
22 May 2008, IVOA Trieste: Grid & Web Services (slide 1)

Alternate security mechanisms

Matthew J. Graham (Caltech, NVO)

THE US NATIONAL VIRTUAL OBSERVATORY

Security review

• Users don’t care about protocols and standards – they care about better experience with enhanced privacy and security

• User experience:
  – Why is security necessary?
  – Certificates? .globus directories? WTF?

• Developer experience:
  – Buzkashi

• Community interests:
  – Decentralization


OpenID

• Single digital identity for use with any web site or service requiring authentication

• Open, free and decentralized standard

• Well supported

• 120 million OpenIDs (July 2007)

• Microsoft, Google, Yahoo (Jan 2008)


OpenID: how it works

• User registers an OpenID identity (URI or XRI) with an OpenID identity provider

• Relying party (service provider) displays single input box for OpenID identifier

• Relying party normalizes the OpenID identifier to a canonical URL form and discovers the identity provider's endpoint URL from it

• Relying party and identity provider establish shared secret and then user is redirected to identity provider for authentication

• User is redirected back to relying party along with credentials. Relying party validates that the credentials originated from the identity provider using the shared secret.
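The last two steps in code, as an added example that is not part of the original slides: an identity provider signs the positive assertion with the association's MAC key (the shared secret), and the relying party recomputes the HMAC over the OpenID 2.0 key-value form of the signed fields to check that the credentials really came from the provider. The association handle, key, URLs and nonce are constructed placeholders.

```python
import base64, hashlib, hmac, secrets

# Constructed association: relying party and identity provider agree on this MAC
# key (the shared secret) before the user is redirected. Hypothetical values.
ASSOC_HANDLE = "assoc-example-0001"
MAC_KEY = secrets.token_bytes(32)          # HMAC-SHA256 association key
ASSOCIATIONS = {ASSOC_HANDLE: MAC_KEY}     # relying party's association store

def kv_form(params, signed_fields):
    """OpenID 2.0 key-value form: 'field:value\\n' per field, in openid.signed order."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode()

def sign_response(params, mac_key):
    """Identity provider side: sign the positive assertion with the association key."""
    fields = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, fields), hashlib.sha256).digest()
    return {**params, "openid.sig": base64.b64encode(mac).decode("ascii")}

def verify_response(params, associations):
    """Relying party side: recompute the MAC from the shared secret, compare in constant time."""
    mac_key = associations.get(params.get("openid.assoc_handle"))
    if mac_key is None:
        return False  # unknown handle: a real RP would fall back to check_authentication
    fields = params.get("openid.signed", "").split(",")
    # Every field the relying party acts on must be covered by the signature.
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    if not required.issubset(fields):
        return False
    try:
        expected = hmac.new(mac_key, kv_form(params, fields), hashlib.sha256).digest()
        got = base64.b64decode(params["openid.sig"], validate=True)
    except (KeyError, ValueError):
        return False  # signed field missing from the response, or malformed signature
    return hmac.compare_digest(expected, got)

def demo():
    # Constructed positive assertion as redirected back to the relying party.
    assertion = {
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
        "openid.op_endpoint": "https://idp.example.org/openid",
        "openid.claimed_id": "https://idp.example.org/user/alice",
        "openid.identity": "https://idp.example.org/user/alice",
        "openid.return_to": "https://rp.example.org/login/return",
        "openid.response_nonce": "2008-05-22T10:00:00Zabc123",
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    signed = sign_response(assertion, MAC_KEY)
    tampered = {**signed, "openid.identity": "https://idp.example.org/user/bob"}
    return verify_response(signed, ASSOCIATIONS), verify_response(tampered, ASSOCIATIONS)
```

A genuine assertion verifies and one whose identity was altered in transit does not, which is the whole point of the shared secret the previous bullet describes.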


OpenID: issues

• NVO setting up prototype OpenID identity provider service alongside current SSO setup:
  – use attribute to strengthen

• OpenID has little provision for web services (SOAP or RESTful):
  – requires communication between user and relying party and between user and identity provider
  – checkid_immediate?
  – check_authentication?


OAuth

• An API access delegation protocol

• Well supported

• User grants access to their protected resources to a consumer using tokens generated by a service provider instead of their credentials

• Defines three endpoints:
  – Request token
  – User authentication
  – Access token


OAuth: how it works


OAuth

• All done with HTTP GET/POST and headers

• As with OpenID, requires some level of user interaction: capture credentials or request approval


Summary

• Industry embracing decentralised security mechanisms:
  – “web of trust” vs hierarchical model

• Currently well-suited to web apps involving a browser but not to web services (no user)

• What is the Grid community doing?
  – Shibboleth/GridShib?
