+---------------------------------------------------------------------------------------+ | Publication of Endpoint Security Setup using GLUE 2.0 - Proposal of Specification | +---------------------------------------------------------------------------------------+ Context and Goal ---------------- OGF GLUE 2.0 (GFD.147) specifies that : - Grid clients communicate with grid services through endpoints modeled by the 'Endpoint' class. - This 'Endpoint' class has a 'Capability' multi-valued attribute using value listed in the open 'Capability_t' type. Extension of this 'Capability_t' type would permit the 'Capability' attribute to publish the precise security setup of the endpoint. This document is a proposal of specification for such extension. Targeted PGI requirements ------------------------- 1 http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqIS1 All grid entities (if possible) MUST be described using the GLUE model. If not possible, extensions for the GLUE model are necessary 163 http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqIS2 Each Service MUST publish its properties (Name, Type, Endpoints, ...) and the properties of its Endpoints in conformance with GLUE recommendations 4 http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqIS3 Each service MUST publish information regarding its service properties 11 http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqAA2 Each Service MUST publish the Authentication and Authorization methods accepted by its Endpoints in conformance with GLUE recommendations 17 http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqAA3.5 For Client authentication, Services must accept all following authentication methods: Full X509, X509 Proxy 28 http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqAA8 Service has to act on behalf of another identity. Services often need to delegate those Credentials to other Services. Therefore, Services MUST offer interoperable methods for Credential delegation. Proposed new possible values for 'Capability_t' Semantics Carried credentials ----------------------------------------------- --------- ------------------- security.trustedCA.IGTF Server uses IGTF list of certificate authorities security.trustedCA.InCommon Server uses InCommon as certificate authority security.authentication.ssl Server has generic SSL/TLS/X509 capabilities for authentication security.authentication.ssl.server Server is able to provide its X509 credentials to clients security.authentication.ssl.server.certificate Server is able to provide public part of its full X509 certificate Subject (DN) and Issuer security.authentication.ssl.client Server is able to authenticate client with X509 security.authentication.ssl.client.certificate Client may provide public part of full X509 certificate Subject (DN) and Issuer security.authentication.ssl.client.proxy.GSI Client may provide public part of old-style Globus proxy Subject (DN) and Issuer security.authentication.ssl.client.proxy.RFC3820 Client may provide public part of RFC-3820-compliant X509 proxy Subject (DN) and Issuer security.authentication.ws-security Server has WS-Security capabilities for authentication ??? security.authentication.ws-trust Server has WS-Trust capabilities for authentication ??? security.authentication.ws-i-bsp Server has 'WS-I Basic Security Profile' capabilities for Authn ??? security.authorization.ssl Server has generic SSL/TLS/X509 capabilities for authorization security.authorization.ssl.client Server is able to authorize client with X509 Subject (DN) and Issuer security.authorization.ssl.client.X509.must Client MUST provide X509 certificate or RFC-3820-compliant X509 proxy Subject (DN) and Issuer security.authorization.ssl.client.certificate Client may provide public part of full X509 certificate Subject (DN) and Issuer security.authorization.ssl.client.proxy.GSI Client may provide public part of old-style Globus proxy Subject (DN) and Issuer security.authorization.ssl.client.proxy.RFC3820 Client may provide public part of RFC-3820-compliant X509 proxy Subject (DN) and Issuer security.authorization.ssl.client.proxy.voms Client may provide VOMS attributes inside the proxy Subject (DN), Issuer, VOMS attributes security.authorization.ssl.client.proxy.voms.must Client MUST provide VOMS attributes inside the proxy Subject (DN), Issuer, VOMS attributes security.authorization.ssl.client.delegation Client may require delegation security.authorization.ssl.client.delegation.GSI Client may require delegation using old-style Globus proxy security.authorization.ssl.client.delegation.X509 Client may require delegation using X509 certificate or RFC-3820-compliant X509 proxy security.authorization.ssl.client.delegation.must Client MUST require delegation security.authorization.saml Client may provide SAML assertions SAML assertions security.authorization.saml.must Client MUST provide SAML assertions SAML assertions security.authorization.saml.voms Client may provide VOMS attributes as SAML assertions SAML assertions, VOMS attributes security.authorization.saml.voms.must Client MUST provide VOMS attributes as SAML assertions SAML assertions, VOMS attributes security.authorization.ws-security Server has WS-Security capabilities for authorization ??? security.authorization.ws-trust Server has WS-Trust capabilities for authorization ??? security.authorization.ws-i-bsp Server has 'WS-I Basic Security Profile' capabilities for Authz ??? +--------------------------------------------+ | Non-normative examples of Security Setup | +--------------------------------------------+ These are guesses which have to be validated. gLite WMS --------- security.trustedCA.IGTF security.authentication.ssl.server.certificate security.authentication.ssl.client.proxy.GSI security.authorization.ssl.client.proxy.GSI security.authorization.ssl.client.proxy.voms.must security.authorization.ssl.client.delegation.GSI security.authorization.ssl.client.delegation.must Unicore Execution Service ------------------------- security.trustedCA.IGTF security.authentication.ssl.server.certificate security.authentication.ssl.client.certificate security.authentication.ssl.client.proxy.RFC3820 security.authorization.ssl.client.certificate security.authorization.ssl.client.proxy.RFC3820 security.authorization.saml security.authorization.saml.voms A-REX ----- security.trustedCA.IGTF security.authentication.ssl.server.certificate security.authentication.ssl.client.certificate security.authentication.ssl.client.proxy.GSI security.authentication.ssl.client.proxy.RFC3820 security.authorization.ssl.client.certificate security.authorization.ssl.client.proxy.GSI security.authorization.ssl.client.proxy.RFC3820 security.authorization.ssl.client.proxy.voms security.authorization.ssl.client.delegation.GSI security.authorization.ssl.client.delegation.X509 Genesis II ---------- security.trustedCA.InCommon security.authentication.ws-security security.authentication.ws-trust security.authentication.ws-i-bsp security.authorization.saml security.authorization.ws-security security.authorization.ws-trust security.authorization.ws-i-bsp