22 May 2008 IVOA Trieste: Grid & Web Services 1
Alternate security mechanisms
Matthew J. Graham (Caltech, NVO)
THE US NATIONAL VIRTUAL OBSERVATORY
Security review
• Users don’t care about protocols and standards – they care about a better experience with enhanced privacy and security
• User experience:
  – why is security necessary?
  – Certificates? .globus directories? WTF?
• Developer experience:
  – Buzkashi
• Community interests:
  – Decentralization
OpenID
• Single digital identity for use with any web site or service requiring authentication
• Open, free and decentralized standard
• Well supported
• 120 million OpenIDs (July 2007)
• Microsoft, Google, Yahoo (Jan 2008)
OpenID: how it works
• User registers an OpenID identity (URI or XRI) with an OpenID identity provider
• Relying party (service provider) displays single input box for OpenID identifier
• Relying party converts OpenID identifier to a canonical URL form and obtains identity service provider URL from there
• Relying party and identity provider establish shared secret and then user is redirected to identity provider for authentication
• User is redirected back to the relying party along with credentials. The relying party validates that the credentials originated from the identity provider using the shared secret.
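The last step above is where the shared secret earns its keep. The following is an added example (not from the slides or the NVO prototype) of what the relying party checks on the returned assertion under OpenID 2.0: the HMAC-SHA1 over the signed fields in Key-Value Form, that every required field is actually covered by the signature, and that the response nonce has not been seen before. The field values, `MAC_KEY` and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Fields OpenID 2.0 requires the OP to sign (openid.ns omitted from this sample).
REQUIRED_SIGNED = ["op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"]

def kv_form(params, signed):
    # Key-Value Form: "key:value\n" per field in openid.signed order, prefix stripped.
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)

def compute_sig(params, signed, mac_key):
    # base64(HMAC-SHA1(mac_key, kv_form)); mac_key is the association shared secret.
    mac = hmac.new(mac_key, kv_form(params, signed).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_assertion(params, mac_key):
    # OP side: attach openid.signed and openid.sig to the assertion.
    params["openid.signed"] = ",".join(REQUIRED_SIGNED)
    params["openid.sig"] = compute_sig(params, REQUIRED_SIGNED, mac_key)
    return params

def verify_assertion(params, mac_key, seen_nonces):
    # Relying-party side: accept only what is provably from the OP.
    signed = params.get("openid.signed", "").split(",")
    if not set(REQUIRED_SIGNED).issubset(signed):
        return False  # a required field was left out of the signature
    if any("openid." + k not in params for k in signed):
        return False  # signed list names a field that is absent
    expected = compute_sig(params, signed, mac_key)
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False  # forged or tampered assertion
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return False  # replayed assertion
    seen_nonces.add(nonce)
    return True

# Constructed sample; real values arrive as query parameters on the redirect.
MAC_KEY = b"constructed-association-mac-key"
SAMPLE = sign_assertion({
    "openid.op_endpoint": "https://op.example.org/openid",
    "openid.return_to": "https://rp.example.org/openid/return",
    "openid.response_nonce": "2008-05-22T10:00:00Zabc123",
    "openid.assoc_handle": "assoc-12345",
    "openid.claimed_id": "https://alice.example.org/",
    "openid.identity": "https://alice.example.org/",
}, MAC_KEY)
```

A relying party that has no association (stateless mode) cannot do this locally and must instead send the assertion back to the OP with check_authentication, which is the extra round trip the next slide refers to.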
OpenID: issues
• NVO setting up prototype OpenID identity provider service alongside current SSO setup:
  – use attribute to strengthen
• OpenID has little provision for web services (SOAP or RESTful):
  – requires communication between user and relying party and between user and identity provider
  – checkid_immediate?
  – check_authentication?
OAuth
• An API access delegation protocol
• Well supported
• User grants access to their protected resources to a consumer using tokens generated by a service provider instead of their credentials
• Defines three endpoints:
  – Request token
  – User authentication
  – Access token
OAuth: how it works
OAuth
• All done with HTTP GET/POST and headers
• As with OpenID, requires some level of user interaction: capture credentials or request approval
Summary
• Industry embracing decentralised security mechanisms:
  – “web of trust” vs hierarchical model
• Currently well-suited to web apps involving a browser but not to web services (no user)
• What is the Grid community doing?
  – Shibboleth/GridShib?