draft-ggf-ogsa-sec-roadmap-01.doc

A number of the OGSA security specifications proposed in this roadmap will specify an OGSA service. In the scope of this document an OGSA service is defined as the WSDL defining a serviceType as defined in [OGSA spec], together with the semantics for a service implementing that serviceType.

4.1. Naming

The OGSA Security Architecture document defines a number of requirements that demand that OGSA be able to assign names to users, services, groups, attributes, and actions (methods). In particular:

Authorization enforcement: It is expected that most policy evaluation implementations will require names for the requestor, the service provider, their attributes, the requested action, etc., in order to perform the evaluation. In order to create a standard interface to arbitrary policy evaluation services for use by OGSA services, the forms of these names need to be standardized. In addition, to ensure that policy evaluation is done correctly, names must be unique across different realms.

Attribute binding: Attributes are often bound to an entity via the name of the entity. Since the binding can be done by one entity and then evaluated by a different entity, possibly in a different realm, the method for expressing names needs to be consistent.

Auditing: The names of entities and actions, in particular, will often be put into audit logs. Since the entity doing the logging may be different from the entity parsing the audit log, the method for expressing names needs to be consistent.

While in many cases an existing mechanism will provide a name (in particular, users and services will have identities from their authentication credentials), it must be specified how the name from the mechanism should be canonicalized for use in OGSA.

Recall that OGSA allows for the dynamic creation of stateful transient services. This capability introduces another challenge. Service requestors must be able to establish trust in these transient services, since they will potentially send them sensitive data or delegate credentials to them as part of a request. Thus, these services need unique, assertable identities so that requestors can make authorization decisions based on the identity itself and/or on attributes that are associated with the identity.

We propose four specifications to address the naming requirements discussed: one for the naming of entities, one for naming targets or actions on OGSA services, one for naming attributes and groups, and one for the naming of transient services.
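The naming requirements above (a canonical form for credential-derived names, uniqueness across realms, consistent names shared between the binder of an attribute, the policy evaluator and the audit-log parser, and unique identities for transient service instances) are easiest to see in code. The following is an added illustration, not code from the roadmap or from any OGSA implementation: the `realm:kind:name` form, the DN normalisation rules, the realm names and the sample policy are all assumptions made for this example.

```python
"""
Canonical, realm-qualified names for OGSA-style policy evaluation, attribute
binding and auditing.  Added illustration, not the OGSA naming specification:
the 'realm:kind:name' form, the DN normalisation rules and the sample policy
are assumptions chosen for this example.
"""
import re
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

KINDS = {"entity", "action", "attribute", "group"}


def canonical_dn(dn: str) -> str:
    """Normalise an X.509-style distinguished name so that two spellings of
    the same name compare equal: split on unescaped commas, drop whitespace
    around '=' and ',', lower-case attribute types, keep RDN order (order is
    part of the name).  Attribute values are left untouched."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        typ, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append(f"{typ.strip().lower()}={val.strip()}")
    return ",".join(parts)


def canonical_name(realm: str, kind: str, mechanism_name: str) -> str:
    """Realm-qualified name.  The realm (e.g. the issuing CA or the hosting
    environment) makes names unique across realms; 'kind' separates the
    entity, action, attribute and group namespaces so that a group called
    'admin' can never collide with an attribute called 'admin'."""
    if kind not in KINDS:
        raise ValueError(f"unknown name kind: {kind}")
    if "=" in mechanism_name:
        local = canonical_dn(mechanism_name)   # credential-derived DN
    else:
        local = mechanism_name.strip().lower()  # simple token, e.g. an action
    return f"{realm.strip().lower()}:{kind}:{local}"


def transient_service_name(realm: str, service_type: str,
                           instance_id: Optional[str] = None) -> str:
    """Unique, assertable name for a dynamically created service instance:
    the service type plus an unguessable instance id, so two instances
    created by the same factory never share a name."""
    instance = instance_id or uuid.uuid4().hex
    return canonical_name(realm, "entity", f"{service_type}#{instance}")


@dataclass(frozen=True)
class Rule:
    requestor: str                            # canonical entity name
    provider: str                             # canonical entity name
    action: str                               # canonical action name
    required_attribute: Optional[str] = None  # canonical attribute name


def authorize(policy: List[Rule], bindings: Dict[str, Set[str]],
              requestor: str, provider: str, action: str) -> bool:
    """Policy evaluation over canonical names only.  'bindings' maps an
    entity name to the attributes bound to it, possibly by another realm."""
    for rule in policy:
        if (rule.requestor, rule.provider, rule.action) != (requestor, provider, action):
            continue
        if rule.required_attribute is None or \
                rule.required_attribute in bindings.get(requestor, set()):
            return True
    return False


def audit_record(requestor: str, provider: str, action: str, allowed: bool) -> str:
    """Audit line built from the same canonical names, so a parser in a
    different realm can correlate it with the policy and the bindings."""
    decision = "allow" if allowed else "deny"
    return f"requestor={requestor} provider={provider} action={action} decision={decision}"


def run_example() -> Tuple[bool, bool, str]:
    """Constructed scenario (assumed realms and names): a user authenticated by
    the CA realm 'ca.example.org' asks 'JobFactory' in realm 'grid.example.org'
    to run createJob.  The attribute authority in 'vo.example.org' bound the
    required attribute using a differently formatted spelling of the same DN."""
    user = canonical_name("ca.example.org", "entity", "C=US, O=Globus, CN=Jane Doe")
    factory = canonical_name("grid.example.org", "entity", "JobFactory")
    create = canonical_name("grid.example.org", "action", "JobFactory/createJob")
    member = canonical_name("vo.example.org", "attribute", "ProjectMember")

    bindings = {
        canonical_name("CA.EXAMPLE.ORG", "entity", "c=US ,o = Globus, cn=Jane Doe"): {member},
    }
    policy = [Rule(user, factory, create, required_attribute=member)]

    allowed = authorize(policy, bindings, user, factory, create)
    # The same DN issued by a different realm is a different entity and must not match.
    impostor = canonical_name("other.example.org", "entity", "C=US, O=Globus, CN=Jane Doe")
    denied = authorize(policy, bindings, impostor, factory, create)
    return allowed, denied, audit_record(user, factory, create, allowed)


if __name__ == "__main__":
    print(run_example())
```

The point of the example is the failure mode the text warns about: if the attribute authority and the policy evaluator each used the raw string from the credential, the binding made with `c=US ,o = Globus, cn=Jane Doe` would never match the request made as `C=US, O=Globus, CN=Jane Doe`, and a DN re-issued by a different CA would be indistinguishable from the original. Realm qualification and a single canonicalization routine applied at both ends close both gaps; the audit line carries the same names so it can be matched back to the policy later.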
GWD-I ( draft-ggf-ogsa-sec-roadmap-01 ) Revised 6/14/2018

4.1.1. OGSA Identity Specification

Names for OGSA entities (users or services) are required for all requirements listed above. Authorization enforcement will require names for the entities (users or services) involved in the request, the requestor and the service provider. Auditing will require names for the entity in the audit log. And attribute binding will need names for the entity to which the attribute is being bound. Because of this, a standard means for naming