
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans


Presentation Transcript


  1. Generic AAA model in Grids
  IRTF - AAAARCH meeting, IETF 52 – Dec 14th, Salt Lake City
  Leon Gommans, lgommans@science.uva.nl
  Advanced Internet Research Group, Informatics Institute, University of Amsterdam

  2. Goal
  • Show authorization framework concepts of RFC2904 applied to the Grid (at FL300)
  • Show current implementation based on Globus Security Infrastructure (www.globus.org)
  • Show possible future authorization concepts.

  3. Grids
  • Allow individuals / institutes in science or industry to form virtual organizations so as to pool resources (computers, networks, data) and pursue a common goal.
  • Current GRID Security Infrastructure (GSI):
    • Allows access to multi-domain resources with a single sign-on
    • Allows organizations to remain in control of their resources
    • GSS-API / TLS based
  More details: http://www.globus.org/documentation/incoming/butler.pdf

  4. Use of X509 Certificates and Proxy Certificates to *:
  • Remote login and access control for "standard" services:
    • Client/server and server/client authentication
    • Authenticated and encrypted messages via GSS
    • Authenticated and encrypted streams via SSL and TLS
    • Authenticated and encrypted Web server access via https
  • Impersonate and establish (a chain of) delegation.
  *) Ref: http://archive.ncsa.uiuc.edu/General/GridForum/SWG/taxonomy.html and draft-ietf-pkix-proxy-01.txt

  5. RFC 2904 Roaming Push Model and trust relationships
  (diagram: User, Home Org with AAA server and User Admin, Service Provider with AAA server and Service Admin; a Trust Relationship exists between the User and the Home Org and between the Home Org and the Service Provider; message labels: Authorization Request, User Token, Service Request + Token, Service Ack)

  6. Globus GRID Model
  (diagram: User, Grid RA/CA and Grid Resources, each with AAA functions)
  Registration: Registration Request + Unsigned Certificate to the Grid RA/CA; result: Certificate (SN = John, Issuer = CA); the CA maintains a CRL.
  Logon sequence: Unsigned Impersonation Certificate, End Entity Private key; result: Certificate (SN = "" or ?, Altname = John / Proxy, Issuer = John) with a Proxy Private key.
  Note: Push sequence is reversed. Hybrid push/pull?
  User authorizes impersonation to enable single sign-on access to grid resources.

  7. Globus GRID Model
  (diagram: User, Grid RA/CA and Grid Resources with AAA functions; offline CA Cert Request / CA Cert between User and Grid RA/CA; offline Service Subscription process between User and Grid Resources; the resources hold a list of subjects and their authorizations (gridmapfile), e.g. John, Sue)
  • Users need to be authorized by service for access
  • Users need to register with service to enable services

  8. RFC2904 Distributed Services Model
  (diagram: John's Credentials, User, Gatekeeper (Proxy) consulting the CA('s), CRL and the list John, Sue; John Proxy Credentials passed on to Resource 1 and Resource 2; Service Domain A and Service Domain B each hold a list of global subjects and their authorizations: John, Sue and John, Dave)
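The logon path of slides 6 to 8, as an added example that is not part of the slides or of Globus code: a gatekeeper walks a proxy-certificate chain back to the end-entity certificate and a trusted CA, rejects proxies that outlive or misname their signer, checks the CRL, and only then maps the end-entity subject (never the proxy name) through a grid-mapfile to a local account. The certificate model, the integer clock, the DNs and the grid-mapfile contents are constructed; signatures are modelled as issuer/subject linkage only, and the proxy naming rule is assumed from draft-ietf-pkix-proxy / RFC 3820 rather than taken from the slides.

```python
"""Added example, not from the slides or from Globus: a structural model of the GSI
logon path of slides 6-8.  The gatekeeper walks a proxy chain back to the end-entity
certificate (EEC) and a trusted CA, then maps the EEC subject through a grid-mapfile.
Signatures are modelled only as issuer/subject linkage, not verified cryptographically."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal certificate model (constructed; validity uses an integer clock)."""
    subject: str
    issuer: str
    not_before: int
    not_after: int
    serial: str
    is_proxy: bool = False

class AuthzError(Exception):
    """Chain validation or grid-mapfile lookup rejected the request."""

def validate_chain(chain, trusted_cas, crl):
    """chain[0] is the leaf proxy presented to the gatekeeper, chain[-1] the EEC.
    Returns the EEC subject: authorization is keyed on it, never on a proxy name."""
    if not chain:
        raise AuthzError("empty chain")
    eec = chain[-1]
    if eec.is_proxy:
        raise AuthzError("chain does not end in an end-entity certificate")
    if eec.issuer not in trusted_cas:
        raise AuthzError("EEC issuer is not a trusted CA")
    if (eec.issuer, eec.serial) in crl:
        raise AuthzError("EEC is revoked")
    signer = eec
    for cert in reversed(chain[:-1]):        # EEC -> first proxy -> ... -> leaf
        if not cert.is_proxy:
            raise AuthzError("only proxy certificates may follow the EEC")
        if cert.issuer != signer.subject:
            raise AuthzError("proxy issuer does not match the signer's subject")
        # Naming rule assumed from draft-ietf-pkix-proxy / RFC 3820: the proxy
        # subject is the signer's subject plus exactly one extra CN component.
        extra = cert.subject[len(signer.subject):]
        if not cert.subject.startswith(signer.subject) or extra.count("/") != 1 \
                or not extra.startswith("/CN="):
            raise AuthzError("proxy subject is not signer subject + one CN")
        # A proxy may never be valid for longer than the credential that signed it.
        if cert.not_before < signer.not_before or cert.not_after > signer.not_after:
            raise AuthzError("proxy validity exceeds its signer's validity")
        signer = cert
    return eec.subject

def parse_gridmap(text):
    """Parse grid-mapfile lines: "<DN>" account[,account...] (the Globus format)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"'):
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        end = line.index('"', 1)
        accounts = line[end + 1:].replace(",", " ").split()
        if not accounts:
            raise ValueError(f"no local account for {line[1:end]}")
        mapping[line[1:end]] = accounts
    return mapping

def gatekeeper_authorize(chain, trusted_cas, crl, gridmap, now):
    """Validate the chain, check the presented proxy is current, map the EEC subject."""
    subject = validate_chain(chain, trusted_cas, crl)
    if not (chain[0].not_before <= now <= chain[0].not_after):
        raise AuthzError("presented proxy is not currently valid")
    accounts = gridmap.get(subject)
    if not accounts:
        raise AuthzError(f"{subject} is not in the grid-mapfile")
    return subject, accounts[0]

# Constructed sample data
CA = "/O=Grid/CN=Example CA"
JOHN = "/O=Grid/OU=Science/CN=John"
GRIDMAP_TEXT = '# constructed grid-mapfile\n"%s" john\n"/O=Grid/OU=Science/CN=Sue" sue,sue-batch\n' % JOHN
JOHN_EEC = Cert(JOHN, CA, 0, 1000, "7")
JOHN_PROXY = Cert(JOHN + "/CN=proxy", JOHN, 10, 500, "1", is_proxy=True)
DELEGATED = Cert(JOHN + "/CN=proxy/CN=proxy", JOHN + "/CN=proxy", 20, 400, "1", is_proxy=True)

def run_scenarios(now=100):
    """Return the gatekeeper's decision (mapping or rejection reason) per scenario."""
    gridmap, out = parse_gridmap(GRIDMAP_TEXT), {}
    def attempt(name, chain, crl=frozenset()):
        try:
            out[name] = gatekeeper_authorize(chain, {CA}, crl, gridmap, now)
        except AuthzError as err:
            out[name] = str(err)
    attempt("delegated_ok", [DELEGATED, JOHN_PROXY, JOHN_EEC])
    attempt("outlives_signer", [Cert(JOHN + "/CN=proxy", JOHN, 10, 5000, "2", is_proxy=True), JOHN_EEC])
    attempt("forged_name", [Cert("/O=Grid/OU=Science/CN=Sue/CN=proxy", JOHN, 10, 500, "3", is_proxy=True), JOHN_EEC])
    attempt("revoked_eec", [JOHN_PROXY, JOHN_EEC], crl={(CA, "7")})
    attempt("unmapped_subject", [Cert("/O=Grid/OU=Science/CN=Dave", CA, 0, 1000, "8")])
    return out
```

`run_scenarios()` shows the delegated chain mapping John to the local account `john`, while a proxy that tries to outlive its signer, a proxy whose name does not derive from its signer, a revoked end-entity certificate and a subject absent from the grid-mapfile are all refused. The point the slides make about the gridmapfile is visible in the code: the account lookup uses the end-entity subject recovered from the chain, so a proxy name can never be used to pick a different entry.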

  9. “Industrializing” the Grid
  • Allow commercial organizations to collaborate in an easy to use, secure and reliable fashion
    • interoperability, confidentiality, privacy, availability, integrity etc.
  • Ad hoc usage of available Grid resources needs to be converted into units that can be settled, as subscribed services do not scale.
    • resource usage, storage, digital rights etc.
  • Grid resources need procurement, with the user in the driving seat.
    • user authorizes usage up to a certain limit.

  10. Workflow
  • create a relationship with a home organization that can authorize a usage limit.
  • create a relationship with an organization that represents a community and authorizes access to and usage of resources belonging to a Virtual Organization, based on the authorized usage limit.
  • use resources based on the authorization from the Virtual Organization

  11. Roaming authorization Push Model as one of many options
  (diagram: Home Org issues a Home Authorization to the User; Community Org issues a Community Authorization to the User; the User Authorization is pushed to the Grid Service Provider, which delivers the Grid Services)
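The two-tier push flow of slides 10 and 11, as an added example that is not part of the slides and is not Globus or AAAARCH code: the home organization signs a usage limit for its user, the community organization checks that token and issues an access authorization for the Virtual Organization's resources bounded by the same limit, and the grid service provider verifies only the community token and enforces the limit across requests. Each trust relationship is modelled as an HMAC key shared between the two parties; the keys, the clock, the user name, the VO membership table and the resource names are all constructed.

```python
"""Added example (not from the slides): the two-tier roaming push model of slides 10-11
with HMAC-signed tokens.  Home org authorises a usage limit; community org turns it into
an access authorisation; the service provider checks the community token and enforces
the limit.  Each trust relationship is a shared key; keys and clock are constructed."""
import hashlib
import hmac
import json

NOW = 1_000_000                                      # constructed clock (seconds)
HOME_KEY = b"home-org<->community shared key"       # trust: community org trusts home org
COMMUNITY_KEY = b"community<->provider shared key"  # trust: provider trusts community org
VO_MEMBERS = {"john": ["compute-A", "storage-B"]}   # constructed VO membership

class AuthzError(Exception):
    pass

def _canon(payload):
    """Canonical JSON so the same payload always signs to the same tag."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def issue(key, payload):
    """Sign a payload: the token is the payload plus an HMAC-SHA256 tag."""
    return {"payload": payload, "tag": hmac.new(key, _canon(payload), hashlib.sha256).hexdigest()}

def verify(key, token, expected_issuer):
    """Check tag, issuer and expiry with the key of the trusted party; return the payload."""
    tag = hmac.new(key, _canon(token["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, token["tag"]):
        raise AuthzError("bad signature")
    payload = token["payload"]
    if payload.get("iss") != expected_issuer:
        raise AuthzError("unexpected issuer")
    if payload["exp"] <= NOW:
        raise AuthzError("token expired")
    return payload

def home_authorize(user, limit_units, lifetime=3600):
    """Step 1: the home organisation authorises a usage limit for its user."""
    return issue(HOME_KEY, {"iss": "home-org", "sub": user, "limit": limit_units, "exp": NOW + lifetime})

def community_authorize(home_token):
    """Step 2: the community organisation admits the user to VO resources, bounded by the home limit."""
    home = verify(HOME_KEY, home_token, "home-org")
    resources = VO_MEMBERS.get(home["sub"])
    if not resources:
        raise AuthzError(f"{home['sub']} is not a member of this VO")
    return issue(COMMUNITY_KEY, {"iss": "community-org", "sub": home["sub"], "limit": home["limit"],
                                 "resources": resources, "exp": home["exp"]})

class ServiceProvider:
    """Step 3: serves requests pushed together with the community token."""
    def __init__(self):
        self.used = {}                                  # units consumed per user

    def serve(self, community_token, resource, units):
        auth = verify(COMMUNITY_KEY, community_token, "community-org")
        if resource not in auth["resources"]:
            raise AuthzError(f"{resource} not authorised for {auth['sub']}")
        spent = self.used.get(auth["sub"], 0)
        if spent + units > auth["limit"]:
            raise AuthzError(f"usage limit {auth['limit']} exceeded")
        self.used[auth["sub"]] = spent + units
        return f"ack: {units} units of {resource} for {auth['sub']}"

def run_flow():
    """Exercise the flow and return the outcome (ack or rejection reason) of each step."""
    provider, out = ServiceProvider(), {}
    home_tok = home_authorize("john", 100)
    vo_tok = community_authorize(home_tok)
    out["first"] = provider.serve(vo_tok, "compute-A", 60)
    tampered = {"payload": dict(vo_tok["payload"], limit=10_000), "tag": vo_tok["tag"]}
    for name, action in (
        ("over_limit", lambda: provider.serve(vo_tok, "compute-A", 60)),
        ("wrong_resource", lambda: provider.serve(vo_tok, "compute-C", 1)),
        ("home_token_direct", lambda: provider.serve(home_tok, "compute-A", 1)),
        ("tampered_limit", lambda: provider.serve(tampered, "compute-A", 1)),
    ):
        try:
            out[name] = action()
        except AuthzError as err:
            out[name] = str(err)
    out["remaining"] = 100 - provider.used["john"]
    return out
```

`run_flow()` accepts the first request and then refuses a request that would exceed the home-authorized limit, a resource outside the VO's authorization, a home token pushed straight to the provider (the provider holds only the community key, so the trust relationship of slide 5 is enforced by key possession), and a community token whose limit was edited in transit.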

  12. Thank you
  More info: draft-ietf-pkix-proxy-01.txt, www.globus.org, www.ggf.org, www.aaaarch.org
