[ogsa-authn-bof] Shibboleth/Grid Namespace Convergence

David Chadwick d.w.chadwick at kent.ac.uk
Tue Feb 6 06:46:00 CST 2007


Hi Nate

Mapping from the identity used in authentication to the one to be used 
in authorisation is a well known problem that has been around for many 
years.

The key requirement from a security perspective is that this mapping is 
done in a secure manner, otherwise this becomes the weakest point of the 
system and the place to attack. E.g. if a simple lookup table is stored 
in a file somewhere, then all the attacker needs to do is to update this 
file and hey presto he increases his privileges instantly.

Ways to perform the mapping can be algorithmically e.g. mapping a login 
id into an email address, or via a secure lookup table, or an LDAP 
directory, or a signed certificate containing the mapping etc.

I believe that this is one of the connection points between the authn 
and authz infrastructures, and the name mapping should be modelled as a 
callable function, so that multiple different implementations can be 
plugged in underneath the interface. The interface itself could be 
implemented and standardised as a programmable API, or a security 
protocol to an external function. Either or both of these could be 
standardisation work for the OGF.

regards

David






Nate Klingenstein wrote:
> OGSA-Authn BoFfers,
> 
> At our meeting in North Carolina, I flagged the translation of names  
> from the grid world to the institutional world and vice versa as  
> being an important topic for discussion in the next several months.   
> We need to begin to document current practices so that a path towards  
> convergence can be identified.
> 
> I'd like to give a brief background for those on the list who aren't  
> heavily steeped in this problem.  The various Shibboleth-grid  
> integration projects out there all want to bootstrap grid  
> authentication (and sometimes authorization) by use of institutional  
> authentication.  This authentication generally results in a unique  
> identifier for the user which differs in form from that used on the  
> grid, and potentially in semantic meaning as well.
> 
> There are a lot of different types of identifiers.  If a campus is  
> using LDAP, the user will also have a DN associated with their entry,  
> but this directory DN is rarely used as an identifier in practice and  
> usually won't correspond to those issued in x.509 certificates  
> anyway.  Local practices for primary identifier vary based on local  
> needs, and many institutions don't use LDAP at all.   
> eduPersonPrincipalName, which takes the form of name at domain, has  
> proven the most ubiquitous and successful in inter-realm deployment  
> thus far.
> 
> The critical step is translation of the identifier that results from  
> campus authentication to a grid-usable credential (and, potentially,  
> vice-versa for callbacks).  This bootstrap can be performed in many  
> ways at many different points.  Differences in practice could lead to  
> non-interoperability and general confusion for grid SP's and campus  
> IdP's alike.
> 
> There are several projects out there that have bridged this gap in  
> creative ways, such as SHEBANGS, SLCS, and GridShib.  I'd like to  
> invite each project to take some time within the next month to  
> describe in a brief document how they linked Shibboleth  
> authentication to the grid as a first step.  If there's a willingness  
> to document additional passing of authorization or attribute  
> information, I think that would be useful as well.
> 
> Cheers,
> Nate.
> _______________________________________________
> ogsa-authn-bof mailing list
> ogsa-authn-bof at ogf.org
> http://www.ogf.org/mailman/listinfo/ogsa-authn-bof
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
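The pluggable mapping function David describes above, written out as an added example (this is not code from the list, from Nate, or from any of the projects named in the thread): a `NameMapper` interface with two constructed backends, an algorithmic mapper that derives a grid DN from an eduPersonPrincipalName by rule, and a lookup-table mapper that checks an integrity tag over the table before using it, so that the "just edit the file" attack he mentions is detected rather than rewarded. The DN layout, the `example.ac.uk` realm, the user names and the key are all assumptions; the tag is an HMAC rather than a public-key signature purely to stay within the standard library (a publisher-signed table where the mapper holds only the verification key is the closer analogue of the "signed certificate containing the mapping" option).

```python
"""Pluggable authn-to-authz name mapping (constructed example)."""
import hashlib
import hmac
import json
from abc import ABC, abstractmethod
from typing import Dict, Optional, Tuple


class NameMapper(ABC):
    """The connection point between authn and authz: one callable function,
    with interchangeable implementations plugged in underneath."""

    @abstractmethod
    def map_name(self, authn_id: str) -> Optional[str]:
        """Return the authorisation identity for authn_id, or None if unknown."""


class AlgorithmicMapper(NameMapper):
    """Derives a grid DN from an eduPersonPrincipalName (user@domain) by rule.
    There is no stored table to edit; the security of the result rests on the
    authn layer having verified the realm (domain) part."""

    def __init__(self, base_dn_by_domain: Dict[str, str]):
        # Realm -> base DN (assumed layout, e.g. "/C=UK/O=eScience/OU=Example").
        self._base = {d.lower(): b for d, b in base_dn_by_domain.items()}

    def map_name(self, authn_id: str) -> Optional[str]:
        user, sep, domain = authn_id.partition("@")
        if not sep or not user or not domain:
            return None
        base = self._base.get(domain.lower())
        if base is None:
            return None  # unknown realm: refuse rather than guess
        return f"{base}/CN={user}"


class TamperedTableError(Exception):
    """Raised when a lookup table fails its integrity check."""


class AuthenticatedTableMapper(NameMapper):
    """Lookup-table mapper that only trusts a table carrying a valid tag
    produced by the table's publisher. A table altered on disk no longer
    verifies, so the mapper refuses it instead of honouring the new entry."""

    def __init__(self, key: bytes, table_json: str, tag_hex: str):
        self._table = self._verify_and_load(key, table_json, tag_hex)

    @staticmethod
    def sign_table(key: bytes, table: Dict[str, str]) -> Tuple[str, str]:
        """Serialise the table canonically and compute its integrity tag."""
        canonical = json.dumps(table, sort_keys=True, separators=(",", ":"))
        tag = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
        return canonical, tag

    @staticmethod
    def _verify_and_load(key: bytes, table_json: str, tag_hex: str) -> Dict[str, str]:
        expected = hmac.new(key, table_json.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag_hex):
            raise TamperedTableError("mapping table integrity check failed")
        table = json.loads(table_json)
        if not isinstance(table, dict) or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in table.items()
        ):
            raise TamperedTableError("mapping table has unexpected shape")
        return table

    def map_name(self, authn_id: str) -> Optional[str]:
        return self._table.get(authn_id)


def run_demo() -> dict:
    """Publish a one-entry table, then show that an edited copy is rejected."""
    key = b"constructed-demo-key-not-for-production"
    table = {"alice@example.ac.uk": "/C=UK/O=eScience/OU=Example/CN=alice"}
    canonical, tag = AuthenticatedTableMapper.sign_table(key, table)
    good = AuthenticatedTableMapper(key, canonical, tag)
    # Someone with write access to the file appends a privileged mapping.
    tampered = canonical.replace(
        "}", ',"mallory@example.ac.uk":"/C=UK/O=eScience/OU=Example/CN=admin"}')
    try:
        AuthenticatedTableMapper(key, tampered, tag)
        rejected = False
    except TamperedTableError:
        rejected = True
    return {
        "alice": good.map_name("alice@example.ac.uk"),
        "mallory": good.map_name("mallory@example.ac.uk"),
        "tamper_rejected": rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

Both backends sit behind the same `map_name` call, which is the point of modelling the mapping as a function: the authz layer neither knows nor cares whether the answer came from a rule, a verified table, a directory lookup or a certificate, and the integrity guarantee lives entirely inside the implementation.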

