TNC 2008 / Short Lived Credential Service Implementation Based on National AAI

Emir Imamagic, Dobrisa Dobrenic, Miroslav Milinovic (SRCE)
Miroslav Popovic (FER)

Terena Networking Conference 2008



Overview

- Motivation
- Short Lived Certificate Service
- AAI@EduHr
- OpenCA
- SLCS architecture
  - OpenCA extensions
  - RA application
- CRO NGI
- Future work
- Conclusions


Motivation

- X509 certificates issues for end-users
  - identity validation process
  - heavy maintenance
  - user’s mobility
- Many organizations and countries have established their own AAI


Short Lived Credential Service

- Short-term certificate based on existing Identity Management System
  - automatic identity validation
  - lifetime – 1 million seconds (approx. 11 days)
- International Grid Trust Federation (IGTF) profile
- Bridge between AAIs and X509 certificates
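
A relying-party check for the lifetime limit on this slide, as an added example that is not part of the original presentation: it parses the output of `openssl x509 -noout -dates` and flags any certificate valid for more than 1,000,000 seconds. The sample date strings are constructed and the function names are illustrative.

```python
import ssl

SLCS_MAX_LIFETIME_S = 1_000_000  # lifetime limit quoted on the slide

# Constructed samples in the format printed by `openssl x509 -noout -dates`.
SAMPLE_SLCS = "notBefore=Jun  1 00:00:00 2008 GMT\nnotAfter=Jun 12 13:46:40 2008 GMT\n"
SAMPLE_LONG = "notBefore=Jun  1 00:00:00 2008 GMT\nnotAfter=Jun  1 00:00:00 2009 GMT\n"


def parse_openssl_dates(text):
    """Return (not_before, not_after) as epoch seconds from `-dates` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form.
            fields[key] = ssl.cert_time_to_seconds(value.strip())
    missing = {"notBefore", "notAfter"} - fields.keys()
    if missing:
        raise ValueError(f"missing field(s): {sorted(missing)}")
    return fields["notBefore"], fields["notAfter"]


def check_slcs_lifetime(text, max_lifetime=SLCS_MAX_LIFETIME_S):
    """Return (ok, lifetime_seconds, reason) for one certificate's validity window."""
    not_before, not_after = parse_openssl_dates(text)
    lifetime = not_after - not_before
    if lifetime <= 0:
        return False, lifetime, "notAfter is not later than notBefore"
    if lifetime > max_lifetime:
        return False, lifetime, f"lifetime exceeds limit by {lifetime - max_lifetime} s"
    return True, lifetime, "within SLCS lifetime limit"


if __name__ == "__main__":
    for name, sample in (("short-lived", SAMPLE_SLCS), ("long-lived", SAMPLE_LONG)):
        print(name, check_slcs_lifetime(sample))
```
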


AAI@EduHR

- Croatian national academic AAI federation
- Distributed LDAP directories
- Several authentication mechanisms
  - LDAP
  - RADIUS
  - web service (HTTPS/SOAP)
- Federation Web Service (FWS)
  - web service interface


OpenCA

- Certificate Authority (CA) framework
- Open source
- Features
  - web interface
  - database backend
  - Hardware Security Module (HSM) support


SLCS Architecture

[Figure: SLCS architecture diagram. Components: User, OpenCA Public, OpenCA CA, AAI@EduHr FWS, RA Application (WS). Labelled interactions: Register, Get certificate, AuthN & Get attributes, AuthZ, Issue certificate.]


OpenCA Extensions

- Public component extensions
  - FWS-based authentication
  - certificate request generation (FWS & RA Application)
  - interaction with CA component extension
- CA component extension
  - automatic certificate issuing
  - SSL-based communication with Public


RA Application

- Registration Authority (RA)
  - performs users authorization
- Web interface
  - user request submission
  - RA management interfaces
- Web service interface
  - integration with public component


CRO NGI

- Croatian National Grid Infrastructure
  - coordinated by SRCE
  - permanent part in state budget
- Available for research and academia
- Grid middleware
  - Globus Toolkit 2 & 4
  - based on X509 certificates
- Use case for SLCS


Future Work

- IGTF accreditation
  - Short Lived Credential Services Authentication profile
- Command line interface
  - enable retrieval from grid UIs
- MICS implementation
  - long-lived certificates
  - relevant for long running applications


Conclusions

- X509 certificates heavyweight for average users
- Organizational & national AAIs
  - handle large number of users
  - users are familiar with them
- SLCS important for wide adoption of X509-based infrastructures


Thank You!

Questions?