150 likes | 342 Views
PAPI 2 Distributed trust model and AA interoperability. Elements for the new version. New platforms Convergence to other solutions A distributed trust model. PoA. PoA. PoA. PoA. ?. ?. New Platforms. IIS. Apache. Squid. Other. PAPI library. 302+data. GPoA. PoA. 302+ Hcook.
E N D
Elements for the new version • New platforms • Convergence to other solutions • A distributed trust model
PoA PoA PoA PoA ? ? New Platforms IIS Apache Squid Other PAPI library
302+data GPoA PoA 302+ Hcook A Little Review PAPI AS tokens Authentication Browser Hcook- Lcook GPoA Hcook- LcookPoA
PoA PoA PoA PoA PoA A Little Review University Departments Servers Same policy Simplifies management • There is one aggregator for all the hierarchy • It is not necessary to notify about new PoAs XChildren have the same policy than their parent • New access control policies are needed
More functionality for the model • More information to control the access • Attributes • Off-line • On-line • Offline solution -> Privacy problem • Online solution -> online element serving the attributes
Attributes Temporary Signed-URLs Authentication data Attributes? Point of Access Signed-URL Encry-cookie Attribute Authority: Aproximation to the Shibboleth model Authentication Server Attr. Auth Web browser Encry-cookies
Attributes Temporary Signed-URLs Authentication data Attributes? Shar Shire R.M. PAPI - Shibboleth models Authentication Server Attr. Auth Signed-URL Web browser PoA Encry-cookies Encry-cookie
Interoperability • Starting to define a interoperability scenarios: PAPI - Shibboleth • Interoperability aspects: • Protocol between SHAR and AA = SAML (syntax and semantics) -> openSAML • PoA should be able to manage Shibboleth user handles and interact with WAYF elements • Trust model
PAPI - Trust model • Two components • Horizontal trust: between ASes and target sites • Vertical trust: between PoAs of a organization • Requirements of the model • Easy to manage • Not centralized • Not TTP (third trust party) • Not dedicated staff to manage it • Avoid revocations
SC3 (Attributes ?) SAA(KC3 (Attributes)) SC4 (Attributes ?) SAA(KC4 (Attributes)) Trust model AS AA1 PoA1 C1: Cert PoA1 AS AA2 PoA2 PoA C1: Cert PoA1 PoA3 AS AA3 C3: SPoA1(Cert PoA3) C2: Cert PoA2 C4: SPoA2(Cert PoA3) Pub keys of AAs
Pub key of PoA2 Pub key of PoA3 Sign request PoA3 Some managment examples: New PoA in the fabric AA1 PoA1 Cert PoA1 PoA2 AA2 Cert PoA2 SPoA1(Cert PoA3) + SPoA2(Cert PoA3) + Pubs of AAs
Pub key of AA Cert of PoA1 Some managment examples: New AA in the fabric AA1 PoA1 Cert of PoA1 PoA2 AA2 Cert of PoA1 PoA3 Pub key of new AA SPoA1(Cert PoA3)
Pub key of PoA1 Pub key of PoA1 Resign needed Sign request Some management examples: New keys in a trusted PoA AA PoA1 Cert PoA1 PoA2 PoA3 SPoA1(Cert PoA3) Pub keys of AAs
Current status • Core library available • Openssl • Libxml • Xmlsec • Implementations running on IIS and Apache • Ready for interoperability tests with Shibboleth • Implementing and evaluating the trust model