
PAPI 2 Distributed trust model and AA interoperability

Elements for the new version
• New platforms
• Convergence to other solutions
• A distributed trust model

New Platforms
[Diagram labels: IIS, Apache, PoA, Squid, PoA, Other?, PoA?, PAPI library]

A Little Review
[Diagram labels: PAPI AS, Authentication tokens, Browser, 302+data, 302+Hcook, GPoA, Hcook-Lcook, PoA]

A Little Review
[Diagram labels: University, PoA, Departments, Servers, PoA, Same policy]
Simplifies management
• There is one aggregator for the whole hierarchy
• It is not necessary to notify about new PoAs
X Children have the same policy as their parent
• New access control policies are needed

More functionality for the model
• More information to control the access
§ Attributes
• Off-line
• On-line
§ Offline solution -> Privacy problem
§ Online solution -> online element serving the attributes

Attribute Authority: Approximation to the Shibboleth model
[Diagram labels: Authentication, Attr. Auth Server, Authentication data, Temporary Signed-URLs, Attributes?, Signed-URL, Web browser, Encry-cookie, Point of Access, Encry-cookies]

PAPI - Shibboleth models
[Diagram labels: Authentication, Attr. Auth Server, Authentication data, Temporary Signed-URLs, Attributes?, Signed-URL, Web browser, Shar, Shire, PoA, Encry-cookies, Encry-cookie, R. M.]

Interoperability
• Starting to define interoperability scenarios: PAPI - Shibboleth
• Interoperability aspects:
§ Protocol between SHAR and AA = SAML (syntax and semantics) -> openSAML
§ PoA should be able to manage Shibboleth user handles and interact with WAYF elements
§ Trust model

PAPI - Trust model
• Two components
§ Horizontal trust: between ASes and target sites
§ Vertical trust: between PoAs of an organization
• Requirements of the model
§ Easy to manage
§ Not centralized
• No TTP (trusted third party)
• No dedicated staff to manage it
§ Avoid revocations

Trust model
[Diagram labels: AS AA1; PoA1; C1: Cert PoA1; AS AA2; C1: Cert PoA1; SC3(Attributes?); PoA2; PoA; SAA(KC3(Attributes)); SC4(Attributes?); AS AA3; C2: Cert PoA2; SAA(KC4(Attributes)); PoA3; C3: SPoA1(Cert PoA3); C4: SPoA2(Cert PoA3); Pub keys of AAs]

Some management examples: New PoA in the fabric
[Diagram labels: AA1; PoA1; Cert PoA1; PoA2; AA2; Cert PoA2; Sign request; Pub key of PoA2; Pub key of PoA3; SPoA1(Cert PoA3) + SPoA2(Cert PoA3) + Pubs of AAs]

Some management examples: New AA in the fabric
[Diagram labels: Pub key of AA; AA1; Cert of PoA1; PoA2; AA2; Cert of PoA1; PoA3; Pub key of new AA; SPoA1(Cert PoA3)]

Some management examples: New keys in a trusted PoA
[Diagram labels: Pub key of PoA1; AA; PoA1; Pub key of PoA1; Cert PoA1; PoA2; Sign request; Resign needed; PoA3; SPoA1(Cert PoA3); Pub keys of AAs]

Current status
• Core library available
§ OpenSSL
§ libxml
§ xmlsec
• Implementations running on IIS and Apache
• Ready for interoperability tests with Shibboleth
• Implementing and evaluating the trust model