Skip to main content
SpringerLink
Log in

Towards a Unified Authentication and Authorization Infrastructure for Grid Services: Implementing an Enhanced OCSP Service Provider into GT4

  • Conference paper
Public Key Infrastructure (EuroPKI 2005)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 3545))

Included in the following conference series:

Abstract

The OGSA definition of a Grid Service as a transient, stateful and dynamically instantiated Web Service introduced new authentication and authorization requirements beyond those already established for existing Grid environments. However such design features have begun to be developed currently following a pre-Web Services approach in two aspects: in the first place making a clear separation of authentication from authorization issues, and in the second place not designing them over the OGSI/WSRF defined mechanisms and specifications. In this paper we are proposing a new Security Framework that unifies identified common points of both features, Authentication and Authorization, into a mechanism called validation policy which is expected to improve service performance and security. Our framework seeks to implement these aspects over the Grid Service’s Operations and Service Data concepts to fully exploit its functionalities. The paper also presents the integration of an enhanced OCSP Service Provider into the Globus Toolkit 3.9.4 as a first proof of concept.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Foster, I., Kesselman, C., Nick, J., Tuecke, S.: The Physiology of the Grid: An Open Grid Services Architecture for Distributed Systems Integration. Globus Project (2002), http://www.globus.org/research/papers/ogsa.pdf

  2. The WS-Resource Framework, http://www.globus.org/wsrf/

  3. Globus Toolkit Version 4 Grid Security Infrastructure: A Standards Perspective. The Globus Security Team. Version 2 (December 2004), http://www.globus.org/toolkit/docs/4.0/security/GT4-GSI-Overview.pdf

  4. Burrows, M., Abadi, M., Needham, R.M.: A Logic of Authentication. ACM Transactions on Computer Systems 8(1), 18–36 (1990); A Formal Semantics for Evaluating Cryptographic Protocols p. 14, http://citeseer.ist.psu.edu/burrows90logic.html

  5. Baker, R., Gommans, L., McNab, A., Lorch, M., Ramakrishnan, L., Sarkar, K., Thompson, M.R.: Conceptual Grid Authorization Framework and Classification. In: Global Grid Forum Working Group on Authorization Frameworks and Mechanisms (February 2003), http://www.ggf.org/Meetings/ggf7/drafts/authz01.pdf

  6. Vollbrecht, J., et al.: RFC 2904: AAA Authorization Framework (August 2000)

    Google Scholar 

  7. Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The Ponder policy specification language. In: Sloman, M. (ed.) Proc. of Policy Worshop, Bristol UK (January 2001), http://citeseer.ist.psu.edu/damianou01ponder.html

  8. Welch, V., et al.: Use of SAML for OGSA Authorization. In: OGSA-Security Working Group, Global Grid Forum. Working document (February 2003), http://www.cs.virginia.edu/~humphrey/ogsa-sec-wg/

  9. Pearlman, L., et al.: A Community Authorization Service for Group Collaboration. In: Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY 2002). IEEE Computer Society, Los Alamitos (2002)

    Google Scholar 

  10. Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V1.1. OASIS Security Services Technical Committee. Version 1.1 (September 2003), http://www.oasis-open.org/committees/security/

  11. Welch, V., et al.: OGSA Authorization Requirements. In: OGSA-Authorization Working Group, Global Grid Forum. Working document (June 2003), https://forge.gridforum.org/projects/ogsa-authz/document/

  12. Cruellas, J.C., et al.: OASIS: DSS Profiles Discussion Document. Working Draft 02 (February 2004), http://www.oasis-open.org/committees/dss/

  13. ETSI TR 102 041: Electronic Signatures and Infrastructures (ESI); Signature Policies Report. ETSI ESI group. Version 1.1.1 (February 2002), http://portal.etsi.org/esi/el-sign.asp

  14. CertiVeR: Certificate Revocation and Validation Service, http://www.certiver.com

  15. von Laszewski, G., Foster, I., Gawor, J., Lane, P.: A Java Commodity Grid Kit. Concurrency and Computation: Practice and Experience 13(8-9), 643–662 (2001), http://www.cogkit.org/

  16. Thompson, M., Essiari, A., Mudumbai, S.: Certificate-based Authorization Policy in a PKI Environment. ACM Transactions on Information and System Security (TISSEC) 6(4), 566–588 (2003), http://dsd.lbl.gov/security/Akenti/Papers/

  17. Thompson, M., et al.: Distributed Security Architectures – Providing security services for Grids. Working Document (March 2004), http://dsd.lbl.gov/security/SciDac-DistSec-2pager04.pdf

  18. Chadwick, D., Otenko, A.: The PERMIS X.509 Role based privilege management infrastructure. In: 7th ACM Symposium on Access Control Models and Technologies (SACMAT 2002) (June 2002), http://www.acm.org/sigs/sigsac/sacmat

  19. Sinnott, R.O., Stell, A.J., Chadwick, D.W., Otenko, O.: Experiences of Applying Advanced Grid Authorisation Infrastructures. In: Accepted for the European Grid Conference (EGC 2005), Science Park Amsterdam, The Netherlands, February 14-16 (2005), http://labserv.nesc.gla.ac.uk/projects/dyvose/publicity/eGridFinalv4.pdf

  20. Carmody, S.: Shibboleth Overview and requirements. Shibboleth Working Group Overview and Requirements Document (February 2001), http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html

  21. GridShib: A Policy Controlled Attribute Framework, http://grid.ncsa.uiuc.edu/GridShib/

  22. Cardea: Dynamic Access Control in Distributed Systems. NASA Advanced Supercomputing Division. Technical Report (November 2003), http://www.nas.nasa.gov/News/Techreports/2003/PDF/nas-03-020.pdf

  23. Moses, T., et al.: OASIS eXtensible Access Control Markup Language (XACML) 2.0. Committee Draft 4 (December 2004), http://www.oasis-open.org/committees/xacml/

  24. Alfieri, R., et al.: VOMS, an Authorization System for Virtual Organizations. In: Presented at the 1st European Across Grids Conference, Santiago de Compostela, Spain (February 2003), http://infnforge.cnaf.infn.it/voms/VOMS-Santiago.pdf

  25. OCSP Requirements for Grids. Global Grid Forum, CA Operations Work Group. Working Document (February 2005), https://forge.gridforum.org/projects/caops-wg

  26. ETSI TR 102 038: Electronic Signatures and Infrastructures (ESI); XML format for signature policies. ETSI ESI group. Version 1.1.1 (April 2002), http://portal.etsi.org/esi/el-sign.asp

Download references

Author information

Authors and Affiliations

  1. Computer Architecture Department, Polytechnic University of Catalonia, Jordi Girona 1-3, 08034, Barcelona, Spain

    Jesus Luna & Manel Medina

  2. CertiVeR, Technical Director, Diputacion 238, 08007, Barcelona, Spain

    Oscar Manso

Authors
  1. Jesus Luna
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Manel Medina
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Oscar Manso
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Computing Laboratory, University of Kent, UK

    David Chadwick

  2. The Computing Laboratory, University of Kent, CT2 7NF, Canterbury, UK

    Gansen Zhao

Rights and permissions

Reprints and permissions

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Luna, J., Medina, M., Manso, O. (2005). Towards a Unified Authentication and Authorization Infrastructure for Grid Services: Implementing an Enhanced OCSP Service Provider into GT4. In: Chadwick, D., Zhao, G. (eds) Public Key Infrastructure. EuroPKI 2005. Lecture Notes in Computer Science, vol 3545. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11533733_3

Download citation

  • DOI: https://doi.org/10.1007/11533733_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-28062-0

  • Online ISBN: 978-3-540-31585-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation