Presentation is loading. Please wait.

Presentation is loading. Please wait.

AuthZ WG Conceptual Grid Authorization Framework document Presentation of Chapter 2 GGF8 Seattle June 25th 2003 Document AID 222 draft-ggf-authz-framework-20030606.pdf.

Published byGiles Porter Modified over 8 years ago

Similar presentations

Presentation on theme: "AuthZ WG Conceptual Grid Authorization Framework document Presentation of Chapter 2 GGF8 Seattle June 25th 2003 Document AID 222 draft-ggf-authz-framework-20030606.pdf."— Presentation transcript:

1 AuthZ WG Conceptual Grid Authorization Framework document Presentation of Chapter 2 GGF8 Seattle June 25th 2003 Document AID 222 draft-ggf-authz-framework-20030606.pdf Leon Gommans University of Amsterdam

2 Chapter 2: Authorization framework concepts Foundation of chapters 2 & 3 are RFC 2903, RFC 2904 and ISO/IEC 10181-3 Term authorization may point at: Decide to issue a right The possession or a reference to a right The verification of a right. Within Grid context we recognize 3 basic entities which have (trust) relationships: Subject Resource Authority GGF 8 - 06/25/03 - AuthZ WG / L.Gommans Typical trust Relationships

3 Chapter 2: Authorization framework concepts Foundation of chapters 2 & 3 are RFC 2903, RFC 2904 and ISO/IEC 10181-3 Term authorization may point at: Decide to issue a right The possession or a reference to a right The verification of a right. Within Grid context we recognize 3 basic entities which have (trust) relationships: Subject Resource Authority GGF 8 - 06/25/03 - AuthZ WG / L.Gommans Typical trust Relationships

4 Subject: Any entity with a certain identity that can request, receive, own, transfer, present or delegate an electronic authorization as to exercise a certain right. Informally, a subject is any user of a service or resource. The subject may be identified as an individual user or as a member of a group of users. A user may also be a process that acts on behalf of a user and as such assumes some delegated form of identity. The subject may define a set of policies that determine how its authorization is used. GGF 8 - 06/25/03 - AuthZ WG / L.Gommans

5 Resource: A component of the system that provides or hosts services and enforces access to these services based on a set of rules and policies defined by entities that are authoritative for the particular resource. Typically in Grid environments a resource is a computer providing compute cycles or data storage through a set of services it offers. GGF 8 - 06/25/03 - AuthZ WG / L.Gommans

6 Authority: An administrative entity that is capable of and authoritative for issuing, validating and revoking an electronic means of proof such that the subject and/or owner of the issued electronic means is authorized to exercise a certain right or assert a certain attribute. Right(s) may be implicitly or explicitly present in the electronic proof. A set of policies may determine how authorizations are issued, verified, etc. based on the contractual relationships the Authority has established. GGF 8 - 06/25/03 - AuthZ WG / L.Gommans

7 Different Authority types: Commonly used authority types for authorization are: Attribute Authority Policy Authority Certification Authority (CA) may be used to make an Authorization (certificate) authentic. GGF 8 - 06/25/03 - AuthZ WG / L.Gommans

8 Authorization is frequently split into three distinct processes: 1) Definition: a person or organization defining an authorization policy at high-level. 2) Implementation of the high level policy into a certain executable form 3) Evaluation of the executable policy by a process which subsequently decides to issue a specific authorization to a subject or take a specific action. The component performing the latter step of computing an authorization decision on behalf of the authorities is sometimes referred to as an Authorization Server. GGF 8 - 06/25/03 - AuthZ WG / L.Gommans

9 Evaluation sequences according to RFC2904 in new terms Resource Authority Subject Resource Authority Subject Resource Authority Subject 1 1 1 22 2 3 33 4 4 4 Pull modelAgent modelPush model

10 Domain Considerations In authorization scenarios there are at least two administrative domains GGF 8 - 06/25/03 - AuthZ WG / L.Gommans Resource Authority Subject Home domainService domain

11 Contractual & Trust Relationships One must recognize and understand the involved contractual relationships and map the trust relationships to fully understand the sequences. GGF 8 - 06/25/03 - AuthZ WG / L.Gommans Resource Authority Subject Home domainService domain Contractual relationship Trust relationship

12 Contractual & Trust Relationships One must recognize and understand the involved contractual relationships and map the trust relationships to fully understand the sequences. GGF 8 - 06/25/03 - AuthZ WG / L.Gommans Resource Authority Subject Home domainService domain Contractual relationship Trust relationship

13 Thank you ! lgommans@science.uva.nl

Download ppt "AuthZ WG Conceptual Grid Authorization Framework document Presentation of Chapter 2 GGF8 Seattle June 25th 2003 Document AID 222 draft-ggf-authz-framework-20030606.pdf."

Similar presentations

GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
A Unified Approach to Trust, Delegation, and Authorization Blair Dillaway, Greg Fee Microsoft Corporation Presented at GGF18 Copyright © 2006, Microsoft.

A Unified Approach to Trust, Delegation, and Authorization Blair Dillaway, Greg Fee Microsoft Corporation Presented at GGF18 Copyright © 2006, Microsoft.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.

Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
Functional component terminology - thoughts C. Tilton.

Functional component terminology - thoughts C. Tilton.
A responsibility based model EDG CA Managers Meeting June 13, 2003.

A responsibility based model EDG CA Managers Meeting June 13, 2003.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Access Control Methodologies

Access Control Methodologies
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
1 ARPA A regional infrastructure for secure role-based access to RTRT services Ing. Laura Castellani Tuscany Region.

1 ARPA A regional infrastructure for secure role-based access to RTRT services Ing. Laura Castellani Tuscany Region.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.

Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Generic AAA based provisioning Of Network Elements Status update EVL 9/10/03 Leon Gommans University of Amsterdam.

Generic AAA based provisioning Of Network Elements Status update EVL 9/10/03 Leon Gommans University of Amsterdam.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Intra-ASEAN Secure Transactions Framework Project Progress Report

Intra-ASEAN Secure Transactions Framework Project Progress Report
Distributed Computer Security 8.2 Discretionary Access Control Models - Liang Zhao.

Distributed Computer Security 8.2 Discretionary Access Control Models - Liang Zhao.
Lecture 7 Access Control

Lecture 7 Access Control

Similar presentations

Ads by Google