[Pgi-wg] PGi Transport Level Security Profile proposal

Duane Merrill dgm4d at virginia.edu
Thu Mar 5 01:28:20 CST 2009


Morris, that looks like a great start on a specification/profile for a
delegation protocol to be used for acquiring credentials (i.e., X.509 proxy
certificates).

Revisiting our earlier telecon in which we discussed "separation of
concerns", Andrew and I suggest that we address our (relatively orthogonal)
security issues individually, in stages:

   1. *Profile the security mechanisms that affect the wire and message
   format of simple "request" and "request-response" message exchange
   patterns.*
   This would entail providing ourselves with "a place to hang our hat on"
   regarding even simple interoperability issues, such as various aspects of
   SSL/TLS and SOAP.  This step would also include the profiling of secure
   communication mechanisms that affect simple messages (e.g., required
   token types, cryptographic actions, protocols, etc.).  This is the scope in
   which we would want to describe our two conformance targets, allowing us to
   profile technologies like X.509 proxy certificates (and how they may
   encapsulate X.509 attribute certificates), SAML attribute assertions, and
   nail down a format in which these two types of attributes can describe
   aspects of virtual organization membership.  Andrew and I have put together
   a rough sketch at what something like this might look like (*see
   attached*).
   2. *Profile mechanisms for token acquisition, token exchange, key
   distribution, etc*.  This is where your efforts above fit in: the
   protocols by which endpoints can obtain proxy certificates for delegation.
   This would also be a place where we can nail down authentication and
   single-sign-on services (e.g., WS-Trust, VOMS, MyProxy, etc.).
   3. *Profile mechanisms for the distribution of endpoint metadata.*  This
   would answer questions such as "*Where do I go to find certain types of
   resources?*" and "*How can I obtain information that tells me how to
   interact with a given resource?*".  This is where we can nail down
   aspects of various types of directory and discovery services (e.g., LDAP,
   RNS, etc.).
   4. *Profile mechanisms by which roots-of-trust are brokered amongst
   communicating parties.*  The establishment of trust relationships amongst
   virtual organization participants is a prerequisite for multi-domain
   authentication and authorization schemes.

There is one more security-related concern: *Mechanisms for authorization.*
Fortunately we have primarily been discussing a "push-style" of
credentialing (as opposed to "pull" or "agent" models), which should allow us
to treat the decision-making process in which application-layer actions are
authorized as being out-of-scope.

I've put together a strawman for (1) above, see attached.

-Duane



On Wed, Mar 4, 2009 at 5:08 PM, Moreno Marzolla
<moreno.marzolla at pd.infn.it> wrote:

> Dear all,
>
> I just uploaded to gridforge:
>
> http://forge.gridforum.org/sf/go/doc15549?nav=1
>
> a very early draft for a proposal of a "PGI Transport Level Security
> profile", which uses X509 proxy certificates + a delegation port-type
> for authentication and credential delegation.
>
> At the moment the document just states what has already been said during
> the PGI teleconferences. I hope it will be useful for tomorrow's
> discussion at OGF, and eventually evolve in the near future into a full
> specification (which at the moment is definitely not).
>
> Moreno.
>
> --
> Moreno Marzolla
> INFN Sezione di Padova,    via Marzolo 8,   35131 PADOVA,  Italy
> EMail: moreno.marzolla at pd.infn.it         Phone: +39 049 8277047
> WWW  : http://www.dsi.unive.it/~marzolla  Fax  : +39 049 8756233
>
> _______________________________________________
> Pgi-wg mailing list
> Pgi-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/pgi-wg
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGI_Secure_Communication_Strawman 0.2.doc
Type: application/msword
Size: 119808 bytes
Desc: not available
Url : http://www.ogf.org/pipermail/pgi-wg/attachments/20090305/c0e6b67a/attachment-0001.doc 

