Comparison of different security infrastructure implementations
Olle Mulmo, KTH
Before we take the next step forward…
Stop and take a breath
Look at what people have done so far
Try to compare
Be ignorant to technology details
State of the world
[Diagram: 3rd party, Orgs, RA, gateways (gw)]
Analyzed Characteristics
Underlying Assumptions
  Usage scenario
  Lifetime & scale of operations
Setup
  Trust anchors
  Commitments
Analyzed Characteristics (cont)
Registration
  Bootstrap for a resource provider
  Bootstrap for a user
Security concerns
  Local control
  Privacy
  Audit
  Acceptance
Analyzed Characteristics (cont)
Dynamics
  Setup & Registration “lightweight”?
  Adding/removing a user
  Adding/removing a member org
  Handling Lusers and Loosers
Scenarios
Unique ID & VO affiliation
Federation / gateway model
VO control + sandboxing
Unique ID & VO affiliation (#1)
[Diagram: Orgs, 3rd party, VOs, gateways (gw), RA; legend: trust; VO msg]
Unique ID & VO affiliation (#2)
[Diagram: Orgs, 3rd party, VOs, gateways (gw), RA; legend: trust; VO msg]
Unique ID & VO affiliation (#3)
[Diagram: Orgs, 3rd party, VOs, gateways (gw), RA; legend: trust; VO msg]
Unique ID & VO affiliation
Different trust sources for AuthN and AuthZ
Local control
Allows for widely different levels of operational trust
Federation / gateway model (#1)
[Diagram: 3rd party, Orgs, RA, gateways (gw), "??"; legend: trust; VO msg]
Federation / gateway model (#2)
[Diagram: 3rd party, Orgs, RA, gateways (gw); legend: trust; VO msg]
Federation / gateway model
Organizational based trust
Assumptions on infrastructure
Higher demands on operational trust
VO control + sandboxing
[Diagram: 3rd party, Orgs, RA, VO; legend: trust; VO msg]
VO control + sandboxing
[Diagram: 3rd party, Orgs, RA, VO; legend: trust; VO msg]
VO control + sandboxing
VO runs the show
Prepackaged, domain specific
Little or no local control
Trust by reputation
Comparisons
I have tried my best to be impartial and objective
  “Is this hard to do or not?”
Over-simplified conclusions
  “difficult” vs “easy”
Comparisons
Underlying assumptions
Scenario
  UID+local enforcement: many orgs, many VOs, different needs. Preserve local control
  Federation: large orgs and enterprises, trust on an organizational level
  VO centric control: VO controls what to run where (cycle scavenging, prepackaged binaries, sandboxing)
Lifetime & scale of operations
  UID+local enforcement: long-lived, static, any scale
  Federation: long-lived, static, large-scale
  VO centric control: long-lived, non-static, large-scale
Lack of support for short-lived lifetimes & small-scale operations
Comparisons
Setup
Trust anchors
  UID+local enforcement: CA and VO management
  Federation: (CA), common VO policy
  VO centric control: VO (blind trust, reputation)
Commitments
  UID+local enforcement: CA management (long-term, trustworthy), VO management (???)
  Federation: Long-term, trustworthy, gateways need to operate according to external requirements
  VO centric control: Basically none. Resource providers may come and go
Comparisons
Registration
Bootstrap for resource prov
  UID+local enforcement: difficult: multiple trust anchors, local config
  Federation: difficult: operate trustworthy gw is hard, local config
  VO centric control: easy: install sandbox environment
Bootstrap for user
  UID+local enforcement: Get ID (1, pain) get VO membership (N, less pain)
  Federation: transparent (reuse organizational trust fabric)
  VO centric control: transparent / get VO membership
Bootstrap for VO
  UID+local enforcement: hard: Management infrastructure (although mileage may vary)
  Federation: medium: membership description, re-use organizational trust fabric
  VO centric control: hard: have to do everything
Comparisons
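Security Concerns
Privacy / Anonymity
  UID+local enforcement: Not really (pseudonymity possible)
  Federation: Yes
  VO centric control: Yes
Audit
  UID+local enforcement: Yes
  Federation: Yes
  VO centric control: Not really
Acceptance
  UID+local enforcement: Good
  Federation: Good
  VO centric control: Poor
Policy
  UID+local enforcement: Intersection of VO and local policy
  Federation: Intersection of VO and local policy
  VO centric control: VO in complete control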
Comparisons
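Dynamics
Setup of 2nd VO
  UID+local enforcement: easy
  Federation: easy
  VO centric control: difficult
Adding/removing a user
  UID+local enforcement: difficult
  Federation: easy
  VO centric control: easy
Adding/removing a member org
  UID+local enforcement: easy
  Federation: difficult
  VO centric control: easy
Lusers and Loosers
  UID+local enforcement: yes
  Federation: no
  VO centric control: yes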
Conclusions
No single model stands out as #1
Lack of support for short-lived, small-scale, light-weight operations
Topics for discussion
What model is most likely a best fit for a) academia, b) industry?
Are there alternatives?
What characteristics should we focus on in the near-term?