A Modest Proposal for an Assertion Validation Service Bob Cowles (SLAC/OSG) 28-Mar-2007 thanks to discussions with Frank Siebenlist, Rachana Ananthakrishnan.

Presentation transcript:

Slide 1/7: A Modest Proposal for an Assertion Validation Service
Bob Cowles (SLAC/OSG), 28-Mar-2007
Thanks to discussions with Frank Siebenlist and Rachana Ananthakrishnan (ANL) and Mike Helm (ESnet).

Slide 2/7 (ISGC 2007, 28-Mar-2007): The Problem
- PKI credential validation is very complex
- Application developers are tempted to take shortcuts
- Testing for success, not for failure
- Locked into PKI credentials by application code

Slide 3/7: Credential < Assertion
- Similar problems exist in the authorization space
  – How to distribute trust roots to all points (every relying party needs to know the certificate associated with the VOMS server to validate a VOMS attribute certificate)
- Validation code and trust-root configuration need to be correct on each resource
  – Maintenance issues, especially for light-weight clients
  – Out-of-date configuration could imply a security exposure
  – Administration of new trust roots
  – Managing revocation

Slide 4/7: Validation Service, Step 1
- Create a library of routines to perform validation
- Uses well-written library code to perform tests based on the grid PKI architecture
- Treat the credential as an opaque object in the application
- Allows separation of application and security code

Slide 5/7: Validation Service, Step 2
- Library calls modified to invoke an external service
- Library API is unchanged
- Credential checking becomes a service external to the application
- Secure service
- Can be shared between applications or sites
- Might be easier to implement OCSP to reduce CRL scaling problems

Slide 6/7: Validation Service, Step 3
- Transition to enhanced PKI or non-PKI credentials
- Service handles multiple forms of credentials/assertions
- May allow for better integration with future technologies:
  – Federated identity management
  – Shib
  – Bridged infrastructures
  – SAML, etc.
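The three steps above (a validation library that treats the credential as opaque, the same API backed by an external service, and one entry point for several assertion types) as an added example; this is illustrative code written for this transcript, not the proposal's own implementation. The "issuer=...;serial=...;notAfter=..." credential encoding, the kind tags "x509" and "saml", and the injected transport callable are all assumptions made to keep the example offline and self-contained.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

@dataclass(frozen=True)
class Credential:
    """Opaque object: the application passes it along and never parses blob."""
    kind: str    # "x509" or "saml": tags chosen for this example
    blob: bytes  # constructed sample data, not a real certificate or assertion

@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str

class LocalValidator:
    """Step 1: validation routines in a library; each check tests for failure."""
    def __init__(self, trust_roots: set[str], revoked: set[str], now: datetime):
        self.trust_roots, self.revoked, self.now = trust_roots, revoked, now
    def validate(self, cred: Credential) -> Verdict:
        # Toy "issuer=..;serial=..;notAfter=.." encoding stands in for ASN.1/XML;
        # malformed entries are skipped so missing fields fall through to rejection.
        f = dict(kv.split("=", 1) for kv in cred.blob.decode().split(";") if "=" in kv)
        if f.get("issuer") not in self.trust_roots:
            return Verdict(False, "issuer not in trust roots")
        if f.get("serial") in self.revoked:
            return Verdict(False, "credential revoked")
        if "notAfter" not in f or datetime.fromisoformat(f["notAfter"]) < self.now:
            return Verdict(False, "credential expired or has no validity period")
        return Verdict(True, "valid")

class RemoteValidator:
    """Step 2: identical validate() API, but an external service does the work."""
    def __init__(self, call: Callable[[Credential], Verdict]):
        self._call = call  # transport (an HTTPS client in practice) is injected
    def validate(self, cred: Credential) -> Verdict:
        try:
            return self._call(cred)
        except Exception as exc:  # fail closed when the service is unreachable
            return Verdict(False, f"validation service unavailable: {exc}")

class AssertionValidationService:
    """Step 3: one entry point dispatching on credential kind (X.509, SAML, ...)."""
    def __init__(self, handlers: dict[str, "LocalValidator | RemoteValidator"]):
        self.handlers = handlers
    def validate(self, cred: Credential) -> Verdict:
        handler = self.handlers.get(cred.kind)
        if handler is None:
            return Verdict(False, f"unsupported credential kind {cred.kind!r}")
        return handler.validate(cred)
```

Because the application only ever calls validate() on an opaque Credential, swapping LocalValidator for RemoteValidator (or adding a new kind to the dispatcher) changes no application code.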

Slide 7/7: Need is Immediate
- More application code is written each day
  – Contains coding errors
  – Contains conceptual errors
  – Tied to problematic PKI software
  – Increasing cost to evolve to new technology
  – Severe scaling problems in current PKI infrastructure
- Needed: requests from applications and VOs that this is required; have to get the resources, with commitment from middleware and application developers, for implementation and deployment.