
Generic AAA model in Grids. IRTF - AAAARCH meeting, IETF 52, Dec 14th, Salt Lake City. Leon Gommans, Advanced Internet Research Group.


1 Generic AAA model in Grids
IRTF - AAAARCH meeting, IETF 52, Dec 14th, Salt Lake City
Leon Gommans, lgommans@science.uva.nl
Advanced Internet Research Group, Informatics Institute, University of Amsterdam

2 Goal
- Show authorization framework concepts of RFC2904 applied to the Grid (at FL300)
- Show current implementation based on Globus Security Infrastructure (www.globus.org)
- Show possible future authorization concepts.

3 Grids
Allow individuals / institutes in science or industry to form virtual organizations so as to pool resources (computers, networks, data) and pursue a common goal.
Current GRID Security Infrastructure (GSI):
- Allows access to multi-domain resources with a single sign-on
- Allows organizations to remain in control of their resources
- GSS-API / TLS based
More details: http://www.globus.org/documentation/incoming/butler.pdf

4 Use of X509 Certificates and Proxy Certificates to *:
- Remote login and access control for "standard" services.
- Client/server and server/client authentication.
- Authenticated and encrypted messages via GSS.
- Authenticated and encrypted streams via SSL and TLS.
- Authenticated and encrypted Web server access via https
- Impersonate and establish (a chain of) delegation.
*) Ref: http://archive.ncsa.uiuc.edu/General/GridForum/SWG/taxonomy.html and draft-ietf-pkix-proxy-01.txt

5 RFC 2904 Roaming Push Model and trust relationships
[Diagram. Labels: User, User Home Org, Service Provider, AAA, User Admin, Service Admin. Messages: Authorization Request, Token, Service Request + Token, Service Ack. Two links marked "Trust Relationship".]

6 Globus GRID Model
User authorizes impersonation to enable single sign-on access to grid resources.
[Diagram. Labels: User, Grid RA/CA, Grid Resources, AAA, CRL, End Entity Private key, Proxy Private key, Registration Request + Unsigned Certificate, Certificate (SN = John, Issuer = CA), Unsigned Impersonation Certificate, Certificate (SN = “” or ?, Altname = John / Proxy, Issuer = John), Logon sequence.]
Note: Push sequence is reversed. Hybrid push/pull?

7 Globus GRID Model
- Users need to be authorized by service for access
- Users need to register with service to enable services
[Diagram. Labels: User, Grid RA/CA, Grid Resources, AAA, CA Cert Request, CA Cert, Service Subscription process (offline), List of subjects and their authorizations (gridmapfile) (offline), with entries John and Sue.]

8 RFC2904 Distributed Services Model
[Diagram. Labels: User, Gatekeeper (Proxy), Service Domain A, Service Domain B, Resource 1, Resource 2, AAA, CA('s), CRL, John's Credentials, John Proxy Credentials, List of global subjects and their authorizations, with entries John, Sue and Dave.]

9 “Industrializing” the Grid
- Allow commercial organizations to collaborate in an easy to use, secure and reliable fashion
  - interoperability, confidentiality, privacy, availability, integrity etc.
- Ad hoc usage of available Grid resources needs to be converted into units that can be settled, as subscribed services do not scale.
  - resource usage, storage, digital rights etc.
- Grid resources need procurement, with the user in the driving seat.
  - user authorizes usage up to a certain limit.

10 Workflow
- Create relationship with home organization that can authorize a usage limit.
- Create relationship with organization that represents a community and authorizes access to and usage of resources belonging to a Virtual Organization based on authorized usage limit.
- Use resources based on authorization from Virtual Organization

11 Roaming authorization: Push Model as one of many options
[Diagram. Labels: User, User Home Org, Community Org, Grid Service Provider, Grid Services, Home Authorization, Community Authorization, User Authorization.]
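The workflow on slide 10 carried through the push model of slide 11, as an added example that is not from the presentation or from Globus. Each HMAC key stands in for one trust relationship; the token format, key names and function names are assumptions, and token expiry and replay protection are left out.

```python
import hashlib
import hmac
import json

# Constructed keys: each stands for one trust relationship from the slides.
HOME_COMMUNITY_KEY = b"constructed-home-community-key"
COMMUNITY_SERVICE_KEY = b"constructed-community-service-key"


def issue(key, claims):
    """Return a token: canonical JSON claims plus an HMAC-SHA256 tag."""
    body = json.dumps(claims, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(key, token):
    """Return the claims if the tag checks out, else None."""
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return None
    return json.loads(token["body"])


def home_authorize(user, limit):
    """Step 1: the home organization authorizes a usage limit."""
    return issue(HOME_COMMUNITY_KEY, {"user": user, "limit": limit})


def community_authorize(home_token, vo, resource):
    """Step 2: the community org checks the home token, then authorizes
    access to a Virtual Organization resource within that limit."""
    claims = verify(HOME_COMMUNITY_KEY, home_token)
    if claims is None:
        return None
    return issue(COMMUNITY_SERVICE_KEY,
                 {"user": claims["user"], "vo": vo,
                  "resource": resource, "limit": claims["limit"]})


def service_request(token, resource, units, used=0):
    """Step 3: the service provider acks only a request whose pushed token
    verifies, names this resource, and stays within the limit."""
    claims = verify(COMMUNITY_SERVICE_KEY, token)
    if claims is None or claims["resource"] != resource:
        return False
    return used + units <= claims["limit"]
```

The service provider never contacts the home organization; it relies only on the token pushed with the request and on the key it shares with the community organization.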

12 Thank you
More info:
- draft-ietf-pkix-proxy-01.txt
- www.globus.org
- www.ggf.org
- www.aaaarch.org
