PAPI 2: Distributed trust model and AA interoperability


Elements for the new version

  • New platforms

  • Convergence to other solutions

  • A distributed trust model


[Diagram: four PoAs and two unidentified elements marked "?"]

New Platforms

[Diagram labels: IIS, Apache, Squid, Other; PAPI library; GPoA and PoA; "302+data" and "302+ Hcook" redirects]

A Little Review

[Diagram labels: PAPI AS; tokens; Authentication; Browser; Hcook/Lcook at the GPoA; Hcook/Lcook at the PoA; several PoAs]

A Little Review

[Diagram labels: University, Departments, Servers; same policy at every level]

Simplifies management

  • There is one aggregator for all the hierarchy

  • It is not necessary to notify about new PoAs

    Children have the same policy as their parent

  • New access control policies are needed


More functionality for the model

  • More information to control the access

    • Attributes

      • Off-line

      • On-line

    • Offline solution -> Privacy problem

    • Online solution -> online element serving the attributes


Attribute Authority: Approximation to the Shibboleth model

[Diagram labels: Authentication Server; Attr. Auth; Web browser; Point of Access; attributes; temporary Signed-URLs; authentication data; "Attributes?"; Signed-URL; Encry-cookie(s)]


PAPI - Shibboleth models

[Diagram labels: Authentication Server; Attr. Auth; Web browser; PoA; Shar; Shire; R.M.; attributes; temporary Signed-URLs; authentication data; "Attributes?"; Signed-URL; Encry-cookie(s)]


Interoperability

  • Starting to define interoperability scenarios: PAPI - Shibboleth

  • Interoperability aspects:

    • Protocol between SHAR and AA = SAML (syntax and semantics) -> openSAML

    • PoA should be able to manage Shibboleth user handles and interact with WAYF elements

    • Trust model


PAPI - Trust model

  • Two components

    • Horizontal trust: between ASes and target sites

    • Vertical trust: between PoAs of an organization

  • Requirements of the model

    • Easy to manage

    • Not centralized

      • No TTP (trusted third party)

      • Not dedicated staff to manage it

    • Avoid revocations


Trust model

[Diagram labels: AS/AA1 with PoA1 and C1: Cert PoA1; AS/AA2 with PoA2 and C2: Cert PoA2; AS/AA3 with PoA3 and C3: SPoA1(Cert PoA3), C4: SPoA2(Cert PoA3); "Pub keys of AAs"; "Pub key of PoA2"; "Pub key of PoA3"; "Sign request" from PoA3; exchanges SC3(Attributes ?) / SAA(KC3(Attributes)) and SC4(Attributes ?) / SAA(KC4(Attributes))]

Some management examples: New PoA in the fabric

[Diagram labels: AA1 with PoA1 (Cert PoA1); AA2 with PoA2 (Cert PoA2); new PoA3 receives SPoA1(Cert PoA3) + SPoA2(Cert PoA3) + Pubs of AAs]


Some management examples: New AA in the fabric

[Diagram labels: AA1 with PoA1 (Cert of PoA1); AA2 with PoA2 (Cert of PoA1); PoA3 with SPoA1(Cert PoA3); "Pub key of AA" / "Pub key of new AA"]


Some management examples: New keys in a trusted PoA

[Diagram labels: AA; PoA1 (Cert PoA1); PoA2; PoA3 with SPoA1(Cert PoA3); "Pub key of PoA1" (twice); "Pub keys of AAs"; "Resign needed"; "Sign request"]
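As an added illustration (not PAPI code), the following Python models the certificate relations in the three management slides: an AA that holds the public keys of the PoAs it trusts, a new PoA3 whose certificate is endorsed by PoA1 and PoA2 (C3 = SPoA1(Cert PoA3), C4 = SPoA2(Cert PoA3)), and a key change in PoA1 that invalidates C3 until PoA3 obtains a fresh signature. The hash-based "signature" is a constructed placeholder for the OpenSSL/xmlsec signatures the deck lists, and the class and method names are assumptions.

```python
import hashlib
from dataclasses import dataclass

def h(*parts: str) -> str:
    """Short digest used by the placeholder signature below."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]

@dataclass
class PoA:
    name: str
    key: str = "k1"  # stand-in for the PoA's current key pair

    @property
    def pub(self) -> str:  # "Pub key of PoAn" in the slides
        return h(self.name, self.key)

    @property
    def cert(self) -> str:  # "Cert PoAn": binds the PoA name to its key
        return f"{self.name}:{self.pub}"

    def sign_cert(self, other: "PoA") -> tuple:
        # S_PoAx(Cert PoAy): this PoA vouches for another PoA's certificate.
        # Placeholder signature (forgeable); real PAPI signs with OpenSSL/xmlsec.
        return (self.name, self.pub, h(self.pub, other.cert))

class AttributeAuthority:
    def __init__(self, trusted: list):
        # "Pub keys of PoAs" held directly by the AA (horizontal trust)
        self.trusted = {p.name: p.pub for p in trusted}

    def rotate(self, poa: PoA) -> None:
        # the AA learns the new key of an already trusted PoA
        self.trusted[poa.name] = poa.pub

    def accepts(self, cert: str, endorsements: list) -> bool:
        name, pub = cert.split(":")
        if self.trusted.get(name) == pub:  # directly trusted PoA
            return True
        # vertical trust: any currently trusted PoA may vouch for the cert
        return any(self.trusted.get(signer) == spub and sig == h(spub, cert)
                   for signer, spub, sig in endorsements)

def scenario() -> tuple:
    poa1, poa2, poa3 = PoA("PoA1"), PoA("PoA2"), PoA("PoA3")
    aa = AttributeAuthority([poa1, poa2])
    c3, c4 = poa1.sign_cert(poa3), poa2.sign_cert(poa3)  # new PoA in the fabric
    before = aa.accepts(poa3.cert, [c3, c4])
    poa1.key = "k2"  # new keys in a trusted PoA ...
    aa.rotate(poa1)
    stale = aa.accepts(poa3.cert, [c3])  # ... so C3 no longer verifies: resign needed
    still = aa.accepts(poa3.cert, [c4])  # C4 from PoA2 is unaffected
    resigned = aa.accepts(poa3.cert, [poa1.sign_cert(poa3)])
    return before, stale, still, resigned
```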


Current status

  • Core library available

    • OpenSSL

    • libxml

    • xmlsec

  • Implementations running on IIS and Apache

  • Ready for interoperability tests with Shibboleth

  • Implementing and evaluating the trust model

