Presentation: GSI Online Credential Retrieval Requirements, Jim Basney (NCSA)

446e9c851260a93926e0a0c2887b9f5a.ppt

  • Number of slides: 10

GSI Online Credential Retrieval Requirements
Jim Basney
jbasney@ncsa.uiuc.edu
http://www.ncsa.uiuc.edu/~jbasney/
National Center for Supercomputing Applications
National Computational Science

Online Credential Retrieval Defined
(Diagram: message flow between Client and Server)
  1. Client -> Server: Authenticate
  2. Client -> Server: Request Credential
  3. Server: Verify Authorization
  4. Server -> Client: Retrieve Credential

Motivation for OCR
• Credential management
  – Securely manage credential files on user’s behalf
  – Ease use of multiple credentials
• Credential translation
  – Single sign-on to multiple authentication mechanisms and domains
• Credential renewal by trusted services
  – Alternative to delegating long-lived proxies
• Indirect credential delegation
  – Example: web portals

OCR Examples
Service        Auth Method      Credential
MyProxy        Password         X.509 user proxy
K5Cert         Kerberos         K5 CA issued X.509 cert
CAS            GSI              X.509 community proxy
GSIklog        GSI              AFS token
SSLK5          SSL              Kerberos ticket
Kerberos KDC   AS_REQ+preauth   Kerberos ticket
CA             OOB or IAK       CA issued X.509 certificate

OCR Implementations
• Online Credential Authority
  – Examples: Online CA, Kerberos KDC
  – Creates credentials on demand
  – Vulnerability of authority’s private key a concern
• Encrypted credential repository
  – Credentials stored encrypted in the repository
  – Credentials may be opaque to protocol and repository
  – Requires client to decrypt credentials on receipt
• Delegating credential repository
  – Unencrypted credential stored in repository
  – Server delegates credential to client

Proposed GGF Activity
• OCR Requirements document
  – What OCR services are needed for Grids?
• OCR Framework document
  – Address policy issues of credential repositories, credential translation, credential renewal
  – Recommendations for interoperability
• OCR Protocol document
  – Define an OCR protocol framework that enables interoperability between different types of OCR services
  – Share mechanisms between OCR implementations (auditing, delegation tracing, event notification, etc.)

Standards Activity
• IETF SACRED WG
  – Credential format MUST be opaque to the protocol
  – Protocol MUST NOT force credentials to be present in clear text on the server
• IETF PKIX WG
  – Online Certificate Authorities
  – Certificate request may include Initial Authentication Key

Protocol Requirements
• Mutual authentication
  – Client-side configuration required to authenticate server
• Multiple authentication mechanisms
  – Password, GSI, Kerberos
• Delegate different credential types
  – X.509 cert, X.509 proxy, Kerberos ticket
• Client can choose among available credentials
  – Query available credentials and choose
  – Request credential that meets specification
• Administrative protocols
  – Credential upload and remove
  – Authorization control (user, administrator, and community)
• OGSA-compliant
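The following is an added example, not code from the slides or from MyProxy or any other service named on them. It models the "encrypted credential repository" of the OCR Implementations slide walked through the exchange on the Online Credential Retrieval Defined slide (authenticate, request, verify authorization, retrieve), plus the query step from the Protocol Requirements slide. The server stores only sealed blobs it cannot read, which is the SACRED "no clear text on the server" property, and the client decrypts on receipt. All principals, passwords and credential bytes are constructed; the cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is a standard-library stand-in for an authenticated cipher such as AES-GCM, chosen only so the example runs without third-party packages.

```python
# Added example (not code from the slides or from MyProxy): an "encrypted credential
# repository" walked through the OCR exchange (authenticate, request, verify
# authorization, retrieve).  The server holds only opaque blobs it cannot read.
# Users, passwords and the credential bytes are constructed.  The cipher (HMAC-SHA256
# in counter mode, encrypt-then-MAC) is a stdlib-only stand-in for AES-GCM.
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # PBKDF2 work factor (constructed value for the demo)

def _derive_keys(passphrase, salt):
    # 64 bytes from PBKDF2: first half encrypts, second half authenticates
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, 64)
    return km[:32], km[32:]

def _keystream(key, nonce, length):
    # counter mode: concatenate HMAC(key, nonce || counter) blocks, truncate to length
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def seal(passphrase, plaintext):
    """Client side: encrypt and MAC a credential before uploading it."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return salt + nonce + ct + hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()

def open_blob(passphrase, blob):
    """Client side: verify the tag, then decrypt the retrieved blob."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong passphrase or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Repository:
    """Server side: opaque blobs, password authentication, per-credential ACL, audit trail."""
    def __init__(self):
        self._blobs, self._acl, self._logins, self.audit = {}, {}, {}, []

    def register(self, user, password):
        salt = os.urandom(16)
        self._logins[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS))

    def authenticate(self, user, password):
        salt, stored = self._logins.get(user, (b"", b""))
        ok = bool(stored) and hmac.compare_digest(
            stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS))
        self.audit.append(("auth", user, ok))  # every decision is logged ('OCR Issues': audit trail)
        if not ok:
            raise PermissionError("authentication failed")

    def upload(self, user, password, name, blob, allowed=()):
        self.authenticate(user, password)
        self._blobs[(user, name)] = blob                 # stored as received: never plaintext here
        self._acl[(user, name)] = set(allowed) | {user}  # owner plus delegates (e.g. a web portal)
        self.audit.append(("upload", user, name))

    def available(self, caller, password):
        """Query step from 'Protocol Requirements': what may this caller retrieve?"""
        self.authenticate(caller, password)
        return sorted(key for key, acl in self._acl.items() if caller in acl)

    def retrieve(self, caller, password, owner, name):
        self.authenticate(caller, password)
        if caller not in self._acl.get((owner, name), ()):
            self.audit.append(("deny", caller, owner, name))
            raise PermissionError("not authorized for this credential")
        self.audit.append(("retrieve", caller, owner, name))
        return self._blobs[(owner, name)]

def demo():
    """Run the exchange with constructed principals; returns the facts worth checking."""
    repo = Repository()
    for user in ("alice", "portal", "mallory"):
        repo.register(user, "login-pw-" + user)
    proxy = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED PROXY, NOT A REAL CERT\n-----END CERTIFICATE-----\n"
    # alice seals her proxy and lets a web portal (indirect delegation) fetch it; the
    # sealing passphrase is assumed to reach the portal out of band.
    repo.upload("alice", "login-pw-alice", "x509proxy", seal("alice-cred-pw", proxy), allowed={"portal"})
    out = {"server_has_plaintext": proxy in repo._blobs[("alice", "x509proxy")]}
    out["portal_sees"] = repo.available("portal", "login-pw-portal")
    blob = repo.retrieve("portal", "login-pw-portal", "alice", "x509proxy")
    out["portal_plaintext"] = open_blob("alice-cred-pw", blob)
    try:
        repo.retrieve("mallory", "login-pw-mallory", "alice", "x509proxy")
        out["mallory_denied"] = False
    except PermissionError:
        out["mallory_denied"] = True
    try:
        open_blob("wrong-passphrase", blob)
        out["wrong_passphrase_rejected"] = False
    except ValueError:
        out["wrong_passphrase_rejected"] = True
    out["audit"] = repo.audit
    return out
```

Running `demo()` shows the split of responsibilities the slides describe: the repository authenticates and authorizes but never sees the proxy in clear, the retrieving client is the only party that can open the blob, a wrong passphrase or a modified blob fails the integrity check before any decryption is attempted, and every authentication and authorization decision, including the denial, lands in the audit trail. A delegating repository would differ exactly at the upload step, storing the credential unencrypted so the server can delegate it itself, which is why its trustworthiness and the centralized key storage question on the Discussion slide matter more in that design.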

OCR Issues
• Authorization
• Restricted delegation
• Delegation tracing across multiple mechanisms
• Audit trail
• Notification services
• Compatibility with site security policies
• Availability/Replication

Discussion
• Is there a need for OCR services in the Grid?
  – If so, what types of OCR services are needed?
• Will production Grid policies allow OCR services?
  – Centralized key storage
  – Transitive trust
• Is there interest in GGF OCR activity?
• Any comments on requirements draft?
• Other comments or discussion topics?