[Pgi-wg] OGF PGI - Security Strawman
Aleksandr Konstantinov
aleksandr.konstantinov at fys.uio.no
Fri Mar 27 05:02:28 CDT 2009
On Monday 23 March 2009 19:57, Etienne URBAH wrote:
> To All,
>
> I thank Duane MERRIL for his 'Profile on Secure Communication' strawman.
>
> But, since today's mail of Vincenzo CIASCHINI asserting interoperability
> between recent versions of OpenSSL and GSI, I do NOT think that
> communication layers are the main isue blocking interoperability.
>
> I propose that instead focusing on communication services, we focus on
> security data defined, on security data transported, and on the
> interpretation of security data by AUTHN/AUTHZ services.
>
>
> So, I propose to criticize following assertions :
>
>
> 1) Grid Users and Certificate Authorities
> -----------------------------------------
> 1.1) Each grid User is authenticated by a legal body (recognized by a
> government).
>
> 1.2) This legal body uses a Certificate Authority to grant a (long
> lived) X509 certificate to the grid User.
>
> 1.3) Each Certificate Authority is itself or is authenticated by a
> self-signed Root Certificate Authority.
>
> 1.4) All such Root Certificate Authorities trust each other and
> cooperate within APGridPMA, EUGridPMA or TAGPMA (Policy Management
> Authorities).
>
> 1.5) These 3 Policy Management Authorities trust each other and
> cooperate within IGTF.
>
> 1.6) IGTF distributes the list of CA Certificates to be trusted.
>
> 1.7) Each grid Site providing grid Services to grid Users MUST install
> this list of CA Certificates and keep it up to date.
>
> 1.8) Using its X509 certificate, each grid User can create at any time
> a (short lived) X509 proxy with permits impersonation / delegation
> during a short period.
>
>
> 2) Virtual Organizations
> -------------------------
> 2.1) A Virtual Organization (VO) groups grid Users with common goals.
> A VO is NOT a legal body, can NOT be a Certificate Authority, and can
> NOT issue X509 certificates.
>
> 2.2) Inside DEISA, a Virtual Community also groups grid Users with
> common goals. The relationships between Virtual Communities and Virtual
> Organizations has to be precised by Morris RIEDEL.
>
> 2.3) Each grid User belongs to 1 ore more VO (Virtual Organization),
> which grants him access rights to grid Storage and Computing Ressources.
I would bery much like to criticize this statement as there will always be some
small user groups or individual users who wouldn't want take care of burden
of setting up a VO.
>
> 2.4) Access rights are granted by VOs to grid Users through either :
> 2.4.1) VOMS extensions of X509 proxies (this makes a VOMS proxy)
> 2.4.2) SAML assertions
>
>
> 3) Grid Services : Information, AUTHN, AUTHZ
> ----------------------------------------------
> 3.1) Each grid Infrastucture provides an Information Service, with
> describes the Infrastructure according the the GLUE2 schema.
>
> 3.2) Each grid User can query this Information Service anonymously in
> order to know which security protocol he has to use to submit requests
> to grid Services.
I disagree with "anonymously". Some infrastructures may rate that information
as confidential.
>
> 3.3) Each grid User can directly access data hosted by grid Storage
> Services. For Authentication, the grid User can present the public part
> of his X509 certificate or X509 proxy. For Authorization, the grid User
> can present :
> 3.3.1) the public part of his VOMS proxy, or
> 3.3.2) a bag of SAML assertions.
I see no reason why only these 2 options should be allowed for authorization decisions.
I do support idea of attribute based authorization. But can't understand why other
information authenticating the client should be disallowed from making authorization
decision.
>
> 3.4) Each grid User can submit Jobs to grid Computing Services. If
> such a Job needs access to data hosted by grid Storage Services, then
> the grid User must provide a delegation token. This delegation token
> can be :
> 3.4.1) a full VOMS proxy, or
> 3.4.2) a bag of SAML assertions.
What is "full ... proxy" ? And why only VOMS? Why can't my users use ordinary proxies?
Or restricted proxies with for example policies embedded (as defined in RFC3820)?
> 4) Consequences for Interoperability
> -------------------------------------
> 4.1) X509 proxies MUST fully comply to RFC 3820.
>
> 4.2) VOMS services, which deliver X509 proxies with VOMS extensions,
> MUST fully comply to RFC 3820.
>
> 4.3) The authentication library used by grid Services MUST fully comply
> to RFC 3820 (for example a recent version of OpenSLL), so that it can
> accept as well X509 certificates as X509 proxies.
>
> 4.4) Each grid Site providing grid Services to grid Users MUST install
> files describing VOMS authorizations and other authorizations, and keep
> them up to date.
What are "files describing ... authorizations"?
>
> 4.5) The semantics of Authorization tokens MUST be the same for all
> grid Infrastructures :
> 4.5.1) VOMS extensions
> 4.5.2) Restriction attributes
>
> 4.6) The Information Service of each grid Infrastructure MUST describe,
> for each grid Service, which Authorization tokens this Service
> understands (potentially several) :
> 4.6.1) VOMS extensions
> 4.6.2) X509 restriction attributes
> 4.6.3) SAML assertions
>
> 4.7) For SAML assertions, the Information Service of each grid
> Infrastructure MUST describe, for each grid Service, how they are
> transported :
> 4.7.1) As attributes of X509 proxies
> 4.7.2) Inside a SOAP header
>
> Unfinished ...
>
>
> Best regards.
>
> ----------------------------------
> Etienne URBAH IN2P3 - LAL
> Bat 200 91898 ORSAY France
> Tel: +33 1 64 46 84 87
> Mob: +33 6 22 30 53 27
> Skype: etienne.urbah
> mailto:urbah at lal.in2p3.fr
> ----------------------------------
>
More information about the Pgi-wg
mailing list