[Pgi-wg] OGF PGI - Security Strawman
Etienne URBAH
urbah at lal.in2p3.fr
Mon Mar 23 12:57:15 CDT 2009
To All,
I thank Duane MERRIL for his 'Profile on Secure Communication' strawman.
But, since today's mail of Vincenzo CIASCHINI asserting interoperability
between recent versions of OpenSSL and GSI, I do NOT think that
communication layers are the main issue blocking interoperability.
I propose that instead of focusing on communication services, we focus on
the security data defined, the security data transported, and the
interpretation of security data by AUTHN/AUTHZ services.
So, I propose to criticize the following assertions:
1) Grid Users and Certificate Authorities
-----------------------------------------
1.1) Each grid User is authenticated by a legal body (recognized by a
government).
1.2) This legal body uses a Certificate Authority to grant a (long
lived) X509 certificate to the grid User.
1.3) Each Certificate Authority either is itself a self-signed Root
Certificate Authority, or is authenticated by one.
1.4) All such Root Certificate Authorities trust each other and
cooperate within APGridPMA, EUGridPMA or TAGPMA (Policy Management
Authorities).
1.5) These 3 Policy Management Authorities trust each other and
cooperate within IGTF.
1.6) IGTF distributes the list of CA Certificates to be trusted.
1.7) Each grid Site providing grid Services to grid Users MUST install
this list of CA Certificates and keep it up to date.
1.8) Using its X509 certificate, each grid User can create at any time
a (short lived) X509 proxy which permits impersonation / delegation
during a short period.
2) Virtual Organizations
-------------------------
2.1) A Virtual Organization (VO) groups grid Users with common goals.
A VO is NOT a legal body, can NOT be a Certificate Authority, and can
NOT issue X509 certificates.
2.2) Inside DEISA, a Virtual Community also groups grid Users with
common goals. The relationships between Virtual Communities and Virtual
Organizations have to be clarified by Morris RIEDEL.
2.3) Each grid User belongs to one or more VOs (Virtual Organizations),
which grant him access rights to grid Storage and Computing Resources.
2.4) Access rights are granted by VOs to grid Users through either:
2.4.1) VOMS extensions of X509 proxies (this makes a VOMS proxy)
2.4.2) SAML assertions
3) Grid Services: Information, AUTHN, AUTHZ
----------------------------------------------
3.1) Each grid Infrastructure provides an Information Service, which
describes the Infrastructure according to the GLUE2 schema.
3.2) Each grid User can query this Information Service anonymously in
order to know which security protocol he has to use to submit requests
to grid Services.
3.3) Each grid User can directly access data hosted by grid Storage
Services. For Authentication, the grid User can present the public part
of his X509 certificate or X509 proxy. For Authorization, the grid User
can present:
3.3.1) the public part of his VOMS proxy, or
3.3.2) a bag of SAML assertions.
3.4) Each grid User can submit Jobs to grid Computing Services. If
such a Job needs access to data hosted by grid Storage Services, then
the grid User must provide a delegation token. This delegation token
can be :
3.4.1) a full VOMS proxy, or
3.4.2) a bag of SAML assertions.
4) Consequences for Interoperability
-------------------------------------
4.1) X509 proxies MUST fully comply with RFC 3820.
4.2) VOMS services, which deliver X509 proxies with VOMS extensions,
MUST fully comply with RFC 3820.
4.3) The authentication library used by grid Services MUST fully comply
with RFC 3820 (for example a recent version of OpenSSL), so that it can
accept X509 certificates as well as X509 proxies.
4.4) Each grid Site providing grid Services to grid Users MUST install
files describing VOMS authorizations and other authorizations, and keep
them up to date.
4.5) The semantics of Authorization tokens MUST be the same for all
grid Infrastructures:
4.5.1) VOMS extensions
4.5.2) Restriction attributes
4.6) The Information Service of each grid Infrastructure MUST describe,
for each grid Service, which Authorization tokens this Service
understands (potentially several):
4.6.1) VOMS extensions
4.6.2) X509 restriction attributes
4.6.3) SAML assertions
4.7) For SAML assertions, the Information Service of each grid
Infrastructure MUST describe, for each grid Service, how they are
transported:
4.7.1) As attributes of X509 proxies
4.7.2) Inside a SOAP header
Unfinished ...
Best regards.
----------------------------------
Etienne URBAH IN2P3 - LAL
Bat 200 91898 ORSAY France
Tel: +33 1 64 46 84 87
Mob: +33 6 22 30 53 27
Skype: etienne.urbah
mailto:urbah at lal.in2p3.fr
----------------------------------
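The points in 1.8 and 4.1-4.3 above (a user signs a short-lived RFC 3820 proxy with his own key, and the site's authentication library must validate it) can be exercised with the OpenSSL command line. The script below is an added example, not part of the mail or of any PGI software; it assumes the openssl CLI (1.1.1 or later) and uses constructed names (Demo Root CA, Alice) in a temporary directory.

```shell
#!/bin/sh
# Added example: build root CA -> user EEC -> RFC 3820 proxy with OpenSSL,
# then validate the chain as an RFC 3820-aware library would. Constructed
# names only; assumes the openssl CLI (1.1.1 or newer) is installed.
set -eu
W=$(mktemp -d)

# new_key_csr NAME SUBJECT: fresh RSA key and CSR for one actor in the chain
new_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/$1.key" \
    -out "$W/$1.csr" -subj "$2" 2>/dev/null
}
# sign_cert CSR ISSUER_CERT ISSUER_KEY OUT EXTFILE ("self" = self-signed root)
sign_cert() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1" -signkey "$3" -out "$4" -days 2 -extfile "$5" 2>/dev/null
  else
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
      -out "$4" -days 1 -extfile "$5" 2>/dev/null
  fi
}

# Root CA: stands in for a CA distributed in the IGTF list (1.6 / 1.7)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$W/ca.cnf"
new_key_csr ca "/DC=org/DC=example/CN=Demo Root CA"
sign_cert "$W/ca.csr" self "$W/ca.key" "$W/ca.pem" "$W/ca.cnf"

# Long-lived user certificate (1.2): an end-entity, explicitly NOT a CA
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$W/ee.cnf"
new_key_csr alice "/DC=org/DC=example/CN=Alice"
sign_cert "$W/alice.csr" "$W/ca.pem" "$W/ca.key" "$W/alice.pem" "$W/ee.cnf"

# Short-lived proxy (1.8): signed by the USER's key, carries the critical
# ProxyCertInfo extension, subject = user DN plus exactly one CN (RFC 3820 3.4)
printf 'proxyCertInfo=critical,language:id-ppl-inheritAll\n' > "$W/proxy.cnf"
new_key_csr good "/DC=org/DC=example/CN=Alice/CN=1234"
sign_cert "$W/good.csr" "$W/alice.pem" "$W/alice.key" "$W/good.pem" "$W/proxy.cnf"
# A proxy violating the naming rule: appends an OU instead of a CN
new_key_csr bad "/DC=org/DC=example/CN=Alice/OU=Bad"
sign_cert "$W/bad.csr" "$W/alice.pem" "$W/alice.key" "$W/bad.pem" "$W/proxy.cnf"

# verify_proxy CERT: exit 0 when the chain validates under RFC 3820 rules
verify_proxy() {
  openssl verify -CAfile "$W/ca.pem" -untrusted "$W/alice.pem" -allow_proxy_certs "$1" >/dev/null 2>&1
}
# verify_legacy CERT: a library not configured for proxies rejects every proxy (4.3)
verify_legacy() {
  ( unset OPENSSL_ALLOW_PROXY_CERTS
    openssl verify -CAfile "$W/ca.pem" -untrusted "$W/alice.pem" "$1" >/dev/null 2>&1 )
}

verify_proxy "$W/good.pem" && echo "good proxy: accepted"
verify_proxy "$W/bad.pem" || echo "bad proxy: rejected (subject name violation)"
verify_legacy "$W/good.pem" || echo "good proxy, proxy support off: rejected"
```

Run it without `2>/dev/null` on the verify commands to see the exact OpenSSL error codes (proxy subject name violation, proxy certificates not allowed) that a non-compliant site would report.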