TAC - Poznan, 6 June 2005
Building trust with a European style
Diego R. Lopez, RedIRIS
The European way
• (Too) many states, languages, national priorities/laws/prides/…
  • Different systems and/or profiles of existing systems
  • In different degrees of maturity and deployment
• Look for agreements, even when not fully satisfactory
  • Several initiatives to fill the gaps
    • eduroam: already and successfully running!
    • GN2-JRA5: defining the architecture of an inter-federation AAI
    • TF-EMC2: refining AA-RR and initiating its schema effort, SCHAC
    • TACAR and SCS: new ways of approaching PKIs
    • The Cotswolds Group
• Importing whatever is interesting from overseas
  • Basic standards such as Shibboleth and eduPerson
• And always with a sense of style and history
  • Your humble speaker and many colleagues
eduroam
• The inter-national roaming network access service
  • Based on a hierarchy of RADIUS servers
• Institutional servers connect to root NREN servers
  • NREN servers are aggregated at the eduroam central server
[Diagram: eduroam architecture. A supplicant (guest user) connects through an authenticator (AP or switch) at Institution A; Institution A's and Institution B's RADIUS servers, each with its own user DB, reach each other over the Internet via the central RADIUS proxy server; the visited network places users on Student, Guest or Employee VLANs.]
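An added example (not from the original slides) that models the realm-based routing of the RADIUS hierarchy described above: a visited institution that does not own the user's realm proxies upward to its NREN server, the NREN either routes to a sibling institution or aggregates at the central eduroam server, which routes on the realm's national suffix down to the home NREN and home institution. The realms, NREN tables, user DB and identities are constructed sample data; only the home institution ever sees the credential and makes the decision, and unknown realms are rejected at the last proxy that cannot route them.

```python
from dataclasses import dataclass, field

# Constructed sample data: which institutional realms each NREN root server knows.
NREN_REALMS = {"pl": {"uni-a.pl", "uni-b.pl"}, "es": {"uni-c.es"}}
# Constructed sample user databases, held only at each home institution.
USER_DB = {"uni-c.es": {"alice": "s3cret"}, "uni-a.pl": {"bob": "hunter2"}}


@dataclass
class Result:
    accepted: bool
    path: list = field(default_factory=list)  # servers the request traversed


def realm_of(identity):
    # eduroam identities are "user@realm"; without a realm there is nothing to route on.
    return identity.rsplit("@", 1)[1].lower() if "@" in identity else ""


def home_check(realm, identity, password):
    # Only the home institution verifies the credential against its user DB.
    user = identity.rsplit("@", 1)[0]
    return USER_DB.get(realm, {}).get(user) == password


def authenticate(visited_realm, visited_country, identity, password):
    """Simulate one Access-Request entering at the visited institution's server."""
    realm = realm_of(identity)
    path = [f"institution:{visited_realm}"]
    if not realm:
        return Result(False, path)  # no realm: reject locally, never proxy
    if realm == visited_realm:
        return Result(home_check(realm, identity, password), path)  # local user
    # Step 1: the visited institution proxies to its national (NREN) root server.
    path.append(f"nren:{visited_country}")
    country = visited_country
    if realm not in NREN_REALMS[country]:
        # Step 2: the NREN does not know the realm; aggregate at the central
        # eduroam server, which routes on the realm's national suffix.
        path.append("central")
        country = realm.rsplit(".", 1)[-1]
        if country not in NREN_REALMS:
            return Result(False, path)  # no NREN for that country: reject at central
        path.append(f"nren:{country}")
        if realm not in NREN_REALMS[country]:
            return Result(False, path)  # home NREN has no such institution: reject
    # Step 3: the home NREN hands the request to the home institution, whose
    # Access-Accept/Reject is relayed back along the same path.
    path.append(f"institution:{realm}")
    return Result(home_check(realm, identity, password), path)
```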
eduroam: Reaching further
GÉANT2 AAI
• It is intended to be one of the basic services of the coming pan-European academic network
  • Common to all services provided by and based on the network
  • From network access, bandwidth management, etc.
  • To application access (including Grids)
• Not a substitute for existing infrastructures
  • Nation- or community-based
  • A superstructure connecting them
  • Based on (con-)federating the federations
• But able to build new federations where they do not exist
  • And directly providing AuthN/AuthZ services access through specific interfaces
GÉANT2 AAI components
• A local AAI Instance at each federation/domain/realm
  • Providing the interfaces to the federations or services in it
• Common Services
  • Home Location Service
  • Others possible: certificate verification, common diagnostics,…
• Connectors
  • Common for a federation (the Local Federation Connector)
  • Local Connectors for resources allowed to interact directly
• Service Access Points
  • In charge of adapting AAI interfaces to the (isolated) services' AA queries/responses
• Interfaces and operations
  • WS and SAML based
GEANT-2 AAI general diagram
TF-EMC2 and AA-RR
• Able to impersonate general AAI components
  • Attribute sources
  • Attribute requesters
  • Authorization engines
• Driven by profiles
  • Entity and protocol aspects
  • Attributes and values
• Protocol agnostic
  • A rule engine (defined in the profile) connects to protocol adaptors
• Applications
  • GÉANT2 AAI Connectors
  • Diagnostic tool
  • Interoperability assessment
TF-EMC2 and SCHAC
• An extension to the eduPerson schema
  • Taking into account European idiosyncrasy
• Based on a collection of national extensions so far
  • Croatia (hrEdu)
  • Finland (funetEdu)
  • France (supAnn)
  • Norway/Sweden (norEdu)
  • Poland (plEdu)
  • Spain (iris)
  • Switzerland (swissEdu)
• Common requirements have been quickly identified
  • Personal (unique) identifiers
  • Other personal attributes (citizenship, languages,…)
  • Privacy definition and entitlements
SCHAC current status
• Initial proposal being discussed
  • Release Candidate 1 for the individual attributes has been presented at the TF-EMC2 meeting on Sunday
  • Protocol neutral
    • LDAP
    • XML
• One of its main drivers is ECTS
  • The European Credit Transfer (and Accumulation) System
  • Enables students to complete their curricula across Europe
  • It has made schema harmonization key to IT practitioners in European universities
• Close cooperation between TERENA/TF-EMC2 and EUNIS
TACAR
• The TERENA Academic CA Repository
  • A PKI-based web of trust among the European academic and research community (and beyond!)
  • Built and maintained by out-of-band methods
  • Without the technical and administrative burdens of a common root CA or a bridge
  • Adopted as trust repository by the EUGridPMA
  • Endorsed by the eIRG
• Based on two basic principles
  • Keep it simple
  • Let it happen
• 22 certificates from NRENs and Grid communities
• Exploring further applications
  • From on-line verification to simpler direct trust links among PKIs
TACAR: What does it offer
• A single authoritative source for certificates and policies
  • Able to simplify maintenance procedures
• Mechanisms to extend (and strengthen) trust links
  • The Grid communities
  • Other geographical areas
• A model to experiment with
  • Lighter than a common root, simpler than a bridge
  • Distribution of certificate packages
  • Peer-review based models (a-la-EUGridPMA)
    • Qualified or not
  • PKI operation servers
  • Simplified trust exchange
  • The brand new 1SCP proposal
SCS: A novel certificate service
• Enable the use of server certificates
  • Allow the use of encrypted channels whenever necessary
  • Avoid the pop-up problem
  • And the cost associated with its avoidance
• The proposal
  • A service outsourced to a commercial provider that takes care of the root installation procedures in major browsers
  • Provided in adequate technical conditions to NRENs
  • And in reasonable economic terms
    • As flat as possible
  • Coordinated through TERENA
• Current status
  • Agreement signed by most participant NRENs
  • (Promising) conversations with several providers
The Cotswolds Group initiative
• Hosted by JISC (UK)
• Representatives invited from countries which have committed funding to a comprehensive national programme
• Attended by representatives from Australia, Finland, Netherlands, Spain, Switzerland, UK, US and CERN
• Aims:
  • to establish a framework for further international collaboration of AA systems, leading to interoperable user mechanisms, and
  • to help other countries develop similar large-scale systems
The Cotswolds Group conclusions
• Global inter-working of local/national schemes is possible
• The network peering model is relevant to extending coverage
• Set of criteria needed to judge whether to accept a candidate federation
• Production of a cookbook to describe the criteria and the selection process
• A facilitator (Secretary) of the activities of the group
• Dissemination of the results on a broad front