authentication
- Specify protocol versions: SSL v3.0, TLS v1.0, or higher
- Mandate a minimum set of supported ciphersuites
PGI_TLS_PROXY

SSL/TLS authentication of X.509 proxy certificates (PCs), potentially conveying X.509 attribute certificates (ACs):
- Leverage RFC 3820 (GSI) X.509 Proxy Certificates
- Leverage the VOMS-style restricted X.509 Attribute Certificate format
  - FQAN syntax for expressing groups/roles ("/campus-grid", "/campus-grid/students", "/campus-grid/Role=VO-Admin")
- Borrow the VOMS style of embedding ACs within PCs
  - Use their extension (and OID)
- Clarifications/requirements
  - Proxy certificate chain verification
    - Coupled with AC verification
  - Support for WS-Naming EPIs to identify "target" resources where a given AC is applicable
PGI_SOAP_SAML

SOAP-level conveyance of SAML attributes regarding aspects of VO membership:
- Leverage SAML 2.0 signed attribute assertions
- Clarifications for attachment
- Requirement and clarifications for "holder-of-key" subject confirmation
- Requirement for an attribute-issuer signature
  - Authenticates the issuer
  - Protects the attribute
- Support for WS-Naming EPIs to identify "target" resources where a given attribute is applicable
- Profile an "FQAN Attribute" for representation of VOMS-style groups and roles in the compact-FQAN syntax
Secure Endpoint References (EPRs)

Reference conformance using policy-reference URIs:
- PGI_HTTPS: http://www.ogf.org/pgi/2009/03/pgi-https
- PGI_TLS_PROXY (subsumes PGI_HTTPS): http://www.ogf.org/pgi/2009/03/pgi-tls-proxy
- PGI_SOAP_SAML (subsumes PGI_HTTPS): http://www.ogf.org/pgi/2009/03/pgi-soap-saml
Supplement with the VO domain(s) within which a resource participates
- HTTPS only allows authentication of a single certificate, which is issued by a single authority
- VO-discovery empowers clients to select/acquire an appropriate certificate (and attributes)
EPR Example

(The XML markup of this slide was not preserved; only the text values of the 33-line example survive, in order:)
- http://www.example.org/some/path
- urn:wsaaction:*
- urn:virtual-organization:campusgrid
- urn:virtual-organization:sciencegrid
- http://www.ogf.org/pgi/2009/03/pgi_tls_proxy
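As an added illustration of slides 3, 7 and 8 (example code written for this page, not from the presentation), the following Python parses a WS-Addressing EPR, works out which PGI_COMM profile its policy-reference URIs select (applying the "subsumes PGI_HTTPS" rule from slide 7, and refusing any URI it does not implement) and lists the VO URNs a client can use to pick a credential. The wsa:Address, wsa:Metadata and wsp:PolicyReference elements are the standard WS-Addressing/WS-Policy ones; the VirtualOrganization element and its urn:example namespace are assumptions, since the slide's markup was not preserved.

```python
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/08/addressing"  # WS-Addressing 1.0 namespace
WSP = "http://www.w3.org/ns/ws-policy"        # WS-Policy 1.5 namespace
PGI = "urn:example:pgi-epr"  # ASSUMED namespace for the VO-list element below

# Policy-reference URIs from slide 7, mapped to the credential a client must present.
PROFILES = {
    "http://www.ogf.org/pgi/2009/03/pgi-https": "X.509 end-entity certificate",
    "http://www.ogf.org/pgi/2009/03/pgi-tls-proxy": "X.509 proxy certificate (optionally carrying VOMS ACs)",
    "http://www.ogf.org/pgi/2009/03/pgi-soap-saml": "X.509 end-entity certificate + signed SAML attribute assertion",
}
# Both supplemental profiles subsume PGI_HTTPS (slide 7).
SUBSUMES = {
    "http://www.ogf.org/pgi/2009/03/pgi-tls-proxy": {"http://www.ogf.org/pgi/2009/03/pgi-https"},
    "http://www.ogf.org/pgi/2009/03/pgi-soap-saml": {"http://www.ogf.org/pgi/2009/03/pgi-https"},
}

def analyse_epr(xml_text):
    """Return (address, [required credentials], [VO URNs]) for an EPR, or raise
    ValueError when it references a profile this client does not implement."""
    root = ET.fromstring(xml_text)
    addr = root.findtext(f"{{{WSA}}}Address")
    if addr is None:
        raise ValueError("EPR has no wsa:Address")
    refs = {el.get("URI") for el in root.iter(f"{{{WSP}}}PolicyReference")}
    if not refs:
        raise ValueError("EPR carries no PGI_COMM policy reference")
    unknown = refs - set(PROFILES)
    if unknown:  # fail closed rather than silently falling back to plain PGI_HTTPS
        raise ValueError(f"unsupported policy URIs: {sorted(unknown)}")
    # Keep only the most specific profiles: drop any that another listed one subsumes.
    effective = {r for r in refs if not any(r in SUBSUMES.get(o, ()) for o in refs)}
    vos = [(el.text or "").strip() for el in root.iter(f"{{{PGI}}}VirtualOrganization")]
    return addr.strip(), sorted(PROFILES[r] for r in effective), vos

# Constructed sample EPR modelled on slide 8 (VO-list element name is assumed).
SAMPLE_EPR = f"""<wsa:EndpointReference xmlns:wsa="{WSA}" xmlns:wsp="{WSP}" xmlns:pgi="{PGI}">
  <wsa:Address>http://www.example.org/some/path</wsa:Address>
  <wsa:Metadata>
    <pgi:VirtualOrganization>urn:virtual-organization:campusgrid</pgi:VirtualOrganization>
    <pgi:VirtualOrganization>urn:virtual-organization:sciencegrid</pgi:VirtualOrganization>
    <wsp:PolicyReference URI="http://www.ogf.org/pgi/2009/03/pgi-https"/>
    <wsp:PolicyReference URI="http://www.ogf.org/pgi/2009/03/pgi-tls-proxy"/>
  </wsa:Metadata>
</wsa:EndpointReference>"""
# Constructed EPR that points at a policy URI this client has never heard of.
UNKNOWN_EPR = SAMPLE_EPR.replace("pgi-tls-proxy", "some-future-profile")

if __name__ == "__main__":
    print(analyse_epr(SAMPLE_EPR))
```

Because the URIs are compared byte-for-byte, a resource advertising a URI that differs even by one character from the published ones is rejected instead of being downgraded.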