OGSA-WG Basic Profile Session #1 Security


1 OGSA-WG Basic Profile Session #1 Security
Mar. 14, 2005 Frank Siebenlist, ANL Takuya Mori, NEC/ANL

2 Backgrounds
- A profile is a document that promotes interoperability of multiple implementations. It refers to a set of currently available specifications and states how to use them.
- Draft submissions of the Basic Profile 1.0 documents are targeted from Jun. to Dec. '05.
- The security profile is also required to be defined within the same time frame.

3 Items, Specs and Status (1)
- Communication Channel Security
  - WS-I BSP 1.0 (latest draft: Jan. 20, '05)
  - Transport Layer Security (SOAP/HTTPS, TLS, SSL)
  - SOAP Message Security (WS-Security, XML-Signature, XML-Encryption)
- Authentication
  - X509 Identity Certificate (RFC 3280)
  - Kerberos
  - WS-Trust, WS-SecureConversation (proprietary specs)

4 Items, Specs and Status (2)
- Delegation
  - X509 Proxy Certificate (RFC 3820): wide industry support is still unclear...
  - WS-Delegation: BoF at GGF13; possible standardization of a Delegation Service?

5 Items, Specs and Status (3)
- Authorization
  - Use of SAML for OGSA-Authz (draft, OGSA-Authz-WG): SAML 1.1 (Authz Decision)
  - OGSA Authz Attributes (draft, OGSA-Authz-WG): SAML 1.1, X509 Attribute Certificate (RFC 3281)
  - SAML 2.0, XACML (just approved as OASIS standards): potential GGF OGSA-Authz adoption

6 Items, Specs and Status (4)
- Others
  - Firewall: BoF at GGF13
  - VPN RG: BoF at GGF13
  - Trusted Computing: BoF at GGF13
  - Virtual Machines / Isolation / Jailed Environment

7 Scope Candidate Items for the BP 1.0
- Communication Channel Security: WS-I BSP 1.0 (SOAP/HTTPS, SSL, TLS, WS-Security, XML-Signature, XML-Encryption...)
- Authentication: PKI / X509 Identity Certificate
- The remaining items will be discussed for BP 2.0 or later versions of the profile.

8 Schedule
- Draft will be submitted by Jun. '05 (if assertion communication is not a part of BP 1.0).

9 Profile Contents – Example (1)
- Communication Channel Security: the profile mandates the use of transport layer security or message level security for secure transmission of messages.
- R0801: When establishing an HTTP connection, a SENDER MUST use HTTP over TLS as profiled by WS-I BSP 1.0 Section 3 and Section 9.

10 Profile Contents – Example (2)
- Authentication: consumers and instances SHOULD provide authentication information.
- To provide interoperability, only X509 Identity Certificate based authentication is permitted by the profile.

11 Relationship with WS-I BSP1.0
- Schedule
  - The latest version: draft dated Jan. 20, '05
  - Originally, the draft was scheduled to be released in May '04
  - No update to their charter
- WS-I BSP 1.0 extension points: some statements are needed for each of the extension points.
- WS-I BSP 1.0 requirements: need to find conflicts with our requirements and relax them if any exist. We are now looking closely at the requirements.

12 Outstanding Security Issues for BP1.0
- Transport and/or Message Level Security: ??MUST/SHOULD??
- Discovery of key-info for encryption in message level security
- Service Group Profile / EPR embedding?
- Use of Proxy-Certificates (PC): standard but not widely adopted outside the Grid community
- Communication of Assertions: profiles for common assertions in header or PC

13 Communication of Assertions
- Communicated assertions: Proxy-Certificates, SAML Identity/Attribute Assertions, VOMS/PERMIS ACs, SAML Authz Decision Assertions, XACML Policy Assertions, ???
- Plus we communicate EPRs to Attribute Services (Shib) or Authz Services (PDPs)
- Inventive ways to communicate: SOAP Headers, Proxy-Certificate embedding

14 Assertion Communication not all “standardized”
- WS-Security: OASIS profile for SAML
- Proxy-Certificate: IETF RFC
- But...
  - No WS-Security profile for AC/PC/EPR
  - No profile for proxy-certificate embedding of SAML/AC/EPR
- To ensure interoperability, we have to standardize those profiles!!!
- Parties have to know where to put the assertions and where they can find them...
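Illustration of the last point (an added example, not part of the presentation or of any OGSA-WG or WS-I document): a receiver that follows the WS-Security SAML Token Profile looks for the assertion in one place, soap:Header/wsse:Security/saml:Assertion, and never sees an assertion a sender tucked into some other header block. Only the SOAP 1.1, WS-Security 1.0 and SAML 1.1 namespaces are real; the two SOAP messages, the issuer URL, the AssertionID values and the urn:example:grid-adhoc header block are constructed for the example. The R0801 transport check from slide 9 is included alongside because a profile conformance checker would carry both.

```python
"""Where a profiled receiver looks for an assertion (added example, constructed data)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"            # SOAP 1.1
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")          # WS-Security 1.0
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"                 # SAML 1.1
NS = {"soap": SOAP_NS, "wsse": WSSE_NS, "saml": SAML_NS}

# The WS-Security SAML Token Profile places the assertion as a direct child
# of the wsse:Security header block. A profiled receiver searches only here.
PROFILED_ASSERTION_PATH = "soap:Header/wsse:Security/saml:Assertion"


def find_profiled_assertions(envelope_xml):
    """Return AssertionIDs of SAML 1.1 assertions at the profiled location.

    Anything carried elsewhere is invisible to this receiver, however
    well-formed it is: that is the interoperability gap the slide describes."""
    root = ET.fromstring(envelope_xml)
    return [a.get("AssertionID") for a in root.findall(PROFILED_ASSERTION_PATH, NS)]


def find_any_assertions(envelope_xml):
    """Return AssertionIDs of SAML assertions found anywhere in the SOAP header.

    This is what a receiver is reduced to without an agreed profile: scanning
    every header block for something that looks like an assertion."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    if header is None:
        return []
    return [a.get("AssertionID") for a in header.iter(f"{{{SAML_NS}}}Assertion")]


def check_transport(endpoint_address):
    """R0801-style check: an HTTP connection to the endpoint must be HTTP over TLS."""
    return urlparse(endpoint_address).scheme.lower() == "https"


def _envelope(header_blocks):
    """Wrap constructed header blocks in a minimal SOAP 1.1 envelope."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
            f"<soap:Header>{header_blocks}</soap:Header><soap:Body/></soap:Envelope>")


_ASSERTION = (f'<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="_a1" '
              'MajorVersion="1" MinorVersion="1" Issuer="https://attr.example.org" '
              'IssueInstant="2005-03-14T00:00:00Z"/>')

# Constructed sample: assertion carried where the WS-Security SAML profile says.
PROFILED_MESSAGE = _envelope(f'<wsse:Security xmlns:wsse="{WSSE_NS}">{_ASSERTION}</wsse:Security>')

# Constructed sample: the same assertion in an ad-hoc header block under a
# made-up namespace (hypothetical; not any real specification).
ADHOC_MESSAGE = _envelope(f'<grid:Credentials xmlns:grid="urn:example:grid-adhoc">'
                          f"{_ASSERTION}</grid:Credentials>")

if __name__ == "__main__":
    print("profiled message, profiled lookup:", find_profiled_assertions(PROFILED_MESSAGE))
    print("ad-hoc message,   profiled lookup:", find_profiled_assertions(ADHOC_MESSAGE))
    print("ad-hoc message,   scan everything:", find_any_assertions(ADHOC_MESSAGE))
    print("https endpoint passes R0801:", check_transport("https://svc.example.org/ogsa"))
    print("http endpoint passes R0801: ", check_transport("http://svc.example.org/ogsa"))
```

The profiled lookup finds the assertion in the first message and nothing in the second, while the brute-force scan finds it in both; the scan is what every implementation would have to agree on independently if no profile names the location, which is the argument for standardizing the header and proxy-certificate embedding profiles.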

15 Attribute Collection Framework

16 GT Authorization Framework (1)

17 Standardize Assertion Communication
- WS-Security profile for AC/PC/EPR? Not sure if OASIS would be interested.
- GGF profile for proxy-certificate embedding of SAML/AC/EPR? The Grid community is the only user of PCs (it's our only way to communicate authz assertions...).
- Need profiles for BP 1.0!

18 Security for BP1.0
- Leverage WS-I: gives us 90% of what we need...
- Issues left:
  - Transport and/or Message Level Security: ??MUST/SHOULD??
  - Discovery of key-info for encryption in message level security
  - Service Group Profile / EPR embedding?
  - Use of Proxy-Certificates (PC): standard but not widely adopted outside the Grid community
  - Communication of Assertions: profiles for common assertions in header or PC
- Separate Security Basic Profile document?

