Security Architecture for Open Grid Services and related developments
GGF5 and follow-on developments overview

Working Draft Version 0.9
October 2, 2002

Yuri Demchenko <>


This report-overview provides information about OGSA Security architecture that is the development at GGF and related developments in other standardisation bodies concerned with defining specifications for Web Services, WS-Security and related SOAP extensions. Possible use of new developing technologies for Authentication and Authorisation services (and in general AAA Architecture) is analysed.


A set of specifications defining different components and technical aspects of new emerging XML Web Services architecture is being developed by major standardisation bodies in the industry such as W3C, OASIS, GGF, UDDI and WS-I and others.

XML Web Services specifications stack including Web Services and WSDL, SOAP and XML Protocol together with WS-Security creates a basis for building secure XML Web Services communication architecture. Industry needs in building infrastructure for Virtual Organisations with distributed resources, utilities and production are targeted in initially proposed joint initiative by Global Grid Forum, IBM and Microsoft an Open Grid Services Architecture (OGSA). OGSA itself is built on foundation of XML Web Services. Important component of overall OGSA is an OGSA Security Architecture, which is built on WS-Security basis.

Below is provided short information about activities of major standardisation bodies active in this area, published documents are referenced and abstracted.

1. XML Web Services standardisation activities: Overview

There are few places of standardisation activity in developing standards for Web Services (WS) with focus on different problem spaces and communities:

1.1. W3C

W3C has three active WGs (Web Services Architecture WG, XML Protocol WG, Web Services Description WG) that publishing during last months a number of (hign-readiness) specifications defining WSArchitecture, WSDL, SOAP extentions and XML Protocol intended for use with SOAP messaging.

Particular list of these specifications (see [1-11]):

- Web Services Architecture Requirements Second Working Draft
- Web Services Architecture Usage Scenarios Working Draft
- Web Services Description Language (WSDL) Version 1.2 and Web Services Description Language (WSDL) Version 1.2: Bindings
- XML Protocol (XMLP) Requirements - SOAP Version 1.2 Usage Scenarios, SOAP Version 1.2 Specification Assertions and Test Collection,
- SOAP Version 1.2 Part 0: Primer, SOAP Version 1.2 Part 1: Messaging Framework, SOAP Version 1.2 Part 2: Adjuncts
- SOAP 1.2 Attachment Feature Last Call Working Draft

Summary and Observations

1) W3C noticeably activated its work in WS/WSDL/SOAP around and after the GGF5 and with the IBM and Microsoft technological pressure.

2) Published usage scenarios for WS and SOAP are actually provide a good framework for defining upper layer specifications and designing upper layer protocols, particularly related to AAA and based on WS-Security

However, proposed scenarios must be extended with one which is typical for AAA architecture when one of communicating parties request third trusted/administrative party request/response approval.

3) WSDL service serves as an abstraction layer between stateless SOAP communications and stateful, in general, Web Service, i.e. application

4) Declared interactions between different groups/activities: W3C relies and refers to WS-Security activity under OASIS umbrella

1.2. OASIS

OASIS recently formed Web Services Security (WSS) Technical Cmtee (TC) that had very productive first face-to-face (F2F) meeting on Sept. 4/5, 2002; WSS-TC has very aggressive plans to publish in a time frame of 6 months a few normative documents and number of non-normative documents (still subject for discussion).

Proposed and already published normative documents (see [12-16]):

- WS Security Core Specification (merges two previously published documents WS-Sec and WS-Sec Addendum, with framework from XML-based tokens doc) focusing mostly on Message Security and covering major issues: message security model, message ID referencing, security header, security tokens, token references, signature, encryption, message timestamping;

- WS Security Profile of SAML;
- Web Services Security SAML Token Binding;
- WS Security Kerberos Binding;
- WS Security X.509 Binding.

Proposed non-normative documents (as listed in the minutes):

1. Use cases
2. Primer
3. WS-Security AppNotes
4. Requirements
5. Security Considerations
6. Application of WS-Security to XKMS, Interaction w/ XKMS
7. Conformance Profiles (F2F meeting comment: "defer")
8. Privacy concerns
9. Security token registration (i.e. naming)
10. Best practices
11. Interoperability
12. Testable conformance (F2F meeting comment: "defer")
13. Deployment templates
14. Rationale
15. Issues List (mandatory)

Summary and Observations:

1) OASIS (XML Interoperability Consortium) has strong records in XML standardisation (including ebXML, LegalXML) and in Security Services and therefore has a strong authority in defining acceptable industry policy in WS-Sec.

2) Proposed WS-Security documents are concerned only about secure WS/SOAP messages exchange that may carry some security assertion payload for upper layer security services such as Authorization and Transaction/Conversation, and in this respect are much narrower that proposed in the WS Security Roadmap and derived from it the OGSA Security Roadmap

3) Declared interactions between different groups/activities: WSS-TC intends to liaison with all major players, in particular with W3C, IETF, WS-I, UDDI and wants to incorporate/integrate first WS-Security documents (Architecture and Roadmap) published by Microsoft and IBM

1.3. GGF and joint activity with IBM and Microsoft

IBM and Microsoft announced about their joint efforts with GGF in extending XML Web Services concept to OGSA to describe Grid Services as a model/solution for distributed computing applications, distributed stateful transient services and multidomain Virtual Organisations.

Prio to this IBM and Microsoft had jointly developed Global XML Architecture and number of WS related specifications, some of which were abandoned with further cooperation and joint development with GGF.

Published jointly by IBM and Microsoft on April 5, 2002 document "Web Services Security (WS-Security). Version 1.0" at the same time at the moment is superseded by the recently published by OASIS WSS-TC "WS Security Core Specification".

Another document "Security in a Web Services World: A Proposed Architecture and Roadmap" published at the same time proposed layered model of WS-Security services and outlined wide spectrum of related documents including: WS-Policy, WS-Trust, WS-Privacy, WS-SecureConversation, WS-Federation, WS-Authorization (data and policy).

This specification became a basis for the announced at GGF5 "OGSA Security Roadmap: Global Grid Forum Specification Roadmap toward a Secure OGSA" and "The Security Architecture form Open Grid Services" that extended initially proposed WS-Security Architecture with the Grid specifics and attempted to map between WS-Security messaging security and Grid Security Services, listed in table below together with proposed specifications.
GRID SERVICES Proposed specification
Naming OGSA Identity
OGSA Target/Action Naming
OGSA Attribute and Group Naming
Transient Service Identity Acquisition
Translation between Security Realms  Identity Mapping Service
Generic Name Mapping
Policy Mapping Service
Credential Mapping Service
Authentication Mechanism Agnostic  OGSA Certificate Validation Service
OGSA-Kerberos Services
Pluggable Session Security  GSSAPI-SecureConversation
Pluggable Authorization Service  OGSA-Authorization Service
Authorization Policy Management  Coarse-grained Authorization Policy Management
Fine-grained Authorization Policy Management
Trust Policy Management  OGSA Trust Service
Privacy Policy Management  Privacy Policy Framework
VO Policy Management  VO Policy Service
Delegation Identity  Assertion Profile
Capability Assertion Profile
Firewall Friendly  OGSA Firewall Interoperability
Security Policy Expression and Exchange Grid Service Reference and Service Data
Security Policy Decoration
Secure Service Operation  Secure Service’s Policy and Processing
Service Data Access Control
Audit and Secure Logging OGSA  Audit Service
OGSA Audit Policy Management

List of major GGF documents is referenced in [18-24].

Summary and Observations:

1) No noticeable development happened in GGF framework with the proposed OGSA Security Roadmap.

Possible reasons may include: no critical mass of interested people with experience in std activity; too complex task for currently used top-down approach; etc.

2) It may be rational in current situation to build new (or updated) OGSA Security specifications on currently being developed WS-Security specifications, which among other issues define SAML security assertions and binding with X.509 and Kerberos.

Other WS-Security issues that may intersect with the OGSA Security roadmap are naming, privacy.

On other hand, issues not tackled by WS-Security: Policy, Authorisation, Translation between realms, Trust management, Transaction/Session Management, Audit.

2. Mapping AAA architecture to current WS and WS/OGSA Security specifications: Using proposed WS/OGSA Security specifications for building AAA solutions/applications

Generic AAA architecture is described in RFC2903-2906 (see below [25-28]).

Below are outlined some specific generic AAA Architecture functions and their possible realisation within WS and WS-Security framework:

1) realise layered AAA architecture using common communication protocol and nested SOAP headers (like nested network layer header in standard packet network like TCP/IP) used for transaction/session tracking, message routing, security tokens assertion;

2) use SOAP credentials encapsulation for Authentication (AuthN) and SOAP security tokens/assertions for Authorisation (AuthZ); particular candidate technology for this is SAML (Security Assertion Markup Language), which is successfully use in Internet2 Authorisation application Shibboleth;

3) multidomain/multirealm AAA messaging can be supported by sequent or nested SOAP headers what is supported by SOAP specification; however, AAA generic Architecture requirements to carry out multiple (independent) AuthZ and AuthN in one message may be challenging

4) XML Protocol intended for SOAP messages routing supports target routing and source routing

5) SOAP can use standard XML features/tools (Xlink and XPath) for referencing external (Policy) documents and external SOAP messages, - by means of SOAP id and ref attributes

6) ASM (application Specific Module) expectedly may fit completely into WSDL ServiceType and PortType functionality and therefore maybe be described in WSDL terms; another benefits of this is complimentary (to WS) use of UDDI as a registry for web services and related discovery, update and registration services (which are also web services by definition); application specific coding is interfaced to WSDL description by means of WSDL binding.

Other recently released technologies and solutions that can provide possible solutions for some components of the AAA Architecture:


1. SOAP 1.2 Attachment Feature Last Call Working Draft. -

2. Web Services Architecture Requirements Second Working Draft. -

3. Web Services Architecture Usage Scenarios Working Draft. -

4. Web Services Description Language (WSDL) Version 1.2 Working Draft -

5. Web Services Description Language (WSDL) Version 1.2: Bindings. Working Draft -

6. XML Protocol (XMLP) Requirements Working Draft -

7. SOAP Version 1.2 Usage Scenarios Working Draft -

8. SOAP Version 1.2 Specification Assertions and Test Collection (Last Call Working Draft) -

9. SOAP Version 1.2 Part 0: Primer (Last Call Working Draft) -

10. SOAP Version 1.2 Part 1: Messaging Framework (Last Call Working Draft) -

11. SOAP Version 1.2 Part 2: Adjuncts (Last Call Working Draft) -

12. OASIS Web Services Security (WSS) TC Meeting. Official Minutes, September 4th & 5th 2002 -

13. Web Services Security X509 Binding Working Draft 01, 18 September 2002 -

14. Web Services Security Kerberos Binding Working Draft 01, 18 September 2002 -

15. WS-Security Profile of the OASIS Security Assertion Markup Language (SAML) Working Draft 04, 10 September 2002 -

16. Web Services Security Core Specification Working Draft 01, 20 September 2002 -

17. UDDI Version 3 Features List -

18. UDDI Version 3.0, Published Specification, Dated 19 July 2002 -

19. The Evolution of UDDI White Paper -

18. The Security Architecture for Open Grid Services July 17, 2002, Version 1 -

19. OGSA Security Roadmap. Global Grid Forum Specification Roadmap towards a Secure OGSA -

20. The Physiology of the Grid: An Open Grid Services Architecture for Distributed Systems Integration (Draft 2.9, 6/22/2002)

21. The Anatomy of the Grid: Enabling Scalable Virtual Organizations -

22. Grid Service Specification (Draft 3, 7/17/2002)

23. Open Grid Service Infrastructure Working Group (OGSI-WG) -

24. OGSA Security -

25. RFC 2903 , Experimental, "Generic AAA Architecture", C. de Laat, G. Gross, L. Gommans, J. Vollbrecht, D. Spence, August 2000 -

26. RFC 2904 , Informational, "AAA Authorization Framework" J. Vollbrecht, P. Calhoun, S. Farrell, L. Gommans, G. Gross, B. de Bruijn, C. de Laat, M. Holdrege, D.Spence, August 2000 -

27. RFC 2905 , Informational, "AAA Authorization Application Examples" J. Vollbrecht, P. Calhoun, S. Farrell, L. Gommans, G. Gross, B. de Bruijn, C. de Laat, M. Holdrege, D.Spence, August 2000 -

28. RFC 2906 , Informational, "AAA Authorization Requirements" S. Farrell, J. Vollbrecht, P. Calhoun, L. Gommans, G. Gross, B. de Bruijn, C. de Laat, M. Holdrege, D.Spence, August 2000 -

29. Web Site of the CIM based Grid Schema Working Group (CGS WG) -

30. Shibboleth Project -

31. PERMIS (Privilege and Role Management Infrastructure Standards Validation) -