Globus Toolkit Security Standards Activities
Security standards specific to OGSA can be found on the OGSA Security web page.
The Globus group led the effort to design and standardize a certificate profile for Proxy Certificates, based on X.509 PKI certificates as defined in RFC 3820, for use in the Internet. The term Proxy Certificate is used to describe a certificate that is derived from, and signed by, a normal X.509 Public Key End Entity Certificate or by another Impersonation Certificate for the purpose of providing impersonation within a PKI based authentication system.
Basing this work off of prior experience with proxy certificates in the current GSI code, we drafted a document improving on our current implementation. Work on this document started in the GSI working group of the Global Grid Forum and continued in the PKIX working group of the IETF.
The highlights of this document are:
- A definition for a proxy certificate, a temporary binding of a new key pair to an existing user identity. Use of proxy certificates allow an entity to temporary delegate their rights to remote processes or resources on the Internet.
- A method for restricted rights in the proxy certificate. We define a method of carrying of an opaque policy which can be used to by relying parties for authorization decisions.
- A method of tracing delegations back to the original issuing entity.
The latest version of this document is at http://www.ietf.org/rfc/rfc3820.txt?number=3820.
RFC 2743 defines the Generic Security Service Application Program Interface (GSS-API) Version 2, Update 1 [3, 4], as an API for portably adding authentication, delegation, and message protection to distributed computing applications.
In 1997, the Globus Project (www.globus.org) introduced an implementation of GSS-API called the Grid Security Infrastructure (GSI). This implementation uses public key protocols for use in programming Grid applications  -- that is, applications that run in dynamic, inter-domain distributed computing environments. Based on this implementation, a great deal of experience has been gained on the use of GSS-API in numerous real applications and middleware toolkits. While this experience has been overwhelmingly positive, it has also led to an understanding of some deficiencies in the existing GSS-API.
This document defines extensions to the GSS-API to address these deficiencies. These extensions are:
- Credential export and import: Processes need to be able, in a controlled
and standard fashion, to export credentials to and import credentials from
other processes. This includes processes that are not written to the GSS-API.
- Delegation at any time: GSS-API only allows for delegation during
the initial context establishment, via an argument to gss_init_sec_context.
This document extends GSS-API to also allow for delegation at any time after
initial context establishment.
- Credential extensions handling: When delegating a credential, it is often useful to attach additional data, such as restriction policies, to that delegated credential which restricts its usage. This document defines extensions to the GSS-API to allow such extensions to be specified during delegation and to be extracted from a security context after authentication. However, the approach is neutral to the actual attached data.
This document captures the extensions as implemented in the Globus Toolkit. Work on refining these extensions continues in the IETF Kitten WG. We will monitor this work and consider updating our implementation when it is completed.
The latest version of this document is at http://www.ggf.org/documents/GFD.24.pdf.
The OGSA Authorization working group is defining an Open Grid Services Architecture (OGSA) authorization service based on the use of the security assertion markup language (SAML) as a format for requesting and expressing authorization assertions. Defining standard formats for these messages allows for pluggability of different authorization systems using SAML.
For up to date information, go to: https://forge.gridforum.org/projects/ogsa-authz/
The latest documents about SAML authorization in particular are available at: