
Security OGSA-WG Dec. '03 F2F Meeting @ ANL

Security OGSA-WG Dec. '03 F2F Meeting @ ANL. Takuya Mori <moritaku@bx.jp.nec.com>, NEC Corporation. Contents: the specifications in the "OGSA-Sec Roadmap" and status of Working Groups; OGSA Security Services; specifications to be defined.



Presentation Transcript


  1. Security OGSA-WG Dec. '03 F2F Meeting @ ANL. Takuya Mori <moritaku@bx.jp.nec.com>, NEC Corporation

  2. Contents
  • The specifications in the "OGSA-Sec Roadmap" and status of Working Groups
  • OGSA Security Services
  • Specifications to be defined

  3. The specifications in the "OGSA-Sec Roadmap" and status of Working Groups

  4. Naming

  5. Translating between Security Realms

  6. Authentication / Session Security / Authorization

  7. Authorization, Trust and Privacy Policy Management

  8. VO Policy Management / Delegation / Firewall "Friendly"

  9. Security Policy Expression and Exchange / Secure Service Operation / Audit and Secure Logging

  10. OGSA Security Services

  11. Goal (diagram): a service request from Service a to Service b within a Virtual Organization, involving Authentication (at both services), Delegation, an Attribute Assertion and Authorization

  12. Applications (diagram): Service a sends a service request to Service b within a Virtual Organization

  13. OGSA Security Services overview (diagram; legend: described in OGSA / discussed in OGSA-AuthZ-WG / missing in OGSA or OGSA-AuthZ)
  • Applications: Service a in Real Organization 1 sends a service request to Service b in Real Organization 2
  • Security Services, present in each Real Organization: Distributed Logging, Authorization, Privacy, Attribute, Policy and Agreement, Authentication, Trust
  • Virtual Organization services
    • Federation Services: Identity / Attribute Mapping Service, Policy Mapping Service
    • VO Management Services: VO Membership Service, VO Policy Service
  • Underlying Security Layers: Security Policy (QoP) Exchange & Expression; Session Security (based on WS-SecureConversation); Message Security (based on WS-Security); Naming

  14. Authentication (diagram)
  (1) The requesting GS (Grid Service) in Real Organization 1 sends a service request carrying an Identity Credential to the GS in Real Organization 2, over Session Security (based on WS-SecureConversation)
  (2) The receiving service requests credential validation from its Authentication Service to get an identity of the requestor
  (3) The Trust Service checks for the trust relationship with the credential's issuer
  (4) Identity mapping is done through the Virtual Organization's Federation Services (Identity / Attribute Mapping Service)
  Other services shown: Distributed Logging, Authorization, Privacy, Attribute, Policy and Agreement in each Real Organization; VO Management Services (VO Membership Service, VO Policy Service); Policy Mapping Service

  15. Authorization (1) (diagram)
  (1) The requesting GS in Real Organization 1 gets an attribute assertion
  (2) It sends the service request, with the Attribute Assertion, to the GS in Real Organization 2
  (3) The receiving service asks its Authorization Service for an authorization decision; decisions are made based on policies and attributes
  (4) Attribute and policy mapping is done through the Virtual Organization's Federation Services (Identity / Attribute Mapping Service, Policy Mapping Service); the VO Membership Service acts as Attribute Authority and the VO Policy Service as Policy Authority

  16. Authorization (2) (diagram)
  • Prerequisite: the requestor has been identified (credential validation by the Authentication Service, as on slide 14)
  (1) The GS in Real Organization 2 asks its Authorization Service for an authorization decision; decisions are made based on policies and attributes
  (2) The Authorization Service checks for the VO membership and the policy for the requestor, using the VO Membership Service (Attribute Authority) and the VO Policy Service (Policy Authority)
  (3) or checks for some local attributes
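The flow on slides 14 to 16 separates four decisions that are easy to conflate: is the credential valid, is its issuer trusted, what do its attributes mean in the receiving realm, and does local policy plus VO membership permit the operation. The following is an added toy model of that pipeline, written for this transcript; it is not code from the slides, from OGSA, or from any Grid implementation. Every authority name, key, attribute vocabulary, VO member list and policy rule is constructed, and an HMAC-signed JSON assertion stands in for the PKI or Kerberos credentials the slides require.

```python
"""
Toy model of the OGSA authentication/authorization flow described on
slides 14-16. All names, keys, attributes and policies are constructed
for this illustration; HMAC-SHA256 is a stand-in for the PKI/Kerberos
credential validation the slides call for.
"""
import hashlib
import hmac
import json
import time

# Constructed trust material: a shared HMAC key per assertion authority.
# Validation only proves an assertion is genuine; it does not decide trust.
AUTHORITY_KEYS = {
    "attr-authority.org1.example": b"org1-constructed-key",
    "attr-authority.rogue.example": b"rogue-constructed-key",
}

# Trust Service policy of Real Organization 2: which authorities it trusts,
# and for which attribute names. The rogue authority is deliberately absent.
TRUST_POLICY = {
    "attr-authority.org1.example": {"role", "project"},
}

# Identity / Attribute Mapping Service: Org1 vocabulary -> Org2 vocabulary.
ATTRIBUTE_MAP = {
    ("role", "researcher"): ("org2-group", "users"),
    ("role", "pi"): ("org2-group", "staff"),
    ("project", "climate"): ("org2-project", "CLIM"),
}

# VO Membership Service: constructed member list.
VO_MEMBERS = {"climate-vo": {"alice@org1.example", "bob@org1.example"}}

# Local authorization policy of Service b in Org2, in Org2's own vocabulary.
POLICY = [
    {"operation": "read", "vo": "climate-vo",
     "requires": {"org2-group": {"users", "staff"}}},
    {"operation": "write", "vo": "climate-vo",
     "requires": {"org2-group": {"staff"}, "org2-project": {"CLIM"}}},
]


def issue_assertion(issuer, subject, attributes, key, ttl=300, now=None):
    """Attribute Authority: sign {issuer, subject, attributes, exp}."""
    now = time.time() if now is None else now
    body = {"issuer": issuer, "subject": subject,
            "attributes": attributes, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def validate_assertion(assertion, now=None):
    """Authentication Service (credential validation): check signature and
    expiry; return the parsed body, or None if the credential is invalid."""
    body = json.loads(assertion["payload"])
    key = AUTHORITY_KEYS.get(body["issuer"])
    if key is None:
        return None
    expected = hmac.new(key, assertion["payload"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    now = time.time() if now is None else now
    if body["exp"] < now:
        return None
    return body


def trusted_attributes(body):
    """Trust Service: keep only attributes the issuer is trusted to assert."""
    allowed = TRUST_POLICY.get(body["issuer"], set())
    return {k: v for k, v in body["attributes"].items() if k in allowed}


def map_attributes(attrs):
    """Attribute Mapping Service: translate into the receiving realm's terms."""
    mapped = {}
    for name, value in attrs.items():
        target = ATTRIBUTE_MAP.get((name, value))
        if target:
            mapped[target[0]] = target[1]
    return mapped


def is_vo_member(vo, subject):
    """VO Membership Service lookup."""
    return subject in VO_MEMBERS.get(vo, set())


def authorize(assertion, operation, now=None):
    """Authorization Service: run the whole pipeline, return (decision, reason)."""
    body = validate_assertion(assertion, now)
    if body is None:
        return False, "credential validation failed"
    attrs = trusted_attributes(body)
    if not attrs:
        return False, f"issuer {body['issuer']} not trusted"
    local = map_attributes(attrs)
    for rule in POLICY:
        if rule["operation"] != operation:
            continue
        if rule["vo"] and not is_vo_member(rule["vo"], body["subject"]):
            return False, f"{body['subject']} not a member of {rule['vo']}"
        if all(local.get(k) in v for k, v in rule["requires"].items()):
            return True, f"permitted by rule for {operation}"
    return False, "no matching policy"


if __name__ == "__main__":
    key = AUTHORITY_KEYS["attr-authority.org1.example"]
    a = issue_assertion("attr-authority.org1.example", "alice@org1.example",
                        {"role": "researcher", "project": "climate"}, key)
    print(authorize(a, "read"), authorize(a, "write"))
```

The rogue authority case is the one worth noticing: its assertion passes credential validation because the key is known, and is rejected only by the Trust Service, which is exactly why the slides list Trust as a separate service from Authentication. Expired and tampered assertions fail at validation, and a validly asserted non-member fails at the VO Membership check before local policy is consulted.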

  17. VO Security Services
  • VO Management Services
    • Referred to in subsection 6.2 of the OGSA document
    • VO Membership Service
      • Manages VO membership (users, resources, authorities, and ...)
      • Issues membership attribute assertions
      • This means the VO Membership Service is a kind of attribute service
    • VO Policy Service
      • VO-wide policy service (possible policies include authorization policy, trust policy, and privacy policy)
  • Federation Services
    • Missing parts in the OGSA document
    • Identity / Attribute Mapping Service
      • Converts identity or attribute assertions of one domain into those of another domain
    • Policy Mapping Service
      • Converts policies of one domain into those of another domain

  18. Security Services
  • Distributed Logging
    • Described in subsection 6.13 of the OGSA document
  • Policy and Agreement
    • Described in subsection 6.16 of the OGSA document
  • Authorization Service
    • Discussed in OGSA-AuthZ-WG, but not in the OGSA document

  19. Security Services (Contd.)
  • Attribute Service
    • (Will be) discussed in OGSA-AuthZ-WG
    • Not described in the OGSA document now
    • Issues an attribute assertion that is used for various policy decisions
  • Authentication Service (Credential Validation)
    • Not described in the OGSA document
    • Validates a credential and identifies a requestor
    • Support for PKI and Kerberos is mandatory
  • Privacy Service
    • Not described in the OGSA document
    • Manages privacy policy on both ends. It can be used to declare privacy information usage and to request preferences for privacy information handling.
  • Trust Service
    • Not described in the OGSA document
    • Manages trust policy (whether a party trusts an assertion authority or not) and makes decisions based on these policies

  20. What's Next
  • Find out whether the services listed on these slides are enough or not
  • Start describing security services in the OGSA document
  • Prioritize specifications and activate OGSA-SEC-WG to start discussion
  • Prioritizing example
    • High: VO Management, Authentication, Policy and Agreements
    • Middle: Federation Services, Trust
    • Low: Privacy

  21. Specifications to be defined

  22. Fundamental Specifications

  23. Authentication

  24. OGSA-AuthZ Specifications

  25. Federation Services

  26. Others (will be discussed in the future?)
