Security OGSA-WG Dec. '03 F2F Meeting @ ANL
Takuya Mori, NEC Corporation
Contents

- The specifications in the "OGSA-Sec Roadmap" and status of Working Groups
- OGSA Security Services
- Specifications to be defined
The specifications in the "OGSA-Sec Roadmap" and status of Working Groups
Naming

| # | Name | Related Specifications | New Specification / Profile | WG / RG |
|---|------|------------------------|-----------------------------|---------|
| 1 | Naming | | | |
| 1-1 | OGSA Identity | Subject: X.509 DN (RFC2459), Kerberos Names (RFC1510), ...; Resources: GSH (OGSI) | Should it be a part of OGSI or OGSA? | (OGSI / OGSA) |
| 1-2 | OGSA Target / Action Naming | Targets: Grid Services - GSH (OGSI), SDE - SDE Name (OGSI), Arguments - XPath Expressions (need to be defined); Actions: Grid Services - portType and operation name, SDE - access to SDE (query, update and change notification) | OGSA Authorization Policy Language | OGSA-AuthZ |
| 1-3 | OGSA Attribute and Group Naming | SAML Attribute Assertion, X.509 Attribute Certificate (RFC3281), ... | OGSA Attribute and Authorization Assertion | OGSA-AuthZ |
| 1-4 | Transient Service Identity Acquisition | GSH and GSR (OGSI) | Should it be a part of OGSI or OGSA? | (OGSI / OGSA) |
Translating between Security Realms

| # | Name | Related Specifications | New Specification / Profile | WG / RG |
|---|------|------------------------|-----------------------------|---------|
| 2 | Translating between Security Realms | | | |
| 2-1 | Identity Mapping Services | WS-Federation / WS-Trust | | (Grid Federation) |
| 2-2 | Generic Name Mapping Service | WS-Federation / WS-Trust | | (Grid Federation) |
| 2-3 | Policy Mapping Service | WS-Federation / WS-Trust / WS-Policy | | (Grid Federation) |
| 2-4 | Credential Mapping Service | WS-Federation / WS-Trust | | (Grid Federation) |
Authentication / Session Security / Authorization

| # | Name | Related Specifications | Specification to be defined | WG / RG |
|---|------|------------------------|-----------------------------|---------|
| 3 | Authentication Mechanism Agnostic | | | |
| 3-1 | Certificate Validation Service Specification | XKMS (Authentication Service) | | none |
| 3-2 | OGSA-Kerberos Services | Kerberos (Authentication Service) | | none |
| 4 | Pluggable Session Security | | | |
| 4-1 | GSSAPI-SecureConversation | WS-SecureConversation, WS-Trust (A profile for WS-SecureConversation) | | none |
| 5 | Pluggable Authorization Service | | | |
| 5-1 | OGSA-Authorization Service | SAML (Authorization Decision Authority and Assertion) | OGSA-Authorization Service | OGSA-AuthZ |
Authorization, Trust and Privacy Policy Management

| # | Name | Related Specifications | Specification to be defined | WG / RG |
|---|------|------------------------|-----------------------------|---------|
| 6 | Authorization Policy Management | | | |
| 6-1 | Coarse-grained Authorization Policy Management | WS-Policy (, XACML); it will be based on "Policy and Agreements" discussed in OGSA. | Policy and Agreement (OGSA Authorization Policy Language) | OGSA (OGSA-AuthZ) |
| 6-2 | Fine-grained Authorization Policy Management | WS-Policy (, XACML); it will be based on "Policy and Agreements" discussed in OGSA. | Policy and Agreement (OGSA Authorization Policy Language) | OGSA (OGSA-AuthZ) |
| 7 | Trust Policy Management | | | |
| 7-1 | OGSA Trust Service | WS-Policy, WS-Trust; it will be based on "Policy and Agreements" discussed in OGSA. | | none |
| 8 | Privacy Policy Management | | | |
| 8-1 | Privacy Policy Framework | WS-Policy, WS-Privacy; it will be based on "Policy and Agreements" discussed in OGSA. | | none |
VO Policy Management / Delegation / Firewall "Friendly"

| # | Name | Related Specifications | Specification to be defined | WG / RG |
|---|------|------------------------|-----------------------------|---------|
| 9 | VO Policy Management | | | |
| 9-1 | VO Policy Service | WS-Policy, WS-Agreement; it will be based on "Policy and Agreements" discussed in OGSA. (VO Management is discussed in OGSA) | | OGSA |
| 10 | Delegation | | | |
| 10-1 | Identity Assertion Profile | SAML Attribute Assertion, X.509 Attribute Certificate, ... | OGSA Attribute and Authorization Assertion | OGSA-AuthZ |
| 10-2 | Capability Assertion Profile | SAML Attribute Assertion, X.509 Attribute Certificate, ... | OGSA Attribute and Authorization Assertion | OGSA-AuthZ |
| 11 | Firewall "Friendly" | | | |
| 11-1 | OGSA Firewall Interoperability | WS-Routing, WS-Referral (not sure) | | none |
Security Policy Expression and Exchange / Secure Service Operation / Audit and Secure Logging

| # | Name | Related Specifications | Specification to be defined | WG / RG |
|---|------|------------------------|-----------------------------|---------|
| 12 | Security Policy Expression and Exchange | | | |
| 12-1 | GSR and SDE Security Policy Decoration | WS-Policy (, WS-SecurityPolicy, WS-PolicyAttachment); it may be based on "Policy and Agreements" discussed in OGSA. | OGSA Authorization Policy Language | OGSA-AuthZ |
| 13 | Secure Service Operation | | | |
| 13-1 | Secure Service's Policy and Processing | (not sure about this service) | | |
| 13-2 | Service Data Access Control | (not sure about this service) (OGSA-AuthZ will take care of the access control issue for SDE) | (OGSA Authorization Policy Language) | (OGSA-AuthZ) |
| 14 | Audit and Secure Logging | | | |
| 14-1 | OGSA Audit Service | ("Distributed Logging" discussed in OGSA is related to this service) | | Sub-WG in OGSA |
| 14-2 | OGSA Audit Policy Management | WS-Policy; it will be based on "Policy and Agreements" discussed in OGSA. | | Sub-WG in OGSA |
OGSA Security Services
Goal

(Diagram, two slides: inside a Virtual Organization, Service a sends an application-level service request to Service b; the request involves Delegation, Authentication, Authorization and an Attribute Assertion.)
(Diagram: the OGSA security services landscape. Service a in Real Organization 1 makes a service request to Service b in Real Organization 2, both within a Virtual Organization. Each real organization hosts its own Security Services: Authentication, Attribute, Authorization, Trust, Distributed Logging, Privacy, and Policy and Agreement. VO Management Services: VO Membership Service, VO Policy Service. Federation Services: Identity / Attribute Mapping Service, Policy Mapping Service. Underlying Security Layers: Session Security (based on WS-SecureConversation), Message Security (based on WS-Security), Security Policy (QoP) Exchange & Expression. Also shown: Naming Stuff. Legend: described in OGSA / discussed in OGSA-AuthZ-WG / missing in OGSA or OGSA-AuthZ.)
Authentication

(Diagram, same landscape as above, showing the authentication flow. Components shown with the flow: GS (grid service) in each real organization, Identity Credential, Authentication Service, Trust Service, Session Security (based on WS-SecureConversation).)
(1) service request
(2) request credential validation to get an identity of the requestor
(3) check for the trust relationship
(4) identity mapping
Authorization (1)

(Diagram, same landscape, showing the first authorization flow. Components shown with the flow: Attribute Authority, Policy Authority, Attribute Assertion, GS in each real organization.)
(1) gets an attribute assertion
(2) service request
(3) asks for an authorization decision
(4) attribute and policy mapping
* Decisions are made based on policies and attributes
Authorization (2)

(Diagram, same landscape, showing the second authorization flow. Components shown with the flow: Policy Authority, Attribute Authority, GS in each real organization.)
Prerequisite: the requestor has been identified
(1) ask for an authorization decision
(2) checks for the VO membership and the policy for the requestor
(3) or check for some local attributes
* Decisions are made based on policies and attributes
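A simplified, runnable model of the Authorization (1) flow above: the Trust Service checks whether the assertion's issuer is a trusted attribute authority, the Identity / Attribute Mapping Service converts Real Organization attributes into the VO's namespace, and the Authorization Service decides based on VO policy and the mapped attributes. This is an added illustration, not code from the slides or from any OGSA working group; the service names follow the slides, while the data structures, GSH strings, attribute names and policy rules are constructed assumptions.

```python
# Added illustration (not from the slides): a toy model of the OGSA
# "Authorization (1)" flow. All names and sample data below are constructed.
from dataclasses import dataclass, field


@dataclass
class AttributeAssertion:      # stands in for a SAML attribute assertion
    issuer: str                # Attribute Authority of the real organization
    subject: str               # identity of the requestor (e.g. an X.509 DN)
    attributes: dict = field(default_factory=dict)


# Trust Service: trust policy listing the assertion authorities a party trusts.
TRUSTED_AUTHORITIES = {"AttributeAuthority@RealOrg1"}

# Identity / Attribute Mapping Service: (domain, name, value) -> VO attribute.
ATTRIBUTE_MAP = {("RealOrg1", "group", "physics"): ("VO", "role", "analyst")}

# VO-wide authorization policy (VO Policy Service): rules keyed by target
# (a GSH) and action (portType/operation), giving the required VO attributes.
VO_POLICY = {
    ("gsh://vo.example/ServiceB", "JobPortType/submit"): {("role", "analyst")},
    ("gsh://vo.example/ServiceB", "JobPortType/cancel"): {("role", "admin")},
}


def trust_service_accepts(assertion: AttributeAssertion) -> bool:
    """Trust Service: is the assertion authority trusted by this party?"""
    return assertion.issuer in TRUSTED_AUTHORITIES


def map_attributes(domain: str, attributes: dict) -> set:
    """Mapping Service: translate one domain's attributes into VO attributes."""
    mapped = set()
    for name, value in attributes.items():
        vo_attr = ATTRIBUTE_MAP.get((domain, name, value))
        if vo_attr:
            mapped.add(vo_attr[1:])  # keep (vo_name, vo_value)
    return mapped


def authorization_decision(assertion, domain, target, action) -> str:
    """Authorization Service: decide based on policies and mapped attributes."""
    if not trust_service_accepts(assertion):
        return "Deny"                      # untrusted authority: reject outright
    required = VO_POLICY.get((target, action))
    if required is None:
        return "Deny"                      # no applicable policy: fail closed
    have = map_attributes(domain, assertion.attributes)
    return "Permit" if required <= have else "Deny"
```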
VO Security Services

VO Management Services (referred to in subsection 6.2 of the OGSA document)
- VO Membership Service: manages VO membership (users, resources, authorities, and ...) and issues membership attribute assertions. This means the VO Membership Service is a kind of attribute service.
- VO Policy Service: VO-wide policy service (possible policies include authorization policy, trust policy, and privacy policy).

Federation Services (missing parts in the OGSA document)
- Identity / Attribute Mapping Service: converts identity or attribute assertions of a domain into those of another domain.
- Policy Mapping Service: converts policies of a domain into those of another domain.
Security Services

- Distributed Logging: described in subsection 6.13 of the OGSA document.
- Policy and Agreement: described in subsection 6.16 of the OGSA document.
- Authorization Service: discussed in OGSA-AuthZ-WG, but not in the OGSA document.
Security Services (Contd.)

- Attribute Service: (will be) discussed in OGSA-AuthZ-WG; not described in the OGSA document now. Issues an attribute assertion that is used for various policy decisions.
- Authentication Service (Credential Validation): not described in the OGSA document. Validates a credential and identifies a requestor. Support for PKI and Kerberos is mandatory.
- Privacy Service: not described in the OGSA document. Manages privacy policy on both ends; it can be used to declare privacy information usage and to request preferences for privacy information handling.
- Trust Service: not described in the OGSA document. Manages trust policy (whether or not a party trusts an assertion authority) and makes decisions based on these policies.
What's Next

- Find out whether the services listed in these slides are enough or not
- Start describing security services in the OGSA document
- Prioritize specifications and activate OGSA-SEC-WG to start discussion

Prioritizing example:

| Priority | Services |
|----------|----------|
| High | VO Management, Authentication, Policy and Agreements |
| Middle | Federation Services, Trust |
| Low | Privacy |
Specifications to be defined
Fundamental Specifications

| Name | Related Specifications | Relation to the proposed specs. | WG / RG |
|------|------------------------|---------------------------------|---------|
| OGSI or OGSA (Identity, Identity Acquisition Stuff) | Subject: X.509 DN (RFC2459), Kerberos Names (RFC1510), ...; Resources: GSH (OGSI), GSH and GSR (OGSI) | 1-1, 1-4 | OGSI / OGSA |
| Message / Session Security (a part of OGSI?) | WS-Security / WS-SecureConversation / WS-Trust; XML-DSig, XML-Enc, GSSAPI | 4-1 | (OGSI) |
| VO Management (a part of OGSA?) | WS-Policy, WS-Agreement; it will be based on "Policy and Agreements" discussed in OGSA. | 9-1 | OGSA |
| OGSA Audit Service (or Distributed Logging Service) | ("Distributed Logging" discussed in OGSA is related to this service) | 14-1, 14-2 | (OGSA) |
Authentication

| Name | Related Specifications | Relation to the proposed specs. | WG / RG |
|------|------------------------|---------------------------------|---------|
| OGSA Authentication (Credential Validation) | XKMS, Kerberos | 3-1, 3-2 | none |
OGSA-AuthZ Specifications

| Name | Related Specifications | Relation to the proposed specs. | WG / RG |
|------|------------------------|---------------------------------|---------|
| OGSA Authorization Service | SAML (Authorization Decision Authority and Assertion) | 5-1 | OGSA-AuthZ |
| OGSA Attribute and Authorization Assertion | SAML Attribute Assertion, X.509 Attribute Certificate (RFC3281), ... | 1-3, 10-1, 10-2 | OGSA-AuthZ |
| OGSA Authorization Policy Language | Target: Grid Services - GSH (OGSI), SDE - SDE Name (OGSI), Arguments - XPath Expressions (need to be defined); Action: Grid Services - portType and operation name, SDE - access to SDE (query, update and change notification) | 1-2, 6-1, 6-2, 12-1, (13-2) | OGSA-AuthZ |
Federation Services

| Name | Related Specifications | Relation to the proposed specs. | WG / RG |
|------|------------------------|---------------------------------|---------|
| Identity / Attribute Mapping Service | WS-Federation / WS-Trust; SAML | 2-1, 2-2, 2-4 | (Grid Federation) |
| Policy Mapping Service | WS-Federation / WS-Trust / WS-Policy | 2-3, 2-4 | (Grid Federation) |
Others (will be discussed in the future?)

| Name | Related Specifications | Relation to the proposed specs. | WG / RG |
|------|------------------------|---------------------------------|---------|
| OGSA Trust Service | WS-Policy, WS-Trust; it will be based on "Policy and Agreements" discussed in OGSA. | 7-1 | none |
| OGSA Privacy Service | WS-Policy, WS-Privacy; it will be based on "Policy and Agreements" discussed in OGSA. | 8-1 | none |
| OGSA Firewall Interoperability | WS-Routing, WS-Referral | 11-1 | none |
| Secure Service's Policy and Processing | (not sure about this service) | 13-1 | none |