[Pgi-wg] PGi Transport Level Security Profile proposal
Duane Merrill
dgm4d at virginia.edu
Thu Mar 5 01:28:20 CST 2009
Morris, that looks like a great start on a specification/profile for a
delegation protocol to be used for acquiring credentials (i.e., X.509 proxy
certificates).
Revisiting our earlier telecon in which we discussed "separation of
concerns", Andrew and I suggest that we address our (relatively orthogonal)
security issues individually, in stages:
1. *Profile the security mechanisms that affect the wire and message
format of simple "request" and "request-response" message exchange
patterns.* This would entail providing ourselves with "a place to hang our hat on"
regarding even simple interoperability issues, such as various aspects of
SSL/TLS and SOAP. This step would also include the profiling of secure
communication mechanisms that affect simple messages (e.g., required
token types, cryptographic actions, protocols, etc.). This is the scope in
which we would want to describe our two conformance targets, allowing us to
profile technologies like X.509 proxy certificates (and how they may
encapsulate X.509 attribute certificates), SAML attribute assertions, and
nail down a format in which these two types of attributes can describe
aspects of virtual organization membership. Andrew and I have put together
a rough sketch at what something like this might look like (*see attached*).
2. *Profile mechanisms for token acquisition, token exchange, key
distribution, etc.* This is where your efforts above fit in: the
protocols by which endpoints can obtain proxy certificates for delegation.
This would also be a place where we can nail down authentication and
single-sign-on services (e.g., WS-Trust, VOMS, MyProxy, etc.).
3. *Profile mechanisms for the distribution of endpoint metadata.* This
would answer questions such as "*Where do I go to find certain types of
resources?*" and "*How can I obtain information that tells me how to
interact with a given resource?*". This is where we can nail down
aspects of various types of directory and discovery services (e.g., LDAP,
RNS, etc.).
4. *Profile mechanisms by which roots-of-trust are brokered amongst
communicating parties.* The establishment of trust relationships amongst
virtual organization participants is a prerequisite for multi-domain
authentication and authorization schemes.
There is one more security-related concern: *Mechanisms for authorization.*
Fortunately we have primarily been discussing a "push-style" of
credentialing (as opposed to "pull" or "agent" models), which should allow us
to treat the decision-making process in which application-layer actions are
authorized as being out-of-scope.
I've put together a strawman for (1) above, see attached.
-Duane
On Wed, Mar 4, 2009 at 5:08 PM, Moreno Marzolla
<moreno.marzolla at pd.infn.it> wrote:
> Dear all,
>
> I just uploaded to gridforge:
>
> http://forge.gridforum.org/sf/go/doc15549?nav=1
>
> a very early draft for a proposal of a "PGI Transport Level Security
> profile", which uses X509 proxy certificates + a delegation port-type
> for authentication and credential delegation.
>
> At the moment the document just states what has already been said during
> the PGI teleconferences. I hope it will be useful for tomorrow's
> discussion at OGF, and eventually evolve in the near future into a full
> specification (which at the moment it is definitely not).
>
> Moreno.
>
> --
> Moreno Marzolla
> INFN Sezione di Padova, via Marzolo 8, 35131 PADOVA, Italy
> EMail: moreno.marzolla at pd.infn.it Phone: +39 049 8277047
> WWW : http://www.dsi.unive.it/~marzolla Fax : +39 049 8756233
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGI_Secure_Communication_Strawman 0.2.doc
Type: application/msword
Size: 119808 bytes
Desc: not available
Url : http://www.ogf.org/pipermail/pgi-wg/attachments/20090305/c0e6b67a/attachment-0001.doc