OGSA-WG Basic Profile Session #1 Security

Presentation transcript:

OGSA-WG Basic Profile Session #1 Security
Mar. 14, 2005 (GGF13@Seoul)
Frank Siebenlist, ANL; Takuya Mori, NEC/ANL

Background
- A profile is a document that promotes interoperability of multiple implementations.
- A profile refers to a set of currently available specifications and states how to use them.
- Draft submissions of the Basic Profile 1.0 documents are targeted from Jun. to Dec. '05.
- The security profile is also required to be defined within the same time frame.

Items, Specs and Status (1)
- Communication Channel Security
  - WS-I BSP 1.0 (latest draft: Jan. 20, '05)
  - Transport Layer Security (SOAP/HTTPS, TLS, SSL)
  - SOAP Message Security (WS-Security, XML-Signature, XML-Encryption)
- Authentication
  - X509 Identity Certificate (RFC-3280)
  - Kerberos
  - WS-Trust, WS-SecureConversation (proprietary specs)

Items, Specs and Status (2)
- Delegation
  - X509 Proxy Certificate (RFC-3820): wide industry support is still unclear...
  - WS-Delegation: BoF at GGF13; possible standardization of a Delegation Service?

Items, Specs and Status (3)
- Authorization
  - Use of SAML for OGSA-Authz (draft, OGSA-Authz-WG): SAML 1.1 (Authz Decision)
  - OGSA Authz Attributes (draft, OGSA-Authz-WG): SAML 1.1, X509 Attribute Certificate (RFC-3281)
  - SAML 2.0, XACML 2.0 (just approved as OASIS standards): potential GGF OGSA-Authz adoption

Items, Specs and Status (4)
- Others
  - Firewall: BoF at GGF13
  - VPN RG: BoF at GGF13
  - Trusted Computing: BoF at GGF13
  - Virtual Machines / Isolation / Jailed Environment

Scope
- Candidate items for BP 1.0
  - Communication Channel Security: WS-I BSP 1.0 (SOAP/HTTPS, SSL, TLS, WS-Security, XML-Signature, XML-Encryption...)
  - Authentication: PKI / X509 Identity Certificate
- The remaining items will be discussed for BP 2.0 or later versions of the profile

Schedule
- Draft will be submitted by Jun. '05 (if assertion communication is not a part of BP 1.0)

Profile Contents – Example (1)
- Communication Channel Security
  - The profile mandates the use of transport layer security or message level security for secure transmission of messages.
  - R0801: When establishing an HTTP connection a SENDER MUST use HTTP over TLS as profiled by WS-I BSP 1.0 Section 3 and Section 9.

Profile Contents – Example (2)
- Authentication
  - Consumers and instances SHOULD provide authentication information.
  - To provide interoperability, only X509 Identity Certificate based authentication is permitted by the profile.

Relationship with WS-I BSP 1.0
- Schedule
  - The latest version is the draft dated Jan. 20, '05
  - Originally, the draft was scheduled to be released in May '04
  - No update to their charter
- WS-I BSP 1.0 extension points
  - Some statements will be needed for each of the extension points
- WS-I BSP 1.0 requirements
  - Need to find conflicts with our requirements and relax them if any exist
  - We are now closely looking at the requirements

Outstanding Security Issues for BP 1.0
- Transport and/or message level security: ??MUST/SHOULD??
- Discovery of key-info for encryption in message level security
- Service Group Profile / EPR embedding?
- Use of Proxy-Certificates (PC): standard but not widely adopted outside the Grid community
- Communication of assertions: profiles for common assertions in header or PC

Communication of Assertions
- Communicated assertions: Proxy-certificates, SAML Identity/Attribute Assertions, VOMS/PERMIS ACs, SAML Authz Decision Assertions, XACML Policy Assertions, ???
- Plus we communicate EPRs to Attribute Svcs (Shib) or Authz Svcs (PDPs)
- Inventive ways to communicate: SOAP Headers, Proxy-Certificate embedding

Assertion Communication not all “standardized”
- WS-Security: OASIS profile for SAML
- Proxy-Certificate: IETF RFC
- But...
  - No WS-Security profile for AC/PC/EPR
  - No profile for proxy-certificate embedding of SAML/AC/EPR
- To ensure interoperability, we have to standardize those profiles!!!
- Parties have to know where to put the assertions and where they can find them...
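The three profile rules on these slides (R0801 from Example (1), the X509-only authentication rule from Example (2), and the "parties have to know where to find the assertions" point above) can be turned into a receiver-side conformance check. The code below is an added example written for this page, not code from the OGSA-WG, WS-I or any Globus component. It assumes SOAP 1.1 envelopes, the WS-Security 1.0 namespace and token-type URIs, and SAML 1.x/2.0 assertion namespaces; the two sample envelopes and the certificate bytes inside the BinarySecurityToken are constructed placeholders, and the checker deliberately stops at locating and typing the tokens (no chain validation or signature verification).

```python
"""Constructed conformance checker for the candidate BP 1.0 security rules on
these slides (example code, not OGSA-WG, WS-I or Globus code).
Assumes SOAP 1.1, WS-Security 1.0 and SAML 1.x/2.0 namespaces; sample data is
constructed and the 'certificate' bytes are a placeholder, not real DER."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
X509V3_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-x509-token-profile-1.0#X509v3")
B64_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
# the only header positions where a profile-conformant receiver looks for assertions
SAML_ASSERTION_TAGS = {
    "{urn:oasis:names:tc:SAML:1.0:assertion}Assertion": "SAML1.1",
    "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion": "SAML2.0",
}


def check_r0801(endpoint: str) -> list:
    """R0801: a SENDER establishing an HTTP connection MUST use HTTP over TLS.
    Returns the list of violations (empty when the endpoint URL conforms)."""
    scheme = urlparse(endpoint).scheme.lower()
    if scheme != "https":
        return [f"R0801: {endpoint} is not HTTP over TLS (scheme {scheme!r})"]
    return []


def check_envelope(xml_text: str) -> dict:
    """Authentication and assertion-location rules for one SOAP envelope:
    wsse:Security must carry an X.509v3 BinarySecurityToken (the only permitted
    authentication token) and is the only place assertions are accepted."""
    root = ET.fromstring(xml_text)
    report = {"violations": [], "authn_tokens": [], "assertions": []}
    header = root.find(f"{{{SOAP_NS}}}Header")
    security = None if header is None else header.find(f"{{{WSSE_NS}}}Security")
    if security is None:
        report["violations"].append("no wsse:Security header: nowhere to find authentication information")
    else:
        for child in security:
            if child.tag == f"{{{WSSE_NS}}}BinarySecurityToken":
                if child.get("ValueType") != X509V3_TYPE:
                    report["violations"].append(f"non-X.509 BinarySecurityToken ValueType {child.get('ValueType')!r}")
                elif child.get("EncodingType") != B64_ENCODING:
                    report["violations"].append("X.509 token is not Base64Binary encoded")
                else:
                    try:  # only checks that the token body is well-formed base64
                        base64.b64decode("".join((child.text or "").split()), validate=True)
                        report["authn_tokens"].append("X509v3")
                    except ValueError:
                        report["violations"].append("X.509 token body is not valid base64")
            elif child.tag == f"{{{WSSE_NS}}}UsernameToken":
                report["violations"].append("UsernameToken present: only X509 identity certificate authentication is permitted")
            elif child.tag in SAML_ASSERTION_TAGS:
                report["assertions"].append(SAML_ASSERTION_TAGS[child.tag])
            # other children (ds:Signature, wsu:Timestamp, ...) are outside these rules
    if not report["authn_tokens"]:
        report["violations"].append("no X509 identity certificate token: required authentication information is missing")
    # an assertion placed anywhere else is invisible to a conformant receiver
    in_header = set() if security is None else {id(e) for e in security}
    for elem in root.iter():
        if elem.tag in SAML_ASSERTION_TAGS and id(elem) not in in_header:
            report["violations"].append(f"{SAML_ASSERTION_TAGS[elem.tag]} assertion outside wsse:Security header")
    return report


# constructed placeholder: not a real DER-encoded certificate
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed placeholder certificate bytes").decode()

CONFORMING_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}">
      <wsse:BinarySecurityToken ValueType="{X509V3_TYPE}"
          EncodingType="{B64_ENCODING}">{PLACEHOLDER_CERT_B64}</wsse:BinarySecurityToken>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
          AssertionID="constructed-assertion-1"/>
    </wsse:Security>
  </soap:Header>
  <soap:Body><Ping/></soap:Body>
</soap:Envelope>"""

# constructed: username/password instead of a certificate, assertion buried in the body
NONCONFORMING_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}">
      <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <Ping>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
          AssertionID="constructed-assertion-2"/>
    </Ping>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print("conforming:", check_envelope(CONFORMING_ENVELOPE))
    print("nonconforming:", check_envelope(NONCONFORMING_ENVELOPE))
    print("plain http:", check_r0801("http://example.invalid/ogsa"))
```

The second envelope shows why the slide insists on standardized placement: the SAML assertion is present, but a receiver that only looks in wsse:Security (as a profile would tell it to) never sees it, and the UsernameToken is rejected because the profile admits X509 identity certificates only.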

Attribute Collection Framework

GT Authorization Framework (1)

Standardize Assertion Communication
- WS-Security profile for AC/PC/EPR? Not sure if OASIS would be interested.
- GGF profile for proxy-certificate embedding of SAML/AC/EPR? The Grid community is the only user of PCs (it’s our only way to communicate authz assertions...)
- Need profiles for BP 1.0!

Security for BP 1.0
- Leverage WS-I: gives us 90% of what we need...
- Issues left:
  - Transport and/or message level security: ??MUST/SHOULD??
  - Discovery of key-info for encryption in message level security
  - Service Group Profile / EPR embedding?
  - Use of Proxy-Certificates (PC): standard but not widely adopted outside the Grid community
  - Communication of assertions: profiles for common assertions in header or PC
- Separate Security Basic Profile document?