[Pgi-wg] OGF PGI - Security Model

Fri Mar 27 04:58:52 CDT 2009

hi folks,

2009/3/26 Morris Riedel <m.riedel at fz-juelich.de>

> Hi interop-friends,
>
>  firstly sorry again for missing the last days. I have seen many comments
> since then and unfortunately see that the different threads had been united
> again mixing things up a bit (maybe it was nevertheless useful).
>
>
> Finally Steven made a good point with 2-3 sec. models out of n^n ones.
>

>
>
> So finally we have reached to the ideas of my suggestions of having
> well-defined different security 'plumbings' (aka 2-3 well-defined security
> models). I don't care about its precise name...
>
> I just used this term 'plumbings' because it had no pre-definition in
> security, please compare the vertical lines in the interoperability
> reference model - they are just more simpler defined in terms of AUTHN and
> ATTRIBUTE-AUTHZ than the long list presented by Etienne but very much of
> its
> content is the same. I presented this since OGF23&OGF24 within GIN with the
> two ways (left AC and right SAML) and the open issues to work on, but never
> had chance to write it down in written text yet:
>
>
> http://www.ogf.org/OGF24/materials/1409/2008-09-16_GIN_SessionTwo_OGF24_Ried
> el_v1.pdf<http://www.ogf.org/OGF24/materials/1409/2008-09-16_GIN_SessionTwo_OGF24_Ried%0Ael_v1.pdf>
>
> Slide 6 and others... :-)
>
> Especially on this slide 6, even outsiders of our production Grids (like
> Chris Smith) understood the meaning of the slide and I got positive
> feedback
> on this from numerous sides.
>
>
> We all want to reach interoperability here in this group.
>
> We want to do this for certain interop applications. We shouldn't
> underestimate the power of the combination of the different security
> elements -  nailing down the currently typical ways of using TLS with
> certs,
> Attr-Authz, Attributes, Constraints/Restrictions in conjunction are already
> powerful.
>
> We will have precise PGI definition of aligning such building blocks even
> if
> there are two ways in the end - but there are less than n^n ways that are
> currently out there in the security field combining different blocks,
> profiles, etc....
>
>
> Also, what the middleware supports and what is then deployed in turn on
> particular production Grids are both different stories!
>
>
> For instance, UNICORE can be used with the proxy-style (plumbing) enabling
> interoperability with gLite, ARC, NAREGI. We have done this for many
> interop
> use cases, for instance with portals requiring proxies.
>
> However, there should be also another full X.509 (plumbing) available where
> other common approaches can be used and then expressed correctly via GLUE
> in
> interops as well used other infrastructures with different policies. I even
> foresee that there could be used more than one plumbing in parallel.
>

Again, I don't see it is reasonable to put the support of proxy and full
X.509 ("support" here means the verification of credential during the
processing of TLS/SSL) in parallel.
If the middleware supports proxy, then with no doubt it implicitly and
naturally supports full X.509, since full X.509 support is just a specific
scenario of proxy support, and also almost all of the middlewares support
(or will support) proxy. But the principle does not apply vice versa.
So I think it is not needed to define two profiles here in term of
certificate support (proxy or full x509).
So supporting proxy shoud be a mandatory requirement, IMO.

>
>
> We may have still single islands in a way - but we also come closer
> together, which is a good first step towards the right direction and my
> suggestion to move forward in this complex security discussion since its
> beginning.
>
>
>
> Which particular plumbings of both common approaches are then used in
> production Grids is policy of the respective deployments of the middlewares
> and may even depend on the underlying interop application use cases which
> should be our most significant drivers (!) - BUT the main point is that we
> know where we talking about in interop work without having n ^ n different
> security setups available!
>
>
> Only one short example:
>
> # There is one DB with attribute information about of end-users (used by
> VOMS)
> # Agreeing on the attribute semantics&Structure is important
>

My two cents here:
1. With or without voms AC in proxy extension is not a issue for
authentication, while it is a issue for authorization. For those client
carrying proxy certificates without voms AC extension can not access those
services which requires those attributes from voms AC. But the rejection is
only because service can not find the attributes which can match its local
policy, not  (should not) because anything else (for instance becaus of the
service can not find voms AC). If the service can not find voms AC, it will
try to find the attributes from some other place of the proxy certificate,
for instance, if the DN of this proxy matches the grid-map file, the service
will also give authorization.
So supporting voms AC should be looked as optional.

2. For the format of voms AC, I think we probably should not put effors on
the definition of it. It should be formated by other standalization group.
Since there is only one implementation which support AC in grid community,
we can simply adopt this implementation, and look it as de-facto standard.

Weizhong Qiang

>
> # VOMS support interface for retrieving AC and also SAML assertions
> # There are two ways of transporting the attributes that come out of the
> same DB (used for later attr-authZ)
> # Both transports have correct AuthN mechanisms (clarifies AuthN+ID-authZ)
> # In the end using different plumbings, but the same attributes are then
> evaluated against a policy describing maybe having equal policies based on
> the same transported attributes of the same DB (re-alignment!)
> # In the end what matter are the attributes a user has and what the policy
> decides to do with them (if its XACML, ACLs, etc. is unimportant here), but
> we should talk about the same things once we evaluate attributes.
>
>
> I try to provide you more figures, etc. hopefully tomorrow - but on my
> slides a lot of it has been already presented numerous times... we just
> have
> to nail it down - but in a more KISS style = Keep in Simple and
> Sweet/Stupid!
>
>
>
> Your co-chair,
> Morris
>
> ------------------------------------------------------------
> Morris Riedel
> SW - Engineer
> Distributed Systems and Grid Computing Division
> Jülich Supercomputing Centre (JSC)
> Forschungszentrum Juelich
> Wilhelm-Johnen-Str. 1
> D - 52425 Juelich
> Germany
>
> Email: m.riedel at fz-juelich.de
> Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
> Phone: +49 2461 61 - 3651
> Fax: +49 2461 61 - 6656
>
> Skype: MorrisRiedel
>
> "We work to better ourselves, and the rest of humanity"
>
> Sitz der Gesellschaft: Jülich
> Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
> Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
> Vorstand: Prof. Dr. Achim Bachem (Vorsitzender),
> Dr. Ulrich Krafft (stellv. Vorsitzender)
>
> >------Original Message-----
> >-From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf
> Of
> >-Steven Newhouse
> >-Sent: Thursday, March 26, 2009 7:16 PM
> >-To: Moreno Marzolla; Duane Merrill
> >-Cc: pgi-wg at ogf.org; edges-na3 at mail.edges-grid.eu; lodygens at lal.in2p3.fr
> >-Subject: Re: [Pgi-wg] OGF PGI - Security Model
> >-
> >-> Having to build
> >-> adapters to translate (if possible) credentials in different formats
> >-is
> >-> a compromise which is more reasonable than having to wait for all the
> >-> middlewares of the world to move towards a common security
> >-> infrastructure.
> >-
> >-In the short term... documenting and defining the 2 or 3 security models
> >-is real progress. If a service only supports one of these I do not see
> >-this as a problem - for all the reasons given. Providing credential
> >-translation services to provide 'shims' (or bridges between these
> >-islands) as an interim solution makes this work. Its a low risk to
> >-individual services - they maintain their current stability - and can
> >-migrate over time to support both or the most 'popular' one - let the
> >-market decide!
> >-
> >-Each service can then advertise the mechanisms it supports and clients
> >-can locate credential translation services as required.
> >-_______________________________________________
> >-Pgi-wg mailing list
> >-Pgi-wg at ogf.org
> >-http://www.ogf.org/mailman/listinfo/pgi-wg
>
> _______________________________________________
> Pgi-wg mailing list
> Pgi-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/pgi-wg
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.ogf.org/pipermail/pgi-wg/attachments/20090327/91ce2c25/attachment-0001.html 