Presentation is loading. Please wait.

Presentation is loading. Please wait.

GT4 Delegation Service and credential {renewal,refresh} Olle Mulmo.

Published byNathan Porter Modified over 11 years ago

Similar presentations

Presentation on theme: "GT4 Delegation Service and credential {renewal,refresh} Olle Mulmo."— Presentation transcript:

1 GT4 Delegation Service and credential {renewal,refresh} Olle Mulmo

2 Background l Two conflicting requirements: u Long-term, distributed services that operate in a given (user) security context u No long-term credentials

3 Credential renewal, take 1 l What we did to address this: u Augment existing delegation service with renewal capabilities u No change to existing code, just addition

4 Service Container 1 Container 2 p1 p2p3 Container 3 p4 DS Delegation Resources Use case Service EPR(p2) EPR(p3) Delegate What to do if p2 is destroyed p2,p3,p4 expires If p2 gets refreshed, we want p3 and p4 refreshed as well transient errors occur (network outage or container downtime) Stuff happens

5 Service Container 1 Container 2 p1 p2p3 Container 3 p4 Renewal thread {p2,p3} {p2,p4} DS Delegation Resources Renewal Resources Delegation Resources Listener Renewal Service Service What to do if p2 is destroyed Cascading destroy p2,p3,p4 expires Periodical refresh and non-defaul resource termination time If p2 gets refreshed, we want p3 and p4 refreshed as well Cascading refresh transient errors occur (network outage or container downtime) Failure retry interval

6 Renewal resource l EndpointReferenceType parent l EndpointReferenceType child l Subject subject l Boolean cascadingDestroy l Boolean cascadingRefresh l Boolean periodicRenewal l int refreshMargin l int retryInterval l int expirationMargin l Boolean fullDelegation l X509Certificate serverCert l int validity l Calendar terminationTime l … and a few runtime variables such as failure count, last renewal attempt, child termination time … These are mandatory, all other are optional (container-wide defaults)

7 Intervals and margins validity Child credential Child credential resource expiration margin refresh margin Time refresh margin retry interval t0t1t2t5t4t3

8 Notes l Renewal must be co-located with parent credential u Push model l If parent or child resource is destroyed or terminated, we cant recover u By default, delegation resource termination time is set to credential.notAfter() l Currently no access control on renewal resources u Ability to circumvent delegation resource protection for credential access (parent EPR + subject) u Needs discussion

Download ppt "GT4 Delegation Service and credential {renewal,refresh} Olle Mulmo."

Similar presentations

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,
The Coin Game. SUPPLY CHAIN BASICS Key Learning Points: The dynamics of a supply chain The benefits to be gained from Supply Chain Visibility Demand/Supply.

The Coin Game. SUPPLY CHAIN BASICS Key Learning Points: The dynamics of a supply chain The benefits to be gained from Supply Chain Visibility Demand/Supply.
Clonazione La clonazione... Ovvero: come costruire una copia (probabilmente che ritorni true su equals?)

Clonazione La clonazione... Ovvero: come costruire una copia (probabilmente che ritorni true su equals?)
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
1 2/20/03 Link Security Scenarios Ali Abaye Charles Cook Norm Finn Russ Housley Marcus Leech Mahalingam Mani Bob Moskowitz Dave Nelson Antti Pietilainen.

1 2/20/03 Link Security Scenarios Ali Abaye Charles Cook Norm Finn Russ Housley Marcus Leech Mahalingam Mani Bob Moskowitz Dave Nelson Antti Pietilainen.
GT4 Architectural Security Review December 17th, 2004.

GT4 Architectural Security Review December 17th, 2004.
1 Implementation Plan April 2006. 2 THE CONCEPT OF SAFETY MANAGEMENT Philosophy of Safety Management Safety Monitoring Safety Assessment Safety Auditing.

1 Implementation Plan April THE CONCEPT OF SAFETY MANAGEMENT Philosophy of Safety Management Safety Monitoring Safety Assessment Safety Auditing.
Knowledge Creation Tools for DAML Grit Denker, Jerry R. Hobbs, David Martin Srini Narayanan, Richard Waldinger SRI International.

Knowledge Creation Tools for DAML Grit Denker, Jerry R. Hobbs, David Martin Srini Narayanan, Richard Waldinger SRI International.
WS-Policy F2F Austin, TX July 2006 Report on WS-Policy Interop Workshop of April 2006 (Round 3) Toufic Boubez Layer 7 Technologies.

WS-Policy F2F Austin, TX July 2006 Report on WS-Policy Interop Workshop of April 2006 (Round 3) Toufic Boubez Layer 7 Technologies.
Geneva, 28 May 2010 PBB-TE Infrastructure Protection Switching Operation Bob Sultan, Huawei Technologies Joint ITU-T/IEEE Workshop on The Future of Ethernet.

Geneva, 28 May 2010 PBB-TE Infrastructure Protection Switching Operation Bob Sultan, Huawei Technologies Joint ITU-T/IEEE Workshop on The Future of Ethernet.
1 Processes and Threads Creation and Termination States Usage Implementations.

1 Processes and Threads Creation and Termination States Usage Implementations.
Modeling of Signaling Pathways Based on Petri nets

Modeling of Signaling Pathways Based on Petri nets
IBM Systems Group © 2004 IBM Corporation Nick Jones What could happen to your data? What can you do about it?

IBM Systems Group © 2004 IBM Corporation Nick Jones What could happen to your data? What can you do about it?
Modeling Software Systems Lecture 2 Book: Chapter 4.

Modeling Software Systems Lecture 2 Book: Chapter 4.
School of Computer Science & Software Engineering

School of Computer Science & Software Engineering
Internet Rechartering Update System Enhancements October 1, 2010.

Internet Rechartering Update System Enhancements October 1, 2010.
OpenMP.

OpenMP.
Principles of Engineering System Design Dr T Asokan

Principles of Engineering System Design Dr T Asokan
Chris Morgan, MATH G160 January 30, 2012 Lecture 9 Chapter 4.1: Combinations 1.

Chris Morgan, MATH G160 January 30, 2012 Lecture 9 Chapter 4.1: Combinations 1.
TRAINING MANAGEMENT SOP

TRAINING MANAGEMENT SOP

Similar presentations

Ads by Google