1 / 15

PAPI 2 Distributed trust model and AA interoperability

PAPI 2 Distributed trust model and AA interoperability. Elements for the new version. New platforms Convergence to other solutions A distributed trust model. PoA. PoA. PoA. PoA. ?. ?. New Platforms. IIS. Apache. Squid. Other. PAPI library. 302+data. GPoA. PoA. 302+ Hcook.

hayes
Download Presentation

PAPI 2 Distributed trust model and AA interoperability

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PAPI 2Distributed trust model and AA interoperability

  2. Elements for the new version • New platforms • Convergence to other solutions • A distributed trust model

  3. PoA PoA PoA PoA ? ? New Platforms IIS Apache Squid Other PAPI library

  4. 302+data GPoA PoA 302+ Hcook A Little Review PAPI AS tokens Authentication Browser Hcook- Lcook GPoA Hcook- LcookPoA

  5. PoA PoA PoA PoA PoA A Little Review University Departments Servers Same policy  Simplifies management • There is one aggregator for all the hierarchy • It is not necessary to notify about new PoAs XChildren have the same policy than their parent • New access control policies are needed

  6. More functionality for the model • More information to control the access • Attributes • Off-line • On-line • Offline solution -> Privacy problem • Online solution -> online element serving the attributes

  7. Attributes Temporary Signed-URLs Authentication data Attributes? Point of Access Signed-URL Encry-cookie Attribute Authority: Aproximation to the Shibboleth model Authentication Server Attr. Auth Web browser Encry-cookies

  8. Attributes Temporary Signed-URLs Authentication data Attributes? Shar Shire R.M. PAPI - Shibboleth models Authentication Server Attr. Auth Signed-URL Web browser PoA Encry-cookies Encry-cookie

  9. Interoperability • Starting to define a interoperability scenarios: PAPI - Shibboleth • Interoperability aspects: • Protocol between SHAR and AA = SAML (syntax and semantics) -> openSAML • PoA should be able to manage Shibboleth user handles and interact with WAYF elements • Trust model

  10. PAPI - Trust model • Two components • Horizontal trust: between ASes and target sites • Vertical trust: between PoAs of a organization • Requirements of the model • Easy to manage • Not centralized • Not TTP (third trust party) • Not dedicated staff to manage it • Avoid revocations

  11. SC3 (Attributes ?) SAA(KC3 (Attributes)) SC4 (Attributes ?) SAA(KC4 (Attributes)) Trust model AS AA1 PoA1 C1: Cert PoA1 AS AA2 PoA2 PoA C1: Cert PoA1 PoA3 AS AA3 C3: SPoA1(Cert PoA3) C2: Cert PoA2 C4: SPoA2(Cert PoA3) Pub keys of AAs

  12. Pub key of PoA2 Pub key of PoA3 Sign request PoA3 Some managment examples: New PoA in the fabric AA1 PoA1 Cert PoA1 PoA2 AA2 Cert PoA2 SPoA1(Cert PoA3) + SPoA2(Cert PoA3) + Pubs of AAs

  13. Pub key of AA Cert of PoA1 Some managment examples: New AA in the fabric AA1 PoA1 Cert of PoA1 PoA2 AA2 Cert of PoA1 PoA3 Pub key of new AA SPoA1(Cert PoA3)

  14. Pub key of PoA1 Pub key of PoA1 Resign needed Sign request Some management examples: New keys in a trusted PoA AA PoA1 Cert PoA1 PoA2 PoA3 SPoA1(Cert PoA3) Pub keys of AAs

  15. Current status • Core library available • Openssl • Libxml • Xmlsec • Implementations running on IIS and Apache • Ready for interoperability tests with Shibboleth • Implementing and evaluating the trust model

More Related