7c67a72c084351246dc4ba61aa772104.ppt
- Number of slides: 15

PAPI 2: Distributed trust model and AA interoperability
Elements for the new version
• New platforms
• Convergence to other solutions
• A distributed trust model
New Platforms
[diagram: IIS, Apache PoA, Squid PoA, Other? PoA?, all built on the PAPI library]
A Little Review
[diagram of the PAPI flow: PAPI AS, authentication tokens, browser, 302+data, 302+Hcook, GPoA, Hcook / Lcook, PoA]
A Little Review
[diagram: University PoA above Department PoAs and Server PoAs]
Same policy simplifies management:
• There is one aggregator for the whole hierarchy
• It is not necessary to notify about new PoAs
X Children have the same policy as their parent
• New access control policies are needed
More functionality for the model
• More information to control the access
  § Attributes
    • Off-line
    • On-line
  § Offline solution -> privacy problem
  § Online solution -> online element serving the attributes
Attribute Authority: Approximation to the Shibboleth model
[diagram: Authentication, Attr. Auth Server, Authentication data, Temporary Signed-URLs, Attributes?, Signed-URL, Web browser, Encrypted cookie, Point of Access, Encrypted cookies]
PAPI - Shibboleth models
[diagram: Authentication, Attr. Auth Server, Authentication data, Temporary Signed-URLs, Attributes?, Signed-URL, Web browser, SHAR, SHIRE, PoA, Encrypted cookies, Encrypted cookie, R.M.]
Interoperability
• Starting to define interoperability scenarios: PAPI - Shibboleth
• Interoperability aspects:
  § Protocol between SHAR and AA = SAML (syntax and semantics) -> openSAML
  § PoA should be able to manage Shibboleth user handles and interact with WAYF elements
  § Trust model
PAPI - Trust model
• Two components
  § Horizontal trust: between ASes and target sites
  § Vertical trust: between PoAs of an organization
• Requirements of the model
  § Easy to manage
  § Not centralized
    • No TTP (trusted third party)
    • No dedicated staff to manage it
  § Avoid revocations
Trust model
[diagram: AS/AA1, AS/AA2, AS/AA3; PoA1, PoA2, PoA3. Certificates: C1: Cert PoA1; C2: Cert PoA2; C3: SPoA1(Cert PoA3); C4: SPoA2(Cert PoA3). Attribute requests and answers: SC3(Attributes?), SAA(KC3(Attributes)); SC4(Attributes?), SAA(KC4(Attributes)). PoAs hold the public keys of the AAs]
Some management examples: New PoA in the fabric
[diagram: AA1, AA2; PoA1 (Cert PoA1), PoA2 (Cert PoA2); the new PoA3 sends a sign request; it receives SPoA1(Cert PoA3) + SPoA2(Cert PoA3) + public keys of the AAs; the AAs receive the public keys of PoA2 and PoA3]
Some management examples: New AA in the fabric
[diagram: AA1, new AA2; PoA1, PoA2, PoA3; the public key of the new AA is distributed to the PoAs; the new AA receives Cert of PoA1 and SPoA1(Cert PoA3)]
Some management examples: New keys in a trusted PoA
[diagram: AA; PoA1 with new public key and Cert PoA1; PoA2 sends a sign request; re-signing needed for PoA3: SPoA1(Cert PoA3); public keys of the AAs]
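The vertical trust chain of the trust-model and management slides, as an added Go example that is not part of the original deck: a child PoA's certificate is signed by a parent PoA, an AA verifies it against the parent keys it already trusts, and a key change in the parent forces the child's certificate to be re-signed. It assumes Ed25519 signatures and reads the slide notation C3 = SPoA1(Cert PoA3) as "PoA3's certificate signed by PoA1"; the names PoA1/PoA3 and the field layout are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert binds a PoA name to its public key and carries the signature of the
// parent PoA that vouches for it (the slides' SPoA1(Cert PoA3), read as an assumption).
type Cert struct {
	Name   string
	Pub    ed25519.PublicKey
	Signer string // name of the parent PoA that signed this cert
	Sig    []byte
}

// certBody is the signed payload: name and key together, so neither can be swapped.
func certBody(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"|"), pub...)
}

// Issue lets a parent PoA sign the certificate of a child PoA (the "sign request").
func Issue(signer string, signerPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Cert {
	return Cert{Name: name, Pub: pub, Signer: signer, Sig: ed25519.Sign(signerPriv, certBody(name, pub))}
}

// Verify accepts a cert only if its signer is a PoA the verifier (e.g. an AA) already
// trusts and the signature checks out against that PoA's current public key.
func Verify(c Cert, trusted map[string]ed25519.PublicKey) bool {
	signerPub, ok := trusted[c.Signer]
	if !ok {
		return false
	}
	return ed25519.Verify(signerPub, certBody(c.Name, c.Pub), c.Sig)
}

func main() {
	poa1Pub, poa1Priv, _ := ed25519.GenerateKey(rand.Reader)
	poa3Pub, _, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"PoA1": poa1Pub} // the AA's trust anchors
	c3 := Issue("PoA1", poa1Priv, "PoA3", poa3Pub)
	fmt.Println("PoA3 vouched for by PoA1:", Verify(c3, trusted))
	// PoA1 rotates its keys: certs it signed earlier no longer verify ("re-signing needed").
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted["PoA1"] = newPub
	fmt.Println("stale PoA3 cert after rotation:", Verify(c3, trusted))
	fmt.Println("re-signed PoA3 cert:", Verify(Issue("PoA1", newPriv, "PoA3", poa3Pub), trusted))
}
```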
Current status
• Core library available
  § OpenSSL
  § libxml
  § xmlsec
• Implementations running on IIS and Apache
• Ready for interoperability tests with Shibboleth
• Implementing and evaluating the trust model