draft-ggf-ogsa-sec-roadmap-01.doc

GWD-I (draft-ggf-ogsa-sec-roadmap-01) Revised 6/14/2018

Requestor granted: The requestor that requested the instantiation of the service instance grants it a name. This approach is essentially what occurs with proxy certificates in the 2.0 version of the Globus Toolkit.

Self-named: The instance generates its own name either using a standard UUID method or by using some other unique (or statistically unique) identifier such as a public key.

4.2. Translating between Security Realms

As described in the OGSA Security Architecture document, entities need the ability to translate between security realms—for example, to request an action at a remote service provider. This translation may lead to the entity encountering different security mechanisms, different organizations with different namespaces and trust roots, or both. To address the difficulties that arise in this context, we must define OGSA services for converting identities, names and policies between realms as well as services for converting credential formats.

4.2.1. Identity Mapping Service Specification

This specification defines an OGSA service that allows a client requestor to determine what identity mappings are allowed, by policy, for a particular pair of realms. This specification addresses a critical issue for cross-realm interoperability and is seen as an appropriate first step. This service also needs a management interface that allows appropriately authorized entities to manage this policy.

4.2.2. Generic Name Mapping Specification

This specification generalizes the previous specification to define an OGSA service for mapping any sort of defined name for groups, attributes, actions, etc.

4.2.3. Policy Mapping Service Specification

Building on the previous name mapping specification, this specification defines an OGSA service for mapping policies between security realms. This specification should consider the WS-Policy specification.

4.2.4. Credential Mapping Service Specification

This specification defines an OGSA service that enables the conversion of credentials from one security realm to another in order to enable inter-realm interoperability. It is probable that such a service would also find use as an intra-realm credential conversion service (e.g. to allow requestors to obtain credentials for different identities or rights), so this specification should seek to allow this as well. It is envisioned that this service could use the identity mapping service to help with policy decisions, though it still may require its own policy management interface.

4.3. Authentication Mechanism Agnostic

OGSA must support multiple authentication mechanisms, including Public Key Infrastructure (PKI) and Kerberos. It will be desirable for OGSA implementations to support multiple mechanisms concurrently in order to support bridging of authentication domains.
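The following is an added illustration of how the identity mapping service (4.2.1) and the credential mapping service (4.2.4) fit together; it is example code written for this page, not code from the roadmap, the GGF working group or the Globus Toolkit. It assumes a toy policy store keyed by (source realm, target realm), a management interface restricted to an assumed "admin" list, and constructed realm names, subjects and mechanism labels ("x509", "kerberos"); it also shows the intra-realm conversion case the text mentions by using the same realm as both source and target.

```python
"""Added example (not from the OGSA roadmap or any GGF/Globus code): a toy
identity-mapping service with a management interface, and a credential-mapping
service that consults it for its policy decisions. All realm names, subjects,
mechanism labels and the admin list are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


class PolicyError(Exception):
    """Raised when a requested mapping is not permitted by realm-pair policy."""


class NotAuthorized(Exception):
    """Raised when a caller may not use the policy management interface."""


@dataclass(frozen=True)
class Credential:
    realm: str      # security realm that issued the credential
    subject: str    # identity the credential names within that realm
    mechanism: str  # mechanism used by that realm (assumed labels: "x509", "kerberos")


class IdentityMappingService:
    """Answers which target-realm identities a source-realm identity may map to,
    according to policy stored per (source_realm, target_realm) pair."""

    def __init__(self, admins: Set[str]):
        self._admins = set(admins)
        # (source_realm, target_realm) -> {source_subject: {target_subject, ...}}
        self._policy: Dict[Tuple[str, str], Dict[str, Set[str]]] = {}

    # Query interface: what mappings does policy allow for this realm pair?
    def allowed_mappings(self, source_realm: str, target_realm: str, subject: str) -> FrozenSet[str]:
        return frozenset(self._policy.get((source_realm, target_realm), {}).get(subject, set()))

    # Management interface: only appropriately authorized entities may change policy.
    def add_mapping(self, caller: str, source_realm: str, target_realm: str,
                    subject: str, target_subject: str) -> None:
        self._require_admin(caller)
        pair = self._policy.setdefault((source_realm, target_realm), {})
        pair.setdefault(subject, set()).add(target_subject)

    def remove_mapping(self, caller: str, source_realm: str, target_realm: str,
                       subject: str, target_subject: str) -> bool:
        self._require_admin(caller)
        targets = self._policy.get((source_realm, target_realm), {}).get(subject)
        if not targets or target_subject not in targets:
            return False
        targets.discard(target_subject)
        return True

    def _require_admin(self, caller: str) -> None:
        if caller not in self._admins:
            raise NotAuthorized(f"{caller} may not manage identity-mapping policy")


class CredentialMappingService:
    """Converts a credential into another realm (or within the same realm),
    refusing any conversion the identity-mapping policy does not allow."""

    def __init__(self, ims: IdentityMappingService, mechanism_by_realm: Dict[str, str]):
        self._ims = ims
        self._mechanism_by_realm = mechanism_by_realm  # realm -> mechanism it issues

    def convert(self, cred: Credential, target_realm: str,
                target_subject: Optional[str] = None) -> Credential:
        allowed = self._ims.allowed_mappings(cred.realm, target_realm, cred.subject)
        if target_subject is None:
            # Without an explicit choice, only an unambiguous single mapping is accepted.
            if len(allowed) != 1:
                raise PolicyError(f"no unique mapping for {cred.subject} into {target_realm}")
            target_subject = next(iter(allowed))
        if target_subject not in allowed:
            raise PolicyError(f"{cred.subject}@{cred.realm} may not become {target_subject}@{target_realm}")
        if target_realm not in self._mechanism_by_realm:
            raise PolicyError(f"unknown target realm {target_realm}")
        return Credential(target_realm, target_subject, self._mechanism_by_realm[target_realm])


def build_demo() -> Tuple[IdentityMappingService, CredentialMappingService]:
    """Constructed scenario: realm 'lab-a' uses X.509-style credentials, realm
    'lab-b' uses Kerberos-style ones; 'sec-admin' manages the mapping policy."""
    ims = IdentityMappingService(admins={"sec-admin"})
    ims.add_mapping("sec-admin", "lab-a", "lab-b", "alice", "alice@LAB-B")
    # Intra-realm conversion uses the same policy store with source == target realm.
    ims.add_mapping("sec-admin", "lab-b", "lab-b", "alice@LAB-B", "batch-runner@LAB-B")
    cms = CredentialMappingService(ims, {"lab-a": "x509", "lab-b": "kerberos"})
    return ims, cms


if __name__ == "__main__":
    ims, cms = build_demo()
    print(cms.convert(Credential("lab-a", "alice", "x509"), "lab-b"))
```

The point the example makes is the one the roadmap draws: the credential mapping service never decides on its own which identity a credential may become; it asks the identity mapping service, whose policy is writable only through an authorized management interface, so a requestor with no mapping for the target realm gets a policy error rather than a credential.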