Open Grid Forum

OGF Active Groups

Security


Area Director: Jens G Jensen

The Security Area is concerned with technical and operational security issues in Grid environments, including authentication, authorization, privacy, confidentiality, auditing, firewalls, trust establishment, policy establishment, and dynamics, scalability and management aspects of all of the above.
 
 
Certificate Authority Operations WG (CAOPS-WG)
Group Information
Group Type: Working Group
Group Secretary(s): Jim Basney
 
Group Description
The purpose of the Certificate Authority Operations (CAOPS) Working Group is to develop operational procedures and guidelines that facilitate the use of X.509 and other technologies for cross-grid authentication.
 
Group Links
 
 
FedSec Community Group (FEDSEC-CG)
Group Information
Group Type: Working Group
 
Group Description
Promote the use of existing infrastructures for authentication and authorisation; promote sharing experiences and best practices between projects.
 
Group Links
 
 
Firewall Issues RG (FI-RG)
Group Information
Group Type: Research Group
 
Group Description
The research group will first document the type of issues that Grid applications experience when the need arises to control data transport policy enforcement devices. Once the types of issues have been identified, the group will relate these issues to specific categories of enforcement devices.
 
Group Links
 
 
IDEL (IDEL-WG)
Group Information
Group Type: Working Group
 
Group Links
 
 
Levels of authentication Assurance Research Group (LOA-RG)
Group Information
Group Type: Working Group
 
Group Description
The LoA Research Group (LoA-RG) is aimed at investigating use case scenarios in the e-Science/Grid contexts, and identifying gaps in applying existing LoA definitions to such contexts.

Robust authentication and authorisation services are key to the deployment of a secure virtual organisation (VO) environment, in which students, researchers and staff with different roles and responsibilities from different institutions are expected to share resources distributed across the Internet, with components administered locally and independently. Authentication is the first line of defence in any secure system, and it is particularly important in VO environments, where it underpins a number of essential security services including authorisation, auditing and accounting.

 
Group Focus and Scope
The focus of the LoA-RG is defined by the following two proposed documents.
Other standards bodies, such as NIST and ETSI, define LoA criteria and specific LoA reference standards, but do not concern themselves with grid-specific use cases. In particular, the impact of indirect transmission of authentication assertions (through services or user proxies) is not dealt with there. This group will clarify the gaps that separate current LoA definitions and criteria from the grid use cases, and how to address these gaps. In detail:
- The LoA-RG tackles the issues related to defining the criteria for assurance assessment, and the identification of gaps between the criteria defined by other standards bodies (in particular NIST, ETSI and EU standards) and the relevant grid use cases for (identity) assertions.
- The LoA-RG will NOT pursue the conveyance of LoA assertions in authentication protocols, or the technical consumption of such assertions by software. These topics are within the remit of the OGSA-AuthN-WG (proposed).
- The LoA-RG will NOT pursue the definition of identity levels and policies, or the implementation thereof. These topics are within the remit of the grid participants, their management, regulatory bodies and coordinating groups (CAOPS-WG, IGTF, InCommon, etc.).
- The LoA-RG will NOT define any standards or recommendations under this charter.

Background:
There are various methods that can be used to achieve entity identification and authentication, and different methods provide different Levels of authentication Assurance (LoA), or quality of authentication. A LoA reflects the degree of confidence in identifying the entity to which the credential was issued, and the degree of confidence that the entity using the credential is indeed the entity to which it was issued. All the processes and steps associated with an authentication instance influence the LoA. These include: the processes of identity vetting and credential issuance, during which an entity is registered with a Registration Authority (RA) and issued a credential that binds the entity's identity to an authentication token issued by a Credential Service Provider (CSP) associated with the RA; the type of authentication token (e.g. a cryptographic key, a username/password pair, an IP address, or a proxy credential) used to prove the identity; how the token is stored (on a smart card, inside a web browser, or in an on-line repository); and the strength of the authentication protocols and methods used by the underlying authentication service. A LoA is further influenced by the manner in which a claimed identity is bound to an authentication credential, the life-cycle management of the credential, whether the CSP has sufficient operating procedures, processes and policy frameworks to establish the required level of trust, and the extent to which an authentication event is coupled to an authorisation event.
As more and more diverse resources are being incorporated into the Internet-based VO environments, and as more and more institutions join to form various federations, service providers (e.g. government agencies, financial and higher educational institutions, commercial organisations, health care providers, and third party data providers) may manage resources (including data, systems and services) with varying levels of sensitivity and experience different levels of risks. The current certificate-based "one-method-fits-all" authentication method is no longer adequate for the diverse VO environments. Ideally, resources with a higher sensitivity level and/or managed in an environment with a higher risk level are better served by an authentication solution with a higher level of assurance, and vice versa. With this risk-based authentication approach, an SP may specify a minimum LoA depending upon the resource sensitivity and/or risk levels, and require that the access is granted only if the LoA derived from an authentication instance satisfies the minimum LoA.
Earlier efforts to define LoA were made by the UK and US governments in their e-Government initiatives; as a result, the US Government and NIST (the US National Institute of Standards and Technology) produced a set of operational and technical guidelines on e-Authentication LoA in the context of the e-Government Federation [M-04-04, NIST06] (hereafter referred to as the e-Authentication Federation). However, these guidelines apply only to the use case in which remote human users are authenticated to IT systems; they do not cover the dimensions or factors introduced by VO/Grid contexts.
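As an added illustration of the risk-based approach described above (this is example code written for this page, not an artefact of the LoA-RG or of any OGF document), the following Python sketch scores an authentication instance on the factors the text names, composes them weakest-link, applies an assumed per-hop penalty for indirect transmission through proxies or services (the grid-specific gap the charter highlights), and lets a service provider enforce a minimum LoA per resource. The four-level scale, the per-factor scores, the factor names and the hop penalty are all assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed four-level LoA scale for this example (1 = lowest, 4 = highest). The page
# names the factors that influence LoA but fixes no numeric levels; these scores are
# illustrative, loosely modelled on the four-level NIST e-authentication scheme it cites.
VETTING = {"self-asserted": 1, "remote-documents": 2, "in-person": 3, "in-person-verified": 4}
TOKEN = {"ip-address": 1, "password": 2, "software-key": 3, "hardware-key": 4}
STORAGE = {"online-repository": 2, "browser": 2, "encrypted-file": 3, "smart-card": 4}
PROTOCOL = {"plaintext": 1, "tls-password": 2, "tls-client-cert": 3, "tls-client-cert-hw": 4}


@dataclass(frozen=True)
class AuthInstance:
    """One authentication event as seen by the service provider (SP)."""
    vetting: str         # how the RA vetted the identity at registration
    token: str           # type of authentication token presented
    storage: str         # where the token is kept
    protocol: str        # strength of the authentication protocol
    proxy_hops: int = 0  # delegation hops (user proxies / services) between user and SP


def direct_loa(a: AuthInstance) -> int:
    """Weakest-link composition: an authentication instance is no stronger than
    its weakest contributing factor."""
    return min(VETTING[a.vetting], TOKEN[a.token], STORAGE[a.storage], PROTOCOL[a.protocol])


def limiting_factors(a: AuthInstance) -> list:
    """Name the factor(s) that cap the LoA, so that an SP rejection can say why."""
    scores = {"vetting": VETTING[a.vetting], "token": TOKEN[a.token],
              "storage": STORAGE[a.storage], "protocol": PROTOCOL[a.protocol]}
    floor = min(scores.values())
    return [name for name, s in scores.items() if s == floor]


def effective_loa(a: AuthInstance, per_hop_penalty: int = 1) -> int:
    """Assumed policy for indirect transmission: each proxy/service hop between the
    authenticating entity and the SP lowers the level by per_hop_penalty, never below 1."""
    return max(1, direct_loa(a) - per_hop_penalty * a.proxy_hops)


def access_decision(resource_min_loa: int, a: AuthInstance) -> bool:
    """Risk-based rule from the text: grant only if the LoA derived from the
    authentication instance meets the minimum the SP set for the resource."""
    return effective_loa(a) >= resource_min_loa


if __name__ == "__main__":
    # Constructed sample instances.
    strong = AuthInstance("in-person", "hardware-key", "smart-card", "tls-client-cert-hw")
    weak = AuthInstance("remote-documents", "password", "browser", "tls-password")
    delegated = AuthInstance("in-person", "hardware-key", "smart-card", "tls-client-cert-hw",
                             proxy_hops=2)
    for name, inst in [("strong", strong), ("weak", weak), ("delegated", delegated)]:
        print(name, "direct", direct_loa(inst), "effective", effective_loa(inst),
              "limited by", limiting_factors(inst),
              "-> grant" if access_decision(3, inst) else "-> deny")
```

The point the delegated case makes is the one the charter raises: the same strongly vetted hardware-backed credential, once it reaches the SP through two proxy hops, no longer clears a resource that requires level 3, and the SP can report which factor (here the hop count rather than vetting) is responsible.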
 
Group Links
 
 
OGSA Authorization WG (OGSA-AUTHZ-WG)
Group Information
Group Type: Working Group
 
Group Description
The objective of the OGSA Authorization WG is to define the specifications needed to allow for basic interoperability and plug-ability of authorization components in the OGSA framework.
 
Group Links
 
 
VOMS-PROC WG (VOMS-PROC-WG)
Group Information
Group Type: Working Group
 
Group Description
The VOMS-PROC WG will provide recommendations for the interpretations of VOMS Attribute Certificates in chained identity credentials.
In particular, the working group will provide guidance on (i) determining the effective attribute set for collated VOMS attributes as presented in a hierarchical chain of identity credentials, (ii) the order in which attributes are to be interpreted, and (iii) how to determine the set of valid attributes in case one out of a bag of VOMS ACs at the same level has expired. Second, the WG will review the validation guidance given in GFD.182 and consider any necessary revisions to section 4.4 therein, in view of the proposed recommendations. Third, the WG will document the current understanding of how validation parsing rules should be applied to collated VOMS attributes when used in a SAML environment.
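To make the three questions concrete, here is an added Python example (not the WG's recommendation, and not code from VOMS or GFD.182) that models a credential chain carrying bags of VOMS attribute certificates and computes the effective FQAN set under one explicitly assumed rule set: ACs are read from the end-entity certificate outward, expired ACs are dropped individually by default, and a stricter option discards the whole bag at a level if any AC in it has expired. The data classes, the sample chain, the subject names and the rules are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class VomsAC:
    """A VOMS attribute certificate reduced to what the interpretation question needs."""
    vo: str
    fqans: Tuple[str, ...]   # Fully Qualified Attribute Names, in the order the AC lists them
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass
class ChainLevel:
    """One credential in the chain (the end-entity certificate or one proxy) plus the
    bag of VOMS ACs it carries. Constructed data; no real certificates are parsed."""
    subject: str
    acs: List[VomsAC] = field(default_factory=list)


def effective_attributes(chain: List[ChainLevel], now: datetime,
                         strict_bag: bool = False) -> Tuple[List[str], List[str]]:
    """Collate VOMS attributes across a chain. Assumed rules (illustrative only; the
    page says the WG will issue guidance on exactly these points):
      - levels are read from the end-entity certificate outward to the innermost proxy,
        so attributes granted earlier in the delegation come first;
      - within a level, ACs and their FQANs keep the order in which they appear;
      - an expired AC is dropped on its own (default) or, with strict_bag=True,
        invalidates the whole bag at that level (the conservative alternative);
      - a repeated FQAN keeps its first position and is not duplicated.
    Returns (ordered FQANs, human-readable warnings)."""
    fqans: List[str] = []
    warnings: List[str] = []
    for depth, level in enumerate(chain):
        valid = [ac for ac in level.acs if ac.valid_at(now)]
        expired = [ac for ac in level.acs if not ac.valid_at(now)]
        for ac in expired:
            warnings.append(f"level {depth} ({level.subject}): AC from VO {ac.vo} "
                            f"expired at {ac.not_after.isoformat()}")
        if expired and strict_bag:
            warnings.append(f"level {depth}: whole AC bag discarded (strict rule)")
            continue
        for ac in valid:
            for f in ac.fqans:
                if f not in fqans:
                    fqans.append(f)
    return fqans, warnings


# Fixed evaluation time so the constructed sample is reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def build_sample_chain(now: datetime) -> List[ChainLevel]:
    """Constructed sample: an EEC with one valid AC, and a proxy carrying two ACs of
    which one expired an hour before `now`."""
    day = timedelta(days=1)
    return [
        ChainLevel("/DC=example/CN=alice",
                   [VomsAC("vo.example", ("/vo.example", "/vo.example/Role=member"),
                           now - day, now + day)]),
        ChainLevel("/DC=example/CN=alice/CN=proxy",
                   [VomsAC("vo.example", ("/vo.example/Role=production",),
                           now - day, now - timedelta(hours=1)),
                    VomsAC("other.example", ("/other.example",), now - day, now + day)]),
    ]


if __name__ == "__main__":
    chain = build_sample_chain(SAMPLE_NOW)
    for strict in (False, True):
        attrs, warns = effective_attributes(chain, SAMPLE_NOW, strict_bag=strict)
        print("strict_bag =", strict, "->", attrs)
        for w in warns:
            print("  warning:", w)
```

The two runs show why question (iii) matters for authorisation: under the lenient rule the proxy still contributes the still-valid `/other.example` attribute, whereas under the strict rule an expired production-role AC in the same bag silently removes it too. Whichever rule a relying party adopts, it should surface the warnings rather than discard them, since an expired AC in a chain is exactly the condition an operator will want to see in audit logs.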
 
Group Links
