Towards More Flexible and Increased Security and Privacy in Grids
The development of UNICORE started as a Grid-enabling middleware with a monolithic security policy that restricted Grid activities to a set of users whose credentials (X.509 certificates) are pre-recorded in a UNICORE User Database (UUDB), and to a task distribution completely defined at job-submission time, because the sub-jobs have to be signed by the user with his private key. Later on, projects aiming at allowing a restricted interoperability with other Grid middleware led to the adoption of more flexible approaches such as Explicit Trust Delegation (ETD). ETD implicitly involves a more general concept: that of an attribute or role which is attached to an identified and authenticated entity and which defines the extent of the authorisations granted to that entity by the target resource. Extending this concept to other authorisation-related aspects of Grid computing is today an area of intensive research, which should also be taken up by the UNICORE developers in order to enable the creation of Virtual Organisations (VOs) that are able to take security as seriously as necessary, and to opt for flexibility as much as possible.
Keywords: Virtual Organisation, Policy Decision Point, UNICORE Security, Globus Toolkit, Security Assertion Markup Language
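To make the contrast in the abstract concrete, the following added example (not code from the paper or from UNICORE) models the two authorisation styles side by side: a UUDB-style check, where the decision depends only on whether the authenticated X.509 subject DN is pre-recorded, and a Policy Decision Point that grants actions on a resource from attributes (VO membership, role) attached to the authenticated entity. The DNs, VO names, resource names and rule format are hypothetical; the attributes are assumed to have already been verified by the PEP from a trusted attribute assertion before reaching the PDP.

```python
from dataclasses import dataclass, field


@dataclass
class Subject:
    dn: str                                          # authenticated X.509 subject DN
    attributes: dict = field(default_factory=dict)   # verified attributes, e.g. vo/role


@dataclass
class Request:
    subject: Subject
    resource: str
    action: str


# UUDB-style policy (hypothetical entries): authorisation is a pure function of identity,
# so anyone not pre-recorded is rejected whatever their VO or role.
UUDB = {"CN=alice,O=ExampleLab"}


def uudb_decide(req: Request) -> bool:
    return req.subject.dn in UUDB


# Attribute-based policy (hypothetical rules): a rule grants one action on one resource to any
# authenticated subject whose verified attributes match all required values.
POLICY = [
    {"resource": "cluster-A", "action": "submit", "require": {"vo": "astro", "role": "member"}},
    {"resource": "cluster-A", "action": "admin",  "require": {"vo": "astro", "role": "manager"}},
]


def pdp_decide(req: Request) -> bool:
    """Return True if some rule for (resource, action) is satisfied; default deny otherwise."""
    for rule in POLICY:
        if rule["resource"] != req.resource or rule["action"] != req.action:
            continue
        if all(req.subject.attributes.get(k) == v for k, v in rule["require"].items()):
            return True
    return False
```

The PDP must see only attributes whose origin has been checked (e.g. a signed SAML assertion); an attribute the client merely claims about itself must never reach the decision.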