
Hi, thanks for throwing out those points.

2009/3/17 Morris Riedel <m.riedel@fz-juelich.de>
Hi PGI security folks,
currently I see five major elements in terms of security related to PGI:
(1) Authentication/Attribute-based Authorization (i.e. plumbings as named earlier), maybe first push-based before looking at pull-based models - although, this of course, can be discussed as well among us.
If we are talking about attributes carried inside a SAML assertion, getting the attributes from the attribute authority is not a challenge; for instance we can use the VOMS SAML service (the client gets back a SAML assertion that includes attributes, through SSL authentication with the VOMS SAML service) as a candidate. But how to push the SAML assertion from the client side to the service side could be a challenge (for which VOMS has not provided a solution, IMO). I can see two ways: one way is to put the SAML assertion into an X.509 proxy certificate's extension, by which you can guarantee that the attribute information is bound to the SSL authentication; the other way is to put the SAML assertion in the SOAP header, which further splits into two branches. First branch: using the SAML assertion for message (SOAP) level authentication + attribute carrying (in this case the VOMS SAML service should probably be improved to create a SAML response containing a holder-of-key authentication assertion; then this assertion can be used for message level authentication according to the WS-Security SAML Token Profile 1.1). Second branch: using the SAML assertion only for attribute carrying (in this case, transport level security should be configured). I heard that the VOMS attribute service is used in UNICORE; could some colleagues provide some details about how the above scenario is processed? In case of ARC, it can get back a SAML assertion from the VOMS SAML service, and it can put the SAML assertion as an extension of the proxy certificate; it also supports WS-Security (SAML Token profile, as well as UsernameToken and X.509 Token), but how to get a SAMLToken is lacking. Maybe people from the OGSA-AuthZ group can give some suggestions.
(2) Agreement on Definition/Semantics/Structure of Attributes
Has the usage of SAML attribute assertion been decided?
(3) Encoding of delegation restriction/constraints
The restriction is about what kind of policy will be used?
(4) Interface of delegation service (maybe based on subset of WS-Trust)
(5) Agreement on third party credentials transportation (e.g. a delegated GridFTP proxy/SAML assertion-based access for data-staging during BES submissions)
As a starting point - have I forgotten something in this enumeration? If so - please answer to this thread.
In terms of priorities, I would suggest focusing first on number one, but of course feel free to comment within this thread.
Agree. IMO, the whole profile which will be adopted is most important.

Regards,
Weizhong
Your co-chair, Morris
P.S. I cc'ed the area director of security (David Groep) to ensure that we did not duplicate efforts done elsewhere (i.e. in the OGSA-AuthZ group). We have been in touch about a few security issues raised in GIN earlier. CIAO.
------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany
Email: m.riedel@fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656
Skype: MorrisRiedel
"We work to better ourselves, and the rest of humanity"
Registered office: Jülich
Registered in the commercial register of the Düren local court, No. HR B 3498
Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
Executive Board: Prof. Dr. Achim Bachem (Chairman), Dr. Ulrich Krafft (Deputy Chairman)
_______________________________________________
Pgi-wg mailing list
Pgi-wg@ogf.org
http://www.ogf.org/mailman/listinfo/pgi-wg
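The two SOAP-header branches discussed in the thread, as an added example that is not part of the thread and is not VOMS, UNICORE or ARC code: the client places a SAML 2.0 attribute assertion in the wsse:Security header, and the service routes on the SubjectConfirmation method, treating a holder-of-key assertion as the message-level authentication branch and otherwise requiring that transport-level authentication already took place. Issuer, subject and attribute names and values are constructed sample data; verification of the XML signature and the holder-of-key proof is assumed to be done by the WS-Security stack, not by this code.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SOAP 1.1, WS-Security and SAML 2.0 assertions.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def tag(prefix, name):
    return "{%s}%s" % (NS[prefix], name)

def build_envelope(issuer, subject, attributes, method):
    """Client side: put a SAML attribute assertion into the wsse:Security header.
    'attributes' maps attribute name -> list of values (constructed sample data)."""
    env = ET.Element(tag("soap", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, tag("soap", "Header")), tag("wsse", "Security"))
    assertion = ET.SubElement(sec, tag("saml", "Assertion"), Version="2.0")
    ET.SubElement(assertion, tag("saml", "Issuer")).text = issuer
    subj = ET.SubElement(assertion, tag("saml", "Subject"))
    ET.SubElement(subj, tag("saml", "NameID")).text = subject
    ET.SubElement(subj, tag("saml", "SubjectConfirmation"), Method=method)
    stmt = ET.SubElement(assertion, tag("saml", "AttributeStatement"))
    for name, values in attributes.items():
        attr = ET.SubElement(stmt, tag("saml", "Attribute"), Name=name)
        for value in values:
            ET.SubElement(attr, tag("saml", "AttributeValue")).text = value
    ET.SubElement(env, tag("soap", "Body"))
    return ET.tostring(env, encoding="unicode")

def accept_assertion(envelope_xml, transport_authenticated):
    """Service side: extract the assertion and pick the branch. Returns
    (branch, subject, attributes); signature/key-proof checks are assumed
    to be done by the WS-Security stack before this routing decision."""
    root = ET.fromstring(envelope_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in wsse:Security header")
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    method = conf.get("Method") if conf is not None else None
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if method == HOLDER_OF_KEY:
        return ("message-level", subject, attrs)   # first branch: assertion authenticates
    if not transport_authenticated:
        raise PermissionError("attribute-only assertion requires transport-level authentication")
    return ("attribute-only", subject, attrs)      # second branch: SSL did the authentication
```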