This page contains notes building towards a formal document regarding the role of Shibboleth with grids. It necessarily challenges some basic assumptions of the way that authentication and authorisation are currently managed in grids.

This work forms the bulk of the eSP-grid workpackage five (Shibboleth Evaluation).

Contents

  1. [#intro Introduction: how to use this document]
  2. [#contempassumpts Contemporary Assumptions]
    • [#mustscale Grids must scale] ; [#identitymanscalability Identity management is a scalability bottleneck] ; [#identtrustorg Identity is best managed by a very trustworthy organisation] ; [#attributemanscale Attribute management is a scalability bottleneck] ; [#trustminimum Trust must be kept to a minimum on grids] ; [#securityieinadeq Security levels in the 'information environment' are inadequate]
  3. [#PKIvsassumpts How does PKI live up to these assumptions?]
    • [#PKImustscale Grids must scale] ; [#PKIidentitymanscalability Identity management is a scalability bottleneck] ; [#PKIidenttrustorg Identity is best managed by a very trustworthy organisation] ; [#PKIattributemanscale Attribute management is a scalability bottleneck] ; [#PKItrustminimum Trust must be kept to a minimum on grids] ; [#PKIsecurityieinadeq Security levels in the 'information environment' are inadequate]
  4. [#SHIBrole How could Shibboleth play a role?]
    • [#SHIBmustscale Grids must scale] ; [#SHIBidentitymanscalability Identity management is a scalability bottleneck] ; [#SHIBidenttrustorg Identity is best managed by a very trustworthy organisation] ; [#SHIBattributemanscale Attribute management is a scalability bottleneck] ; [#SHIBtrustminimum Trust must be kept to a minimum on grids] ; [#SHIBsecurityieinadeq Security levels in the 'information environment' are inadequate]
  5. [#conclusions Conclusions]

Anchor(intro)

Introduction: how to use this document

Following this introduction, this document is arranged into three major sections. The first addresses the [#contempassumpts Contemporary Assumptions] of grid security and other aspects of access management. Most of the assumptions portrayed are based on sound security principles, but some are possibly a little misplaced. Having set out these current basic principles, we consider (briefly) [#PKIvsassumpts How PKI lives up to these assumptions], taking each assumption in turn. A similar treatment follows regarding [#SHIBrole How Shibboleth could play a role]. The document ends with the general [#conclusions Conclusions].

Anchor(contempassumpts)

Contemporary Assumptions

Anchor(mustscale)

Grids must scale

"The Grid" or "grids" are currently viewed by many as being at a stage of conceptual development equivalent to that of the world wide web and information environment intranets in the late 1980s. There is a widespread assumption that grid use will grow enormously as more people (and other end entities) find a use for high powered and distributed (computing) resources. It is also clear that access management is a far greater issue than for the web, as much more than 'read only' access is required. We have to assume, therefore, that secure access management is a current limiting factor for the ability of the technologies to scale to serve high numbers of users. As an extension to this assumption, owners of computing power and expensive instrumentation are far more likely to open up their resources to a grid if they are confident that those resources are secure from harm and from use by unauthorised others outside their (grid) community.

Anchor(identitymanscalability)

Identity management is a scalability bottleneck

Unlike a resource that is meant to be accessed 'read-only', a grid needs to identify its users. The management of those identities is an onerous task and one that needs to be executed via policies which all owners of grid resources can trust. As the number of users (or end entities) increases, this becomes an even more difficult task.

Anchor(identtrustorg)

Identity is best managed by a very trustworthy organisation

The concept of authentication is often (erroneously) associated with the separate elements of identity establishment and subsequent on-line authentication. Authentication is the act of verifying that an electronic identity (username, distinguished name etc.) is being employed by the entity, person or process to whom it was issued. It therefore relies on the electronic identity having been issued accurately in the first place. Thus, both this early establishment of identity and the subsequent use of the identity need to be managed by a trustworthy organisation.

Anchor(attributemanscale)

Attribute management is a scalability bottleneck

A user's attributes (roles, status etc.) change frequently, whereas his/her identity should change very infrequently. Therefore, the management of such attributes - which may be used as decision-triggers during authorisation - may be more onerous than the management of the identity.

Anchor(trustminimum)

Trust must be kept to a minimum on grids

This is always true as a general principle. Nevertheless, people often do not consider the related question of the difficulty of the task that they are choosing to trust another entity to carry out. For example, it may be better to trust a total of three entities to carry out a task (if it can be divided and where each sub-task is appropriately handled by each entity) than to trust one entity to carry out that same task (if the task is too difficult for that one entity).

Anchor(securityieinadeq)

Security levels in the 'information environment' are inadequate

By 'information environment' we mean the environment that is managed for most of the users who join a local network and access many (often web based) resources. It is in contrast to a 'grid' environment.

This assumption has been included so that it can be explored further, below. Many consider that large grids cannot trust the identity management and authentication credentials issued from users' home organisations where levels of security may reflect the historic situation where users play more passive roles. In short, many grid users believe that universities, businesses and government agencies - to name a few examples - cannot be trusted to manage identities and user attributes that are used on grids.

Anchor(PKIvsassumpts)

How does PKI live up to these assumptions?

Anchor(PKImustscale)

Grids must scale

Anchor(PKIidentitymanscalability)

Identity management is a scalability bottleneck

Anchor(PKIidenttrustorg)

Identity is best managed by a very trustworthy organisation

But need not be - identity is easier to manage than role etc.

Anchor(PKIattributemanscale)

Attribute management is a scalability bottleneck

Anchor(PKItrustminimum)

Trust must be kept to a minimum on grids

Yes, the general principle is true. However, as a resource owner it may not be possible to manage more than n users and therefore you have to trust third parties. Even for a very low number of users, a grid resource owner may be the last to find out that a user has been convicted of fraud, or has been determined to have hacked another resource.

Anchor(PKIsecurityieinadeq)

Security levels in the 'information environment' are inadequate

Grids cannot trust the levels of authN in users' home organisations. Grid RAs and CAs are better.

Anchor(SHIBrole)

How could Shibboleth play a role?

Anchor(SHIBmustscale)

Grids must scale

Anchor(SHIBidentitymanscalability)

Identity management is a scalability bottleneck

Anchor(SHIBidenttrustorg)

Identity is best managed by a very trustworthy organisation

But need not be - identity is easier to manage than role etc.

Anchor(SHIBattributemanscale)

Attribute management is a scalability bottleneck

Anchor(SHIBtrustminimum)

Trust must be kept to a minimum on grids

Yes, the general principle is true. However, as a resource owner it may not be possible to manage more than n users and therefore you have to trust third parties. Even for a very low number of users, a grid resource owner may be the last to find out that a user has been convicted of fraud, or has been determined to have hacked another resource.

Anchor(SHIBsecurityieinadeq)

Security levels in the 'information environment' are inadequate

Grids cannot trust the levels of authN in users' home organisations. Grid RAs and CAs are better.

Anchor(conclusions)

Conclusions