Client Registration Examples. Alan Frindell, Denis Pochuev. 4/26/2011.


Slide 1: Client Registration Examples
Alan Frindell, Denis Pochuev
4/26/2011

Slide 2: Summary of updates since Feb F2F
- Complex structures scrapped for simpler ones with better v1.0 compatibility
- More discretion left to server implementers
- Credential is now a "first class" Attribute in addition to a base object
    - Facilitates Credential updates with minimal spec angst
- Minor updates based on F2F feedback

Slide 3: Certificate Entity: Implicit self-registration
- Server implicitly creates the Entity record as a side effect of another KMIP request
- No special TTLV required: the KMIP server extracts the needed values from the TLS client certificate
- Client MAY already have a cert signed by a CA trusted by the KMIP server
- Resulting Object:
    Entity
      UUID: ABCD-1234
      Credential
        Credential Type: Transport Certificate
        Credential Value:
          Certificate
            Certificate Type: X.509
            Certificate Value:

Slide 4: Certificate Entity: Explicit self-registration
    Register
      Object Type = Entity
      Template-Attribute
        Credential
          Credential Type: Transport Certificate
          Credential Value:
        x-custom1: custom-value1
        x-custom2: custom-value2
      Entity:
- Certificate fields extracted from TLS

Slide 5: Certificate Entity: Registration
    Register
      Object Type = Entity
      Template-Attribute
        Credential
          Credential Type: Transport Certificate
          Credential Value:
            Certificate:
        x-custom1: custom-value1
        x-custom2: custom-value2
      Entity:
- Assumption: the registering Entity has the privilege to register Entities

Slide 6: Certificate Entity: Authentication and Access Control
    Authentication
      Credential
        Credential Type: Transport Certificate
        Credential Value:
- Server looks up the Entity based on the TLS certificate information
    - Server policy: may be a dynamic mapping or an exact match
- For access control, the server checks the authenticated Entity UUID against the request object's Owner attribute

Slide 7: Username/Password User: Registration
    Register
      Object Type = Entity
      Template-Attribute
        Credential
          Credential Type: Username and Password
          Credential Value:
            Username: "user1"
            Password: "password"
        x-custom1: custom-value1
        x-custom2: custom-value2
      Entity:

Slide 8: Username/Password User: Authentication and Access Control
- Same as v1.0
    Authentication
      Credential
        Credential Type: Username and Password
        Credential Value:
          Username: "user1"
          Password: "password"
- Server looks up the Entity based on the Credential (username)
- For access control, the server checks the authenticated Entity UUID against the request object's Owner attribute
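Slide 8 notes that the Username and Password credential is unchanged from KMIP v1.0, so its wire form is already fixed. The Python below is an added example, not code from the slides or the KMIP TC: it encodes that Credential structure in KMIP's TTLV (Tag, Type, Length, Value) format and decodes it back. The tag and enumeration values are the published KMIP 1.0 ones; the encoder deliberately supports only the three item types this structure needs, and the sample username and password are the slide's own values.

```python
import struct

# KMIP 1.0 tags (3 bytes on the wire) for the Credential structure (added example)
TAG_CREDENTIAL = 0x420023
TAG_CREDENTIAL_TYPE = 0x420024
TAG_CREDENTIAL_VALUE = 0x420025
TAG_USERNAME = 0x420099
TAG_PASSWORD = 0x4200A1

# KMIP item types (1 byte) used here, and the Credential Type enumeration value
TYPE_STRUCTURE, TYPE_ENUMERATION, TYPE_TEXT_STRING = 0x01, 0x05, 0x07
ENUM_USERNAME_AND_PASSWORD = 0x00000001


def _ttlv(tag, item_type, value):
    """Tag (3) | Type (1) | Length (4, of the unpadded value) | Value, padded to a multiple of 8."""
    pad = (-len(value)) % 8
    return (struct.pack(">I", tag)[1:] + bytes([item_type])
            + struct.pack(">I", len(value)) + value + b"\x00" * pad)


def enumeration(tag, value):
    # Enumerations are 4-byte big-endian values; _ttlv pads them to 8 bytes
    return _ttlv(tag, TYPE_ENUMERATION, struct.pack(">I", value))


def text_string(tag, text):
    return _ttlv(tag, TYPE_TEXT_STRING, text.encode("utf-8"))


def structure(tag, *items):
    return _ttlv(tag, TYPE_STRUCTURE, b"".join(items))


def username_password_credential(username, password):
    """The Credential structure from the slide's Authentication header."""
    return structure(
        TAG_CREDENTIAL,
        enumeration(TAG_CREDENTIAL_TYPE, ENUM_USERNAME_AND_PASSWORD),
        structure(TAG_CREDENTIAL_VALUE,
                  text_string(TAG_USERNAME, username),
                  text_string(TAG_PASSWORD, password)),
    )


def decode(buf, offset=0):
    """Parse one TTLV item starting at offset; structures recurse.

    Returns (tag, item_type, value, offset_of_next_item). Structure values are
    lists of (tag, item_type, value) triples."""
    tag = int.from_bytes(buf[offset:offset + 3], "big")
    item_type = buf[offset + 3]
    length = struct.unpack(">I", buf[offset + 4:offset + 8])[0]
    raw = buf[offset + 8:offset + 8 + length]
    next_offset = offset + 8 + length + ((-length) % 8)   # skip the padding too
    if item_type == TYPE_STRUCTURE:
        items, pos = [], 0
        while pos < len(raw):
            t, ty, v, pos = decode(raw, pos)
            items.append((t, ty, v))
        value = items
    elif item_type == TYPE_ENUMERATION:
        value = struct.unpack(">I", raw)[0]
    elif item_type == TYPE_TEXT_STRING:
        value = raw.decode("utf-8")
    else:
        value = raw   # other KMIP types are out of scope for this example
    return tag, item_type, value, next_offset


if __name__ == "__main__":
    encoded = username_password_credential("user1", "password")
    print(encoded.hex())
    print(decode(encoded))
```

The Password travels as a plain Text String inside the TTLV; KMIP relies on the TLS session for its confidentiality, which is why every example on these slides assumes a TLS transport.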

Slide 9: Multi-factor Entity: Registration
    Register
      Object Type = Entity
      Template-Attribute
        Credential
          Credential Type: Transport Certificate
          Credential Value:
            Certificate:
        Credential
          Credential Type: Username and Password
          Credential Value:
            Username: "user1"
            Password: "password"
        x-custom1: custom-value1
        x-custom2: custom-value2
      Entity:

Slide 10: Multi-factor Entity: Authentication
    Authentication
      Credential
        Credential Type: Transport Certificate
        Credential Value:
      Credential
        Credential Type: Username and Password
        Credential Value:
          Username: "user1"
          Password: "password"
- Server looks up the Entity based on each Credential; all of them must resolve to the same Entity
- For access control, the server checks the authenticated Entity UUID against the request object's Owner attribute

Slide 11: Locate Entity
- Find all Entities with Transport Certificate Credentials:
    Locate
      Credential
        Credential Type: Transport Certificate
- Find an Entity by its transport certificate:
    Locate
      Credential
        Credential Type: Transport Certificate
        Credential Value:
          Certificate:
- Find yourself:
    Locate
      Entity Identifier = Self

Slide 12: Credential Refresh
    Modify Attribute
      Attribute: "Credential"
      Attribute Index: N
      Attribute Value:
        Credential Type: Transport Certificate
        Credential Value:
          Certificate:

    Modify Attribute
      Attribute: "Credential"
      Attribute Index: N
      Attribute Value:
        Credential Type: Username and Password
        Credential Value:
          Username: "user1"
          Password: "new-password"

Slide 13: Other operations
- Get Entity Info
    Locate
      Entity Identifier = Self
    Get Attributes
      Attribute Name: "Credential"
    - Server is not allowed to return Password values in the Username and Password structure
- Destroy Entity
    Destroy
      UUID: "ABCD-1234"
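The registration, authentication, access-control, refresh and Get Attributes rules from slides 6, 8, 10, 12 and 13 can be read as one small server-side state machine. The Python below is an added example, not slide or KMIP TC code, that models those rules: Register stores each Credential under its own Attribute Index, Authentication requires every presented Credential to resolve to the same Entity, access control compares the authenticated Entity UUID with the object's Owner attribute, Modify Attribute refreshes one Credential by index, and Get Attributes returns Credentials without any password material. Storing passwords as salted PBKDF2 hashes, identifying a Transport Certificate by its DER bytes (the exact-match policy of slide 6), and the constructed certificate bytes are assumptions of this example, not slide content.

```python
import hashlib
import hmac
import os
import uuid
from dataclasses import dataclass, field

# Credential Type names as used on the slides (added example; storage layout is an assumption)
TRANSPORT_CERT = "Transport Certificate"
USER_PASS = "Username and Password"


@dataclass
class Credential:
    credential_type: str
    credential_value: dict   # {"Certificate": der_bytes} or {"Username": ..., "Password": ...}


@dataclass
class Entity:
    uuid: str
    credentials: list = field(default_factory=list)  # one Credential per Attribute Index
    custom: dict = field(default_factory=dict)       # x-custom* attributes from the Template-Attribute


class AuthError(Exception):
    pass


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Server:
    def __init__(self):
        self.entities = {}   # Entity UUID -> Entity
        self.objects = {}    # managed object UUID -> attributes, including "Owner"

    def _store(self, cred):
        # Passwords are kept only as salt + PBKDF2 hash, so Get Attributes can never leak them.
        if cred.credential_type == USER_PASS:
            salt = os.urandom(16)
            return Credential(USER_PASS, {"Username": cred.credential_value["Username"], "Salt": salt,
                                          "Hash": _pw_hash(cred.credential_value["Password"], salt)})
        return cred

    def register_entity(self, credentials, custom=None):
        """Register, Object Type = Entity (slides 4, 5, 7, 9)."""
        ent = Entity(str(uuid.uuid4()), [self._store(c) for c in credentials], dict(custom or {}))
        self.entities[ent.uuid] = ent
        return ent.uuid

    def _resolve(self, cred):
        """Map one presented Credential to the single Entity it identifies, or raise."""
        for ent in self.entities.values():
            for stored in ent.credentials:
                if stored.credential_type != cred.credential_type:
                    continue
                if cred.credential_type == TRANSPORT_CERT:
                    # exact-match policy on the certificate bytes; a dynamic mapping is the alternative
                    if stored.credential_value["Certificate"] == cred.credential_value["Certificate"]:
                        return ent.uuid
                elif stored.credential_value["Username"] == cred.credential_value["Username"]:
                    presented = _pw_hash(cred.credential_value["Password"], stored.credential_value["Salt"])
                    if hmac.compare_digest(presented, stored.credential_value["Hash"]):
                        return ent.uuid
                    raise AuthError("wrong password")
        raise AuthError("no Entity for credential")

    def authenticate(self, credentials):
        """Authentication (slides 6, 8, 10): every Credential must resolve to the same Entity."""
        if not credentials:
            raise AuthError("no credentials presented")
        resolved = {self._resolve(c) for c in credentials}
        if len(resolved) != 1:
            raise AuthError("credentials resolve to different Entities")
        return resolved.pop()

    def check_access(self, entity_uuid, object_uuid):
        """Access control: authenticated Entity UUID against the object's Owner attribute."""
        return self.objects[object_uuid].get("Owner") == entity_uuid

    def modify_credential(self, entity_uuid, index, new_cred):
        """Credential Refresh (slide 12): Modify Attribute "Credential" at Attribute Index N."""
        creds = self.entities[entity_uuid].credentials
        if not 0 <= index < len(creds):
            raise IndexError("no Credential at that Attribute Index")
        if creds[index].credential_type != new_cred.credential_type:
            raise ValueError("Credential Type at that index does not match")
        creds[index] = self._store(new_cred)

    def get_credential_attributes(self, entity_uuid):
        """Get Attributes "Credential" (slide 13): Password material is never returned."""
        out = []
        for c in self.entities[entity_uuid].credentials:
            value = ({"Username": c.credential_value["Username"]} if c.credential_type == USER_PASS
                     else dict(c.credential_value))
            out.append({"Credential Type": c.credential_type, "Credential Value": value})
        return out


def try_authenticate(server, credentials):
    """Return the Entity UUID, or None if the server rejects the credentials."""
    try:
        return server.authenticate(credentials)
    except AuthError:
        return None
```

The multi-factor check is the part worth reading closely: `_resolve` is run per Credential and the results are collected into a set, so a valid certificate belonging to one Entity combined with a valid username/password belonging to another is rejected rather than silently picking one of them.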

