PAPI 2 Distributed trust model and AA interoperability.

Slide 1: PAPI 2 Distributed trust model and AA interoperability

Slide 2: Elements for the new version
- New platforms
- Convergence with other solutions
- A distributed trust model

Slide 3: New platforms
[Figure: one common PAPI library underneath the PoA implementations for IIS, Apache, Squid and other platforms; the question marks stand for platforms still to be decided.]

Slide 4: A little review
[Figure: message flow of the current model. The browser sends its authentication data to the PAPI AS; the AS redirects it (302 + Hcook) to the GPoA, and the GPoA redirects it (302 + data) to the PoAs under it; GPoA and PoAs each hold an Hcook/Lcook token pair.]

Slide 5: A little review
[Figure: a PoA hierarchy, PoA (university) > departments > servers, all under the same policy.]
Advantages:
- The same policy for the whole hierarchy simplifies management
- There is one aggregator for the whole hierarchy
- It is not necessary to notify about new PoAs
Drawback:
- Children have the same policy as their parent; new access control policies are needed

Slide 6: More functionality for the model
- More information is needed to control access: attributes
- Attributes can be delivered off-line or on-line
- Off-line solution: privacy problem
- On-line solution: an on-line element serving the attributes

Slide 7: Attribute Authority: approximation to the Shibboleth model
[Figure: the web browser sends its authentication data to the Authentication Server and receives encrypted cookies; it reaches the Point of Access through temporary signed URLs and presents its signed URL and encrypted cookie there; the PoA queries the Attribute Authority ("Attributes?") and receives the user's attributes.]

Slide 8: PAPI and Shibboleth models
[Figure: the same diagram as slide 7, with the Shibboleth target-side components (SHIRE, SHAR and the Resource Manager, R.M.) drawn alongside the PoA.]

Slide 9: Interoperability
Starting to define interoperability scenarios: PAPI - Shibboleth.
Interoperability aspects:
- The protocol between the SHAR and the AA is SAML (syntax and semantics), implemented with OpenSAML
- The PoA should be able to handle Shibboleth user handles and interact with WAYF elements
- Trust model

Slide 10: PAPI trust model
Two components:
- Horizontal trust: between ASes and target sites
- Vertical trust: between the PoAs of one organization
Requirements of the model:
- Easy to manage
- Not centralized: no TTP (trusted third party), no dedicated staff to manage it
- Avoid revocations

Slide 11: Trust model
[Figure, reading S_X(Y) as Y signed by X and K_C(Y) as Y encrypted under the key in certificate C:
- C1: Cert PoA1 and C2: Cert PoA2 are the self-signed certificates of two root PoAs
- C3: S_PoA1(Cert PoA3) and C4: S_PoA2(Cert PoA3) are certificates for PoA3 signed by PoA1 and by PoA2 (vertical trust)
- Each AA (AA1, AA2 and AA3, each paired with an AS) holds the root certificates it trusts, e.g. AA1 holds C1 (horizontal trust); each PoA holds the public keys of the AAs
- An attribute request is signed under C3 or C4, S_C3(Attributes?) or S_C4(Attributes?), and the AA answers with the attributes encrypted for that certificate and signed by itself, S_AA(K_C3(Attributes)) or S_AA(K_C4(Attributes))]

Slide 12: Some management examples: new PoA in the fabric
[Figure: PoA3 joins. It sends a sign request carrying its public key to PoA1 and PoA2 and receives S_PoA1(Cert PoA3) together with Cert PoA1, S_PoA2(Cert PoA3) together with Cert PoA2, and the public keys of the AAs. AA1 and AA2 take no part in the exchange.]

Slide 13: Some management examples: new AA in the fabric
[Figure: the new AA receives the root certificate Cert PoA1, and PoA1, PoA2 and PoA3 receive the public key of the new AA. PoA3's own certificate, S_PoA1(Cert PoA3), is unchanged.]

Slide 14: Some management examples: new keys in a trusted PoA
[Figure: PoA1 generates a new key pair. Its new public key must reach the AAs, which hold Cert PoA1, and the certificates it had signed, such as S_PoA1(Cert PoA3), must be re-signed: PoA3 sends a new sign request. Re-signing is needed.]
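The trust model of slides 10 to 14 as a worked example. This is added here and is not part of the presentation or of the PAPI 2 library: it is Go using only the standard library (Ed25519 signatures), with a hypothetical certificate format (Cert), invented names (PoA1, PoA3, PoAX, the user handle h-1234) and a constructed attribute string. It builds the vertical chain (PoA3 enrolled under the self-signed root PoA1), the horizontal trust (an AA that holds only the root key of PoA1), the signed request S_C3(Attributes?) and the AA's signed answer. The K_C3 encryption of the attributes shown on slide 11 is left out; only the signature layer is demonstrated.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert stands in for the slides' PoA certificates (C1..C4); the real PAPI 2 format is not shown.
type Cert struct {
	Subject, Issuer string // the certified PoA and the PoA that signed the cert
	PubKey          ed25519.PublicKey
	Sig             []byte
}

// tbs is what the issuer signs; PubKey is inside, so a verified chain also authenticates keys.
func (c *Cert) tbs() []byte {
	return bytes.Join([][]byte{[]byte(c.Subject), c.PubKey, []byte(c.Issuer)}, []byte{0})
}

// PoA is a point of access; Chain is its own cert first, up to the self-signed root PoA.
type PoA struct {
	Name  string
	Pub   ed25519.PublicKey
	key   ed25519.PrivateKey
	Chain []*Cert
}

func NewPoA(name string) *PoA {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	return &PoA{Name: name, Pub: pk, key: sk}
}

// Issue answers a sign request: p certifies another PoA's public key with its own key.
func (p *PoA) Issue(subject string, pub ed25519.PublicKey) *Cert {
	c := &Cert{Subject: subject, Issuer: p.Name, PubKey: pub}
	c.Sig = ed25519.Sign(p.key, c.tbs())
	return c
}

// SelfSign makes p an organisation root (C1). Enrol is "new PoA in the fabric": the new
// PoA gets its cert from an already trusted PoA plus that PoA's chain; no AA is told.
func (p *PoA) SelfSign() { p.Chain = []*Cert{p.Issue(p.Name, p.Pub)} }
func (p *PoA) Enrol(issuer *PoA) { p.Chain = append([]*Cert{issuer.Issue(p.Name, p.Pub)}, issuer.Chain...) }

// Ask is S_C3(Attributes?): the PoA signs the user handle it is asking about.
func (p *PoA) Ask(handle string) []byte { return ed25519.Sign(p.key, []byte(handle)) }
// AA is an attribute authority. Roots is its horizontal trust: the root PoA key of each
// organisation allowed to query it, which is all a new AA needs to be given (slide 13).
type AA struct {
	Pub   ed25519.PublicKey
	key   ed25519.PrivateKey
	Roots map[string]ed25519.PublicKey
}

func NewAA(roots map[string]ed25519.PublicKey) *AA {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	return &AA{Pub: pk, key: sk, Roots: roots}
}

// verifyChain checks each cert with the next cert's key and the last one with a key from
// Roots. Key length is checked first because ed25519.Verify panics on a malformed key.
func (a *AA) verifyChain(chain []*Cert) error {
	if len(chain) == 0 {
		return errors.New("chain: empty")
	}
	for i, c := range chain {
		signer, ok := a.Roots[c.Subject]
		if i+1 < len(chain) {
			signer, ok = chain[i+1].PubKey, chain[i+1].Subject == c.Issuer
		}
		if !ok || len(signer) != ed25519.PublicKeySize || !ed25519.Verify(signer, c.tbs(), c.Sig) {
			return errors.New("chain: cert for " + c.Subject + " does not lead to a trusted root")
		}
	}
	return nil
}

// Answer verifies the chain and the request signature, then returns attrs (what the AA's own
// store holds for handle; the lookup is not shown) signed by the AA. K_C3 encryption is omitted.
func (a *AA) Answer(chain []*Cert, handle string, reqSig []byte, attrs string) ([]byte, error) {
	if err := a.verifyChain(chain); err != nil {
		return nil, err
	}
	if !ed25519.Verify(chain[0].PubKey, []byte(handle), reqSig) {
		return nil, errors.New("request signature invalid")
	}
	return ed25519.Sign(a.key, []byte(handle+"\x00"+attrs)), nil
}

func main() {
	poa1, poa3 := NewPoA("PoA1"), NewPoA("PoA3")
	poa1.SelfSign()
	poa3.Enrol(poa1)
	aa := NewAA(map[string]ed25519.PublicKey{"PoA1": poa1.Pub}) // trusts PoA1's organisation only
	sig, err := aa.Answer(poa3.Chain, "h-1234", poa3.Ask("h-1234"), "affiliation=staff") // constructed
	fmt.Println(err, ed25519.Verify(aa.Pub, []byte("h-1234\x00affiliation=staff"), sig))
}
```

The management cases of slides 12 to 14 fall out of the data structures: a new PoA only talks to an existing PoA (Enrol), a new AA only needs the root keys, and when PoA1 generates new keys the AA replaces its entry in Roots, after which PoA3's old chain fails verification until PoA3 enrols again under the new PoA1 key, which is the "resign needed" of slide 14. The explicit key-length check in verifyChain is the one caveat a deployment must not skip: ed25519.Verify panics on a public key of the wrong size, so a malformed intermediate certificate sent by an attacker would otherwise crash the AA.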

Slide 15: Current status
- Core library available, built on OpenSSL, libxml and xmlsec
- Implementations running on IIS and Apache
- Ready for interoperability tests with Shibboleth
- Implementing and evaluating the trust model
