Attributes and VOs: Extending the UNICORE Authorisation Capabilities
Related papers
Key aspects of the UNICORE 6 security model
Future Generation Computer Systems, 2011
This paper presents the security architecture of the sixth version of the UNICORE grid middleware. The sixth iteration of UNICORE introduced a number of new security-related solutions that distinguish UNICORE from other grid middleware such as Globus, gLite or NorduGrid ARC, and these are presented in this paper. The paper discusses the low-level security: user authentication, non-repudiation control and trust delegation. UNICORE's unique approach to the challenge of trust delegation is called explicit trust delegation (ETD); discussion of this constitutes the most significant and extensive part of this paper. ETD is compared with the popular Grid Security Infrastructure (GSI). High-level security services (such as authorization services) are not described in this paper.
Extending UNICORE 5 Authentication Model by Supporting Proxy Certificate Profile Extensions
Lecture Notes in Computer Science, 2008
Authentication interoperability between the UNICORE grid middleware system and other Grid middleware systems is addressed. An approach to extending the UNICORE authentication model to support a proxy certificate (RFC3280) profile is presented. This optional feature can then be enabled based on site policy. Furthermore, the addition enables further advances related to authorization. With interoperability becoming a key issue in many production environments, extending the generality of UNICORE in this way opens up the possibility of direct and general interoperability scenarios.
An Analysis of the UNICORE Security Model
2003
Status of This Memo: This memo provides information to the Grid community. Distribution is unlimited. Document Version: 1.06. Copyright © Global Grid Forum (2003). All Rights Reserved. GFD.18, July 2003.
This document provides information about the UNICORE security model. It summarizes the current architecture of the UNICORE PKI, describes the certificate generation process and the range of application of certificates within UNICORE. A key feature of the UNICORE security model is job authentication and secure transmission of data. The security model supports both job signing and data encryption, which protects remote users against data theft and data manipulation. It also offers the HPC centers a high level of assurance against illegal usage as well as jobs containing malicious code. The focus of this document is on the UNICORE Public Key Infrastructure (PKI). It outlines the hierarchy of Certifying Authorities (CA) and Registration Authorities (RA) and describes the different kinds of certificates.
Linking Authenticating and Authorising Infrastructures in the UK NGI (SARoNGS)
The UK NGS aims to provide simple trusted access to digital services for the UK's research community, in particular but not limited to Grid and Cloud provision. To achieve this we have to satisfy conditions laid down by three types of entities: individuals, resources, and the identification and attribute authorities who vouch for them. We have to set the bar high enough to satisfy resource owners, low enough to let most legitimate users in, and yet also satisfy legal requirements. This makes it difficult if not impossible to fit one access mechanism to all stakeholders. SARoNGS was a JISC-funded technical project developed in the UK to apply a federated access model (the UK Access Management Federation for Education and Research, based upon Shibboleth) to the grid environment. It resulted in a production service supported by the UK NGI to issue grid credentials, obtain Virtual Organisation Membership Service (VOMS) assertions and place them within reach of the user, so as to provide access to these online digital services. We present the details of this service, the ways we joined the loose ends together, the remaining issues and future directions.
2021
The EOSC Architecture Working Group has assigned the AAI Task Force (AAI TF) the task of establishing a common global ecosystem for identity and access control infrastructures for the European Open Science Cloud (EOSC). Since the EOSC is part of an international environment of research and education, the principles established by the EOSC AAI subtask must be globally viable. The EOSC AAI TF has produced a set of deliverables:
- EOSC AAI First Principles & Requirements
- EOSC AAI Baseline Architecture
- EOSC AAI Federation participation guidelines (participation policy and technical framework)
- EOSC AAI Best Practises
Technical Committee: OASIS Security Services TC
2007
This specification defines an authentication context extension to the SAML 2.0 Authentication Context specification (SAMLAC) that allows providers to distinguish whether the credential by which a principal authenticates to the identity provider is known to be shared amongst a group of users or is unique to that user. Two new Authentication Context classes and associated schemas are also introduced to distinguish between these two cases. Readers should be familiar with SAMLAC before reading this document.
An advanced policy based authorisation infrastructure
2009