Open Grid Forum
Levels of Authentication Assurance Research Group (LOA-RG)
Group Information
Group Type: Research Group
Group Chair(s): Ning Zhang, Yoshio Tanaka
 
Group Description
The LoA Research Group (LoA-RG) is aimed at investigating use case scenarios in the e-Science/Grid contexts, and identifying gaps in applying existing LoA definitions to such contexts.

Robust authentication and authorisation services are key to the deployment of a secure virtual organisation (VO) environment, where students, researchers and staff with different roles and responsibilities, from different institutions, are expected to share resources distributed across the Internet with components administered locally and independently. Authentication is the first line of defence in any secure system, and it is particularly important in VO environments, where it plays a critical role in the provision of a number of essential security services, including authorisation, auditing and accounting.
 
Group Focus and Scope
The focus of the LoA-RG is defined by the following two proposed documents.
Other standards bodies, such as NIST and ETSI, define LoA criteria and specific LoA reference standards, but do not concern themselves with grid-specific use cases. In particular, the impact of indirect transmission of authentication assertions (through services or user proxies) is not dealt with there. This group will clarify the gaps that separate current LoA definitions and criteria from the grid use cases, and how to address these gaps. In detail:
- The LoA-RG tackles the issues related to defining the criteria for assurance assessment, and the identification of gaps between the criteria defined by other standards bodies (in particular NIST, ETSI and EU standards) and the relevant grid use cases for (identity) assertions.
- The LoA-RG will NOT pursue the conveyance of LoA assertions in authentication protocols, or the technical consumption of such assertions by software. These topics are within the remit of the OGSA-AuthN-WG (proposed).
- The LoA-RG will NOT pursue the definition of identity levels and policies, or the implementation thereof. These topics are within the remit of the grid participants, their management, regulatory bodies and coordinating groups (CAOPS-WG, IGTF, InCommon, etc.).
- The LoA-RG will NOT define any standards or recommendations under this charter.

Background:
There are various methods that can be used to achieve entity identification and authentication, and different methods provide different Levels of Authentication Assurance (LoA), or quality of authentication. A LoA reflects the degree of confidence in identifying the entity to which the credential was issued, and the degree of confidence that the entity using the credential is indeed the entity to which it was issued. All the processes and steps associated with an authentication instance influence the LoA. These include:
- the processes of identity vetting and credential issuance, during which an entity is registered with a Registration Authority (RA) and is issued with a credential that binds the entity's identity to an authentication token issued by a Credential Service Provider (CSP) associated with the RA;
- the type of authentication token used for proving the identity (e.g. a cryptographic key, a username/password pair, an IP address, or a proxy credential);
- how the tokens are stored (on a smart card, inside a web browser, or in an on-line repository); and
- the strength of the authentication protocols/methods used by the underlying authentication service.
Furthermore, a LoA is also influenced by the manner in which a claimed identity is bound to an authentication credential, the life cycle management of the credential, whether the CSP has sufficient operating procedures, processes and policy frameworks to establish the required level of trust, and the extent to which an authentication event is coupled to an authorisation event.
As more and more diverse resources are incorporated into Internet-based VO environments, and as more and more institutions join to form various federations, service providers (e.g. government agencies, financial and higher educational institutions, commercial organisations, health care providers, and third party data providers) may manage resources (including data, systems and services) with varying levels of sensitivity and face different levels of risk. The current certificate-based "one-method-fits-all" authentication method is no longer adequate for such diverse VO environments. Ideally, resources with a higher sensitivity level and/or managed in an environment with a higher risk level are better served by an authentication solution with a higher level of assurance, and vice versa. With this risk-based authentication approach, an SP may specify a minimum LoA depending upon the resource sensitivity and/or risk level, and require that access be granted only if the LoA derived from an authentication instance satisfies that minimum LoA.
Earlier efforts in defining LoA were made by the UK/US governments in their e-Government Initiatives, and as a result the US Government and NIST (US National Institute of Standards and Technology) produced a set of operational and technical guidelines on e-Authentication LoA in the context of the e-Government Federation [M-04-04, NIST06] (hereafter referred to as the e-Authentication Federation). However, these guidelines apply only to the use case scenario where remote human users are authenticated to IT systems; they do not cover the dimensions or factors introduced by VO/Grid contexts.
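The risk-based check sketched above, as an added illustration that is not LoA-RG or OGF code: the factors named in the Background (identity vetting, token type, token storage, protocol strength) are each scored, the effective LoA is bounded by the weakest factor, and the SP grants access only if it meets the minimum for the resource's sensitivity class. All scores, the weakest-link rule, the per-hop penalty for indirect (proxy) transmission and the sensitivity policy are constructed assumptions for the example, not values taken from NIST or any other standard.

```python
from dataclasses import dataclass

# Constructed assumption: each factor from the Background is scored 1 (lowest) to 4.
VETTING = {"self-asserted": 1, "remote-document": 2, "in-person": 3, "in-person+background": 4}
TOKEN = {"ip-address": 1, "password": 2, "proxy-credential": 2, "software-key": 3, "hardware-key": 4}
STORAGE = {"online-repository": 1, "web-browser": 2, "encrypted-file": 3, "smart-card": 4}
PROTOCOL = {"plaintext": 1, "challenge-response": 2, "tls-client-auth": 3, "tls-client-auth+mfa": 4}

# Constructed SP policy: minimum LoA per resource sensitivity class.
MIN_LOA = {"public": 1, "internal": 2, "confidential": 3, "clinical": 4}


@dataclass(frozen=True)
class AuthInstance:
    """One authentication event as seen by the service provider (SP)."""
    vetting: str
    token: str
    storage: str
    protocol: str
    delegation_hops: int = 0  # assertions relayed via user proxies or intermediate services


def derive_loa(inst: AuthInstance) -> int:
    """Effective LoA of an authentication instance.

    Weakest-link rule (constructed): a strong token stored in a browser, or a
    hardware key issued after self-asserted vetting, is only as good as the
    weakest factor. Each proxy hop then lowers the level by one, because the SP
    never observed the original authentication itself; this is a placeholder
    rule marking exactly the gap the charter says existing LoA standards leave open.
    """
    level = min(VETTING[inst.vetting], TOKEN[inst.token],
                STORAGE[inst.storage], PROTOCOL[inst.protocol])
    return max(1, level - inst.delegation_hops)


def access_granted(inst: AuthInstance, sensitivity: str) -> bool:
    """SP decision: grant only if the derived LoA meets the resource's minimum."""
    return derive_loa(inst) >= MIN_LOA[sensitivity]


if __name__ == "__main__":
    # Constructed sample: in-person vetted hardware key, but plain TLS client auth.
    direct = AuthInstance("in-person", "hardware-key", "smart-card", "tls-client-auth")
    # Constructed sample: the same user reaching the SP through one grid proxy
    # with a proxy credential kept in an on-line repository.
    proxied = AuthInstance("in-person", "proxy-credential", "online-repository",
                           "tls-client-auth", delegation_hops=1)
    for name, inst in (("direct", direct), ("proxied", proxied)):
        print(name, derive_loa(inst), access_granted(inst, "confidential"))
```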
 
Group Links