[Pgi-wg] Discussion about elements/priorities in the field of security

weizhong qiang weizhongqiang at gmail.com
Tue Mar 17 09:31:14 CDT 2009


hi,
Thanks for throwing out those points.

2009/3/17 Morris Riedel <m.riedel at fz-juelich.de>

> Hi PGI security folks,
>
>
>  currently I see five major elements in terms of security related to PGI:
>
>
> (1)
> Authentication/Attribute-based Authorization (i.e. plumbings as named
> earlier), maybe first push-based before looking at pull-based models -
> although, this of course, can be discussed as well among us.


If we are talking about attributes carried inside a SAML assertion, getting the
attributes from the attribute authority is not a challenge; for instance, we can
use the VOMS SAML service (the client gets back a SAML assertion that includes the
attributes, through SSL authentication with the VOMS SAML service) as a
candidate. But how to push the SAML assertion from the client side to the service
side could be a challenge (for which VOMS has not provided a solution, IMO).
I can see two ways: one way is to put the SAML assertion into an X.509 proxy
certificate's extension, by which you can guarantee that the attribute
information is bound to the SSL authentication;
the other way is to put the SAML assertion in the SOAP header, which further
splits into two branches: first branch, using the SAML assertion for message
(SOAP) level authentication + attribute carrying (in this case the VOMS SAML
service should probably be improved to create a SAML response containing a
holder-of-key authentication assertion, then this assertion can be used for
message level authentication according to the WS-Security SAML Token Profile
1.1); second branch, using the SAML assertion only for attribute carrying (in
this case, the transport level security should be configured).

I heard that the VOMS attribute service is used in UNICORE; could some colleagues
provide some details about how the above scenario is processed?


In the case of ARC, it can get back a SAML assertion from the VOMS SAML service,
and it can put the SAML assertion as an extension of the proxy certificate; it
also supports WS-Security (SAML Token profile, as well as UsernameToken and X.509
Token), but how to get a SAML Token is lacking.

Maybe people from OGSA-AuthZ group can give some suggestions.


>
>
>
> (2)
> Agreement on Definition/Semantics/Structure of Attributes


Has the usage of SAML attribute assertion been decided?


>
>
>
> (3)
> Encoding of delegation restriction/constraints


The restriction is about what kind of policy will be used?


>
>
>
> (4)
> Interface of delegation service (maybe based on subset of WS-Trust)




>
>
>
> (5)
> Agreement on third party credentials transportation (e.g. a delegated
> GridFTP proxy/SAML assertion-based access for data-staging during BES
> submissions)
>
>
> As a starting point - have I forgot something in this enumeration? If so -
> please answer to this thread.
>
>
> In terms of priorities, I would suggest to focus first on number one, but
> of
> course feel free to comment within this thread.


Agreed. IMO, the whole profile which will be adopted is the most important thing.

Regards,
Weizhong



>
>
>
> Your co-chair,
> Morris
>
> P.S. I cc'ed the area director of security (David Groep) to ensure that we
> did not duplicate efforts done elsewhere (i.e. in the OGSA-AuthZ group). We
> have been in touch about a few security issues raised in GIN earlier. CIAO.
>
>
> ------------------------------------------------------------
> Morris Riedel
> SW - Engineer
> Distributed Systems and Grid Computing Division
> Jülich Supercomputing Centre (JSC)
> Forschungszentrum Juelich
> Wilhelm-Johnen-Str. 1
> D - 52425 Juelich
> Germany
>
> Email: m.riedel at fz-juelich.de
> Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
> Phone: +49 2461 61 - 3651
> Fax: +49 2461 61 - 6656
>
> Skype: MorrisRiedel
>
> "We work to better ourselves, and the rest of humanity"
>
> Registered office: Jülich
> Registered in the commercial register of the Düren district court, No. HR B 3498
> Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
> Board of Directors: Prof. Dr. Achim Bachem (Chairman),
> Dr. Ulrich Krafft (Deputy Chairman)
>
>
>
> _______________________________________________
> Pgi-wg mailing list
> Pgi-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/pgi-wg
>
>
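The two SOAP-header branches discussed in the reply above (holder-of-key for message-level authentication plus attributes, versus attribute-only with transport-level security) differ in how the receiving service binds the assertion to whoever actually presented it. The following is an added example, not code from the PGI thread or from VOMS, ARC or UNICORE: a service-side acceptance check in Python. It assumes that the assertion's own XML Signature by the attribute authority and, for the holder-of-key branch, the WS-Security message signature have already been verified by other code, so the check here is only the binding: the key named in SubjectConfirmationData must be the message signer's, or for a bearer assertion the transport-authenticated DN must equal the assertion subject. The certificates, DNs, issuer URL and the attribute name urn:example:voms:fqan are constructed placeholders, not VOMS's real values.

```python
import base64
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
            "wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed placeholders standing in for base64 DER certificates; not real certs.
USER_CERT_B64 = base64.b64encode(b"constructed certificate for alice").decode()
OTHER_CERT_B64 = base64.b64encode(b"constructed certificate for mallory").decode()
# Hypothetical attribute name; VOMS's real SAML attribute names are not assumed here.
FQAN_ATTR = "urn:example:voms:fqan"


def build_envelope(subject_dn, method, attrs, not_on_or_after, cert_b64=None):
    """Constructed SOAP 1.1 envelope carrying a SAML 2.0 assertion in wsse:Security.
    For holder-of-key the subject's certificate is named in SubjectConfirmationData."""
    key_info = ""
    if method == HOLDER_OF_KEY:
        key_info = (f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:X509Data>'
                    f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
                    "</ds:X509Data></ds:KeyInfo>")
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>" for n, v in attrs)
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header><wsse:Security xmlns:wsse="{NS['wsse']}">
    <saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0">
      <saml:Issuer>https://voms.example.org/saml</saml:Issuer>
      <saml:Subject>
        <saml:NameID>{subject_dn}</saml:NameID>
        <saml:SubjectConfirmation Method="{method}">
          <saml:SubjectConfirmationData>{key_info}</saml:SubjectConfirmationData>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotOnOrAfter="{not_on_or_after:{TIME_FMT}}"/>
      <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
    </saml:Assertion>
  </wsse:Security></soap:Header>
  <soap:Body><CreateActivity xmlns="urn:example:bes"/></soap:Body>
</soap:Envelope>"""


def _b64(s):
    # Compare base64 blobs ignoring line-wrapping whitespace.
    return "".join(s.split())


def accept_assertion(envelope_xml, now, presenter_cert_b64=None, transport_dn=None):
    """Return (accepted, reason, [(attribute_name, value), ...]).

    presenter_cert_b64: certificate whose key signed this SOAP message (branch 1).
    transport_dn: identity authenticated at transport level, e.g. TLS client DN (branch 2).
    ASSUMED and not done here: the issuer signature on the assertion, and the
    WS-Security message signature for branch 1, were verified before this call.
    """
    root = ET.fromstring(envelope_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return False, "no SAML assertion in wsse:Security", []
    cond = assertion.find("saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry is None or now >= datetime.strptime(expiry, TIME_FMT):
        return False, "assertion expired or has no validity window", []
    subject_dn = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    method = conf.get("Method") if conf is not None else None
    if method == HOLDER_OF_KEY:
        cert = conf.find("saml:SubjectConfirmationData/ds:KeyInfo/"
                         "ds:X509Data/ds:X509Certificate", NS)
        if cert is None or presenter_cert_b64 is None:
            return False, "holder-of-key assertion without a confirmable key", []
        if _b64(cert.text) != _b64(presenter_cert_b64):
            return False, "message signer is not the key holder named in the assertion", []
    elif method == BEARER:
        if transport_dn is None:
            return False, "bearer assertion requires transport-level authentication", []
        if transport_dn != subject_dn:
            return False, "transport identity does not match the assertion subject", []
    else:
        return False, f"unsupported confirmation method {method!r}", []
    attrs = [(a.get("Name"), a.findtext("saml:AttributeValue", namespaces=NS))
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    return True, "accepted", attrs


def demo():
    """Run both branches through the check, including the cases it must reject."""
    now = datetime(2009, 3, 17, 14, 31, 14)
    later = now + timedelta(hours=12)
    alice = "/DC=org/DC=example/CN=alice"
    attrs = [(FQAN_ATTR, "/vo.example.org/Role=production")]
    hok = build_envelope(alice, HOLDER_OF_KEY, attrs, later, USER_CERT_B64)
    bearer = build_envelope(alice, BEARER, attrs, later)
    return {
        "hok_ok": accept_assertion(hok, now, presenter_cert_b64=USER_CERT_B64),
        "hok_stolen": accept_assertion(hok, now, presenter_cert_b64=OTHER_CERT_B64),
        "bearer_no_tls": accept_assertion(bearer, now),
        "bearer_ok": accept_assertion(bearer, now, transport_dn=alice),
        "bearer_relayed": accept_assertion(bearer, now,
                                           transport_dn="/DC=org/DC=example/CN=mallory"),
        "expired": accept_assertion(hok, later, presenter_cert_b64=USER_CERT_B64),
    }


if __name__ == "__main__":
    for name, (ok, reason, got) in demo().items():
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}: {reason} {got if ok else ''}")
```

The bearer branch insists that the transport-authenticated DN equals the assertion subject: an attribute-only assertion is not bound to the message, so without that comparison any client that can authenticate at transport level could relay a captured assertion and inherit its attributes. The holder-of-key branch instead ties the assertion to the message signer's key, which is what lets it double as message-level authentication; the expiry check applies to both.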