View
33
Download
0
Category
Preview:
DESCRIPTION
GGF OGSA SEC WG History & Status. Presentation Edited and Modified: Alan J Weissberger Data Communications Technology ajwdct@technologist.com. OGSA SEC WG [OGSA= Open Grid Services Architecture] Co-chairs: Nataraj Nagaratnam, IBM, USA Marty Humphrey University of Virginia, USA - PowerPoint PPT Presentation
Citation preview
www.ggf.org
OGSA SEC WG [OGSA= Open Grid Services Architecture]
Co-chairs: Nataraj Nagaratnam, IBM, USA
Marty HumphreyUniversity of Virginia, USA
GGF9 WG session: Oct 7, 2003, Chicago, Illinois
GGF OGSA SEC WG History & Status
Presentation Edited and Modified:
Alan J WeissbergerData Communications Technology
ajwdct@technologist.com
www.ggf.org
OGSA SEC WG Charter
•“Enumerate and address the Grid Security requirements in the context of the OGSA”
•“Leverage… WS-Security… and… WS Security Roadmap”
Primary outcome:doc #1: The Security Architecture for Open Grid Services doc #2: OGSA Security Roadmap
•Secondary outcome:Creation of new GGF WGs to address “gaps” identified by #2
•Synergistic with other efforts (e.g., OASIS, W3C)???• But…no incorporation of IETF Security specs (IP Sec or SSL), no recognition of IEEE 802.1X or knowledge of IEEE 802.1 Link Security!
www.ggf.org
[GGF6] OGSA Security WG Methodology
1st WG meeting at GGF6 (Oct 2002)•What requirements are unique/necessary in Grids?•Do the Architecture/Roadmap cover these?
If not, how to extend documents?
•What components need to be built based on these requirements?•Are any specifications not listed? [AW: IP Sec, SSL, LinkSec?]•Are any of these “boxes” actively being constructed outside of the GGF?What are these? Where are these? Who are building them?
•Which of the (inactive/pending) boxes are urgent?Based on the identified set of specifications that we need to work on, try to prioritize the list and come up with a dependency/deliverable graph
Suggest spinning off workgroups based on specs identified to be started under GGF
www.ggf.org
Current/proposed specs Building on the WS/ SOAP Foundation
This is a This is a composable composable ArchitectureArchitecture
““only use what only use what you need”you need”
SOAP FoundationSOAP Foundation
WS-SecurityWS-Security
WS-PolicyWS-Policy WS-TrustWS-Trust WS-PrivacyWS-Privacy
WS-SecureWS-SecureConversationConversation WS-FederationWS-Federation WS-AuthorizationWS-Authorization
tim
e
OASIS standard
AW Note: This is the IBM-MSFT WS Roadmap for Security Protocols. Only WS-Security is a standard.
www.ggf.org
OGSA Security Components
Bindings Security(transport, protocol, message security)
Credential and Identity Translation
(Single SignOn)
User Management
Key Management
Intrusion Detection
Service/End-point Policy
Audit &Non-repudiation
Anti-virus Management
Sec
ure
Lo
ggin
g
Tru
st M
ode
l
AuthorizationPolicy
Privacy Policy
Secure Conversations
Policy Expression and Exchange
Policy Management(authorization,
privacy, federation, etc)
MappingRules
Access ControlEnforcement
www.ggf.org
Building Blocks
HTTPhttps
IIOPCSIv2
JMS(MQ)
NT Linux AIX OS/400Solaris z/OS
XML Signature
XML Encryption XACMLXKMS
ds:Signature
xenc:EncryptedData SecurityToken
Assertion Language
WSDL SOAP WS*L...
...
Platform resource security
Protocol layersecurity
XML securitystandards
Web servicesstandards
Message Security
AttributeServiceAuthnService AuthzService AuditService...
AppServer security
Platform (OS) security
Application security (on top of app server)
Security services (TBD)
Exploiters
...
...
WS-Policy WS-TrustPolicy layer
WS-Privacy
WS-Federation WS-SecureConversationWS-Authorization
Federation layer
WS-Routing
www.ggf.org
Category Specifications
Naming OGSA Identity OGSA Target/Action Naming OGSA Attribute and Group Naming Transient Service Identity Acquisition
Translation between Security Realms
Identity Mapping ServiceGeneric Name MappingPolicy Mapping Service Credential Mapping Service
Authentication Mechanism Agnostic
OGSA Certificate Validation ServiceOGSA-Kerberos Services
Pluggable Session Security
GSSAPI-SecureConversation
Pluggable Authorization Service
OGSA-Authorization Service
Roadmap: Proposed Specs. (1)
www.ggf.org
Category Specifications
Authorization Policy Management
Coarse-grained Authorization Policy ManagementFine-grained Authorization Policy Management
Trust Policy Management
OGSA Trust Service
Privacy Policy Management
Privacy Policy Framework
VO Policy Management
VO Policy Service
Delegation Identity Assertion ProfileCapability Assertion Profile
Proposed Specs. (2)Roadmap: Proposed Specs. (2)
www.ggf.org
Category Specifications
Firewall Friendly OGSA Firewall Interoperability
Security Policy Expression and Exchange
Grid Service Reference and Service Data Security Policy Decoration
Secure Service Operation
Secure Service’s Policy and ProcessingService Data Access Control
Audit and Secure Logging
OGSA Audit ServiceOGSA Audit Policy Management
Proposed Specs. (3)Roadmap: Proposed Specs. (3)
www.ggf.org
Web Services Security Progress Since GGF6 (Oct 2002)
• Dec 18, 2002: WS-Policy, WS-PolicyAttachment, WS-PolicyAssertions, WS-SecurityPolicy, WS-Trust, WS-SecureConversation from IBM-MSFT
WS-Policy 1.1 et. al. May 28
• July 2003: WS-Federation• OASIS WS SEC docs for public review (Sept 9)
SOAP Message Security, Username Token Profile, X.509 Cert Token Profile
• XACML ratified as OASIS Open Standard• SAML v1.1 (Sept, 2003)• WS-I creates Basic Profiles for Web Services
www.ggf.org
OGSA SEC WG progress(?) since Oct 2002
•Need to let non-GGF activities progress….
(AW: this is a tacit acknowledgement that there has been no progress since 1st WG Meeting- Oct 2002)
•Focus is on Authorization (OGSA AuthZ WG)
•OGSA SEC WG is “idle” at the moment= hibernating now
•How to get the OGSA SEC WG active again?
•Should they consider IEEE 802.1 Link Sec?
www.ggf.org
AW: What is missing/ wrong?
1. Dependence on a set of WS consortium specs for Security protocols. Only one of those has been Worked in OASIS; others may never be submitted toan open standards body for peer review and approval
2. What if Grid data types are not compatible with WS encoding format (SOAP/XML messages)? For example: floating point numbers, binary data, medicalimages, real time video, storage area network data, etc
3. No consideration of when to use IP Sec, SSL, IEEE802.1x, or even knowledge of IEEE 802.1 Link Security
4. No assumptions as to whether the LAN/MAN link, which connects servers, is secure or has been authenticated.
www.ggf.org
How to get Link Sec->OGSA Sec WG?
•Objective: Include 802.1 Link Sec in WG “Bindings Security” (see OGSA Security Components slide) as 1st
layer of transport (below IP and WS bindings- HTTP, SMTTP, MIME, etc). Defer on IPSec and SSL.Security Components•How to do this? [Assuming WG goes into active mode] - Could establish a liaison between IEEE 802 and GGF - Convey IEEE 802.1 position on need to consider LinkSec in Grid network environment•Individuals may participate in GGF WGs at no charge - Join email reflector and create a new thread(s) - Participate in conference calls and interim meetings•Grid Forge web site will get you to all GGF WGs http://forge.gridforum.org/
Recommended