Security
OGSA-WG Dec. '03 F2F Meeting @ ANL
Takuya Mori <moritaku@bx.jp.nec.com>, NEC Corporation

Contents
• The specifications in the "OGSA-Sec Roadmap" and status of Working Groups
• OGSA Security Services
• Specifications to be defined
The specifications in the "OGSA-Sec Roadmap" and status of Working Groups
Security Policy Expression and Exchange / Secure Service Operation / Audit and Secure Logging
Goal (figure; recovered labels)
• Within a Virtual Organization, Service a sends a service request to Service b carrying an Attribute Assertion
• The flow involves Authentication, Delegation and Authorization

Applications (figure; recovered labels)
• Service a and Service b belong to the Virtual Organization; Service a sends a service request to Service b

Security architecture (figure; recovered labels)
Legend: Described in OGSA / Discussed in OGSA-AuthZ-WG / Missing in OGSA or OGSA-AuthZ
• Applications: Service a in Real Organization 1 sends a service request to Service b in Real Organization 2
• Security Services (per Real Organization): Distributed Logging, Authorization, Privacy, Attribute, Policy and Agreement, Authentication, Trust
• Virtual Organization
 • Federation Services: Identity / Attribute Mapping Service, Policy Mapping Service
 • VO Management Services: VO Membership Service, VO Policy Service
• Underlying Security Layers: Security Policy (QoP) Exchange & Expression; Session Security (based on WS-SecureConversation); Message Security (based on WS-Security); Naming Stuff

Authentication (figure; recovered steps)
• (1) A grid service (GS) in Real Organization 1 sends a service request with an Identity Credential to a GS in Real Organization 2
• (2) The receiving GS requests credential validation from its Authentication Service to get an identity of the requestor
• (3) The Trust Service checks for the trust relationship with the credential's issuer
• (4) Identity mapping: the VO's Identity / Attribute Mapping Service (Federation Services) maps the requestor's identity into the receiving domain
• Session Security underneath is based on WS-SecureConversation

Authorization (1) (figure; recovered steps)
• (1) The requestor gets an attribute assertion from an Attribute Authority (the VO Membership Service acts as one)
• (2) The service request carries the Attribute Assertion from the GS in Real Organization 1 to the GS in Real Organization 2
• (3) The receiving GS asks its Authorization Service for an authorization decision; decisions are made based on policies and attributes
• (4) Attribute and policy mapping through the VO Federation Services (Identity / Attribute Mapping Service, Policy Mapping Service); the VO Policy Service acts as Policy Authority

Authorization (2) (figure; recovered steps)
• Prerequisite: the requestor has been identified (the Authentication flow above)
• (1) The GS asks its Authorization Service for an authorization decision; decisions are made based on policies and attributes
• (2) The Authorization Service checks for the VO membership and the policy for the requestor (VO Membership Service; VO Policy Service / Policy Authority)
• (3) or checks for some local attributes (local Attribute Authority)
VO Security Services
• VO Management Services
 • Referred to in subsection 6.2 of the OGSA document
 • VO Membership Service
  • Manages VO membership (users, resources, authorities, and ...)
  • Issues membership attribute assertions, so the VO Membership Service is a kind of attribute service
 • VO Policy Service
  • VO-wide policy service (possible policies include authorization policy, trust policy, and privacy policy)
• Federation Services
 • Missing parts in the OGSA document
 • Identity / Attribute Mapping Service
  • Converts identity or attribute assertions of one domain into those of another domain
 • Policy Mapping Service
  • Converts policies of one domain into those of another domain
Security Services
• Distributed Logging
 • Described in subsection 6.13 of the OGSA document
• Policy and Agreement
 • Described in subsection 6.16 of the OGSA document
• Authorization Service
 • Discussed in OGSA-AuthZ-WG, but not in the OGSA document
Security Services (Contd.)
• Attribute Service
 • (Will be) discussed in OGSA-AuthZ-WG
 • Not described in the OGSA document now
 • Issues an attribute assertion that is used for various policy decisions
• Authentication Service (Credential Validation)
 • Not described in the OGSA document
 • Validates a credential and identifies a requestor
 • Support for PKI and Kerberos is mandatory
• Privacy Service
 • Not described in the OGSA document
 • Manages privacy policy on both ends: it can be used to declare how privacy information is used and to state preferences for how privacy information is handled
• Trust Service
 • Not described in the OGSA document
 • Manages trust policy (whether or not a party trusts an assertion authority) and makes decisions based on these policies
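The two flows on the Authentication and Authorization slides, and the service roles listed above (Authentication/Trust Service, Identity / Attribute Mapping Service, VO Membership Service as attribute authority, Authorization Service deciding on policies and attributes), as one added worked example. This is editor-written Python, not code from the deck, from OGSA, or from any Globus/OGSA implementation. Assumptions: HMAC shared secrets (`ISSUER_KEYS`) stand in for the PKI or Kerberos trust roots; the WS-Security message layer and assertion formats are not modelled; every organization, user, attribute and action name (`ro1-authn`, `alice@ro1`, `vo:analyst`, `read-dataset`, and so on) is constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed issuer keys: HMAC shared secrets stand in for the PKI or Kerberos
# trust roots the deck says an Authentication Service must support (demo only).
ISSUER_KEYS = {
    "ro1-authn": b"ro1-secret",     # authentication authority of Real Organization 1
    "ro3-authn": b"ro3-secret",     # an authority outside the VO, not trusted by RO2
    "vo-membership": b"vo-secret",  # VO Membership Service acting as attribute authority
}

def sign(issuer, claims):
    """Issue an assertion: the issuer's HMAC over the canonical JSON of the claims."""
    claims = dict(claims, issuer=issuer)
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).hexdigest()}

def verify(assertion):
    """Check the signature with the key of the issuer named in the claims."""
    claims = assertion["claims"]
    key = ISSUER_KEYS.get(claims.get("issuer"))
    if key is None:
        return False
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), assertion["sig"])

class TrustService:  # trust policy of one domain: which assertion authorities it accepts
    def __init__(self, trusted_issuers):
        self.trusted = frozenset(trusted_issuers)
    def accepts(self, assertion):
        # Trust is decided first, so an unknown issuer's signature is never consulted.
        return assertion["claims"].get("issuer") in self.trusted and verify(assertion)

class MappingService:  # federation service: identity and attribute mapping between domains
    def __init__(self, identity_map, attribute_map):
        self.identity_map, self.attribute_map = identity_map, attribute_map
    def map_identity(self, name):
        return self.identity_map.get(name)
    def map_attributes(self, attrs):
        # Attributes without a mapping are dropped, never passed through unchanged.
        return {self.attribute_map[a] for a in attrs if a in self.attribute_map}

class VOMembershipService:  # VO Management: issues membership attribute assertions
    def __init__(self, members):
        self.members = members  # VO identity -> set of VO-wide attributes
    def assert_membership(self, vo_identity):
        attrs = self.members.get(vo_identity)
        return None if attrs is None else sign("vo-membership", {"subject": vo_identity, "attributes": sorted(attrs)})

class GridService:  # a grid service in Real Organization 2 that walks the deck's two flows
    def __init__(self, trust, mapping, membership, policy):
        self.trust, self.mapping, self.membership = trust, mapping, membership
        self.policy = policy  # action -> local attributes that permit it
    def authenticate(self, credential):
        # Authentication steps (2)-(4): validate, check trust in the issuer, map identity.
        if not self.trust.accepts(credential):
            return None
        return self.mapping.map_identity(credential["claims"]["subject"])
    def authorize(self, vo_identity, action):
        # Authorization (2): membership check, attribute mapping, local policy decision.
        # Returns the reason for denial, or None when the action is permitted.
        assertion = self.membership.assert_membership(vo_identity)
        if assertion is None:
            return "not a VO member"
        if not self.trust.accepts(assertion):
            return "attribute assertion not trusted"
        local_attrs = self.mapping.map_attributes(assertion["claims"]["attributes"])
        return None if local_attrs & self.policy.get(action, set()) else "no attribute permits " + action
    def handle(self, credential, action):
        vo_identity = self.authenticate(credential)
        if vo_identity is None:
            return "denied: credential rejected"
        reason = self.authorize(vo_identity, action)
        return "denied: " + reason if reason else "allowed: " + vo_identity + " may " + action

# Constructed deployment for Real Organization 2 (every name here is made up).
RO2 = GridService(
    trust=TrustService(["ro1-authn", "vo-membership"]),
    mapping=MappingService({"alice@ro1": "vo:alice", "bob@ro1": "vo:bob"},
                           {"vo:analyst": "ro2:reader", "vo:admin": "ro2:writer"}),
    membership=VOMembershipService({"vo:alice": {"vo:analyst"}}),
    policy={"read-dataset": {"ro2:reader", "ro2:writer"}, "write-dataset": {"ro2:writer"}},
)

def demo():
    """A VO member, a non-member, an untrusted issuer and a tampered credential."""
    alice = sign("ro1-authn", {"subject": "alice@ro1"})
    bob = sign("ro1-authn", {"subject": "bob@ro1"})
    carol = sign("ro3-authn", {"subject": "carol@ro3"})
    forged = dict(alice, claims=dict(alice["claims"], subject="bob@ro1"))
    return {
        "alice_read": RO2.handle(alice, "read-dataset"),
        "alice_write": RO2.handle(alice, "write-dataset"),
        "bob_read": RO2.handle(bob, "read-dataset"),
        "carol_read": RO2.handle(carol, "read-dataset"),
        "forged_read": RO2.handle(forged, "read-dataset"),
    }
```

Calling `demo()` exercises each service in turn: the VO member is allowed to read but not write (her VO attribute maps only to a local reader attribute), the RO1 user who is not a VO member is authenticated but denied by the membership check, the credential from an issuer RO2 does not trust is rejected by the Trust Service before its signature is even examined, and the tampered credential fails validation. Two choices worth keeping in a real design: the trust decision is separate from, and precedes, signature verification, and the mapping services drop anything they have no mapping for rather than letting foreign names flow into local policy unchanged.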
What's Next
• Find out whether the services listed on these slides are enough
• Start describing the security services in the OGSA document
• Prioritize specifications and activate OGSA-SEC-WG to start discussion
• Prioritization example
 • High: VO Management, Authentication, Policy and Agreements
 • Middle: Federation Services, Trust
 • Low: Privacy