Working Draft Version 0.9
October 2, 2002
Yuri Demchenko <demch@terena.nl>
Abstract
This overview report provides information about the OGSA Security Architecture
being developed at GGF, and about related developments in other standardisation
bodies concerned with defining specifications for Web Services, WS-Security
and related SOAP extensions. The possible use of these emerging technologies
for Authentication and Authorisation services (and for the generic AAA Architecture)
is analysed.
Introduction
A set of specifications defining different components and technical aspects of the emerging XML Web Services architecture is being developed by the major standardisation bodies in the industry, such as W3C, OASIS, GGF, UDDI, WS-I and others.
The XML Web Services specification stack, including Web Services and WSDL, SOAP and XML Protocol, together with WS-Security, creates a basis for building a secure XML Web Services communication architecture. Industry needs in building infrastructure for Virtual Organisations with distributed resources, utilities and production are targeted by the Open Grid Services Architecture (OGSA), initially proposed as a joint initiative of the Global Grid Forum, IBM and Microsoft. OGSA itself is built on the foundation of XML Web Services. An important component of the overall OGSA is the OGSA Security Architecture, which is built on the WS-Security basis.
Below, short information is provided about the activities of the major standardisation
bodies active in this area; published documents are referenced and abstracted.
1. XML Web Services standardisation activities: Overview
There are a few centres of standardisation activity developing standards
for Web Services (WS), with focus on different problem spaces and communities:
1.1. W3C
W3C has three active WGs (Web Services Architecture WG, XML Protocol WG, Web Services Description WG) that have published in recent months a number of (high-readiness) specifications defining the WS Architecture, WSDL, SOAP extensions and XML Protocol intended for use with SOAP messaging.
The particular list of these specifications (see [1-11]):
- Web Services Architecture Requirements Second Working Draft
- Web Services Architecture Usage Scenarios Working Draft
- Web Services Description Language (WSDL) Version 1.2 and Web Services
Description Language (WSDL) Version 1.2: Bindings
- XML Protocol (XMLP) Requirements
- SOAP Version 1.2 Usage Scenarios
- SOAP Version 1.2 Specification Assertions and Test Collection
- SOAP Version 1.2 Part 0: Primer, SOAP Version 1.2 Part 1: Messaging
Framework, SOAP Version 1.2 Part 2: Adjuncts
- SOAP 1.2 Attachment Feature Last Call Working Draft
Summary and Observations
1) W3C noticeably intensified its work on WS/WSDL/SOAP around and after GGF5, and under technological pressure from IBM and Microsoft.
2) The published usage scenarios for WS and SOAP actually provide a good framework for defining upper-layer specifications and designing upper-layer protocols, particularly those related to AAA and based on WS-Security.
However, the proposed scenarios must be extended with one that is typical for the AAA architecture, where one of the communicating parties asks a third, trusted/administrative party to approve the request/response.
3) A WSDL service serves as an abstraction layer between stateless SOAP communications and the (in general stateful) Web Service, i.e. the application.
4) Declared interactions between different groups/activities: W3C relies on
and refers to the WS-Security activity under the OASIS umbrella.
1.2. OASIS
OASIS recently formed the Web Services Security (WSS) Technical Committee (TC), which had a very productive first face-to-face (F2F) meeting on Sept. 4/5, 2002; the WSS-TC has very aggressive plans to publish, in a time frame of 6 months, a few normative documents and a number of non-normative documents (still subject to discussion).
Proposed and already published normative documents (see [12-16]):
- WS Security Core Specification (merges two previously published documents, WS-Security and the WS-Security Addendum, with the framework from the XML-based tokens document), focusing mostly on message security and covering the major issues: message security model, message ID referencing, security header, security tokens, token references, signature, encryption, message timestamping;
- WS Security Profile of SAML;
- Web Services Security SAML Token Binding;
- WS Security Kerberos Binding;
- WS Security X.509 Binding.
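The message-security mechanisms of the Core Specification (security header, security tokens, message timestamping) can be illustrated with the simplest token the specification defines, the UsernameToken. The following is an added example written for this report, not code from the OASIS drafts or from any project: a client builds a SOAP 1.1 request whose wsse:Security header carries a wsu:Timestamp and a UsernameToken with a PasswordDigest (Base64 of SHA-1 over nonce, creation time and password, as defined by WS-Security), and a server verifies it. The server accepts only digest passwords, checks the timestamp window with a clock-skew allowance, and keeps a nonce cache so that a captured message cannot be replayed within that window. The namespace and Type URIs are those of the final OASIS WSS 1.0 (2004) documents, assumed here because the 2002 drafts used earlier, dated URIs; the user database, service operation and sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace and Type URIs: the final OASIS WSS 1.0 (2004) identifiers, assumed
# here because the 2002 drafts this report cites used earlier, dated URIs.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64, created, password):
    """WS-Security PasswordDigest: Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def _utc(text):
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)


def build_request(username, password, nonce, created, expires):
    """Client side: a constructed SOAP 1.1 request carrying the security header."""
    nonce_b64 = base64.b64encode(nonce).decode()
    c, e = created.strftime(FMT), expires.strftime(FMT)
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp>
        <wsu:Created>{c}</wsu:Created><wsu:Expires>{e}</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{DIGEST}">{password_digest(nonce_b64, c, password)}</wsse:Password>
        <wsse:Nonce>{nonce_b64}</wsse:Nonce>
        <wsu:Created>{c}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getJobStatus xmlns="urn:example:grid"><jobId>42</jobId></getJobStatus></soap:Body>
</soap:Envelope>"""


def verify_request(xml_text, users, seen_nonces, now, skew=timedelta(minutes=5)):
    """Server side. users: {username: password}; seen_nonces: replay cache shared
    across calls; now: the receiver's clock. Returns (True, username) or (False, reason)."""
    root = ET.fromstring(xml_text)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return False, "missing wsse:Security header"
    ts = sec.find(f"{{{WSU}}}Timestamp")
    if ts is None:
        return False, "missing wsu:Timestamp"
    created = _utc(ts.findtext(f"{{{WSU}}}Created"))
    expires = _utc(ts.findtext(f"{{{WSU}}}Expires"))
    if not (created - skew <= now <= expires):
        return False, "timestamp outside acceptance window"
    tok = sec.find(f"{{{WSSE}}}UsernameToken")
    if tok is None:
        return False, "missing wsse:UsernameToken"
    user = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    if pw is None or pw.get("Type") != DIGEST:
        return False, "only PasswordDigest is accepted"      # never accept cleartext
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    tok_created = tok.findtext(f"{{{WSU}}}Created")
    if abs(_utc(tok_created) - now) > skew:
        return False, "token Created outside acceptance window"
    if (user, nonce_b64) in seen_nonces:
        return False, "replayed nonce"
    expected = password_digest(nonce_b64, tok_created, users.get(user, ""))
    if user not in users or not hmac.compare_digest(expected, pw.text or ""):
        return False, "password digest mismatch"
    seen_nonces.add((user, nonce_b64))   # remember the nonce only after a successful check
    return True, user
```

The nonce cache only needs to hold entries for the length of the acceptance window, since anything older is already rejected by the timestamp check; the digest is compared with a constant-time function so that the comparison itself does not leak anything about the expected value.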
Proposed non-normative documents (as listed in the minutes):
1. Use cases
2. Primer
3. WS-Security AppNotes
4. Requirements
5. Security Considerations
6. Application of WS-Security to XKMS, Interaction w/ XKMS
7. Conformance Profiles (F2F meeting comment: "defer")
8. Privacy concerns
9. Security token registration (i.e. naming)
10. Best practices
11. Interoperability
12. Testable conformance (F2F meeting comment: "defer")
13. Deployment templates
14. Rationale
15. Issues List (mandatory)
Summary and Observations:
1) OASIS (XML Interoperability Consortium) has a strong record in XML standardisation (including ebXML, LegalXML) and in Security Services, and therefore has strong authority in defining an acceptable industry policy for WS-Security.
2) The proposed WS-Security documents are concerned only with secure WS/SOAP message exchange, which may carry some security assertion payload for upper-layer security services such as Authorization and Transaction/Conversation; in this respect they are much narrower than what was proposed in the WS-Security Roadmap and in the OGSA Security Roadmap derived from it.
3) Declared interactions between different groups/activities: the WSS-TC
intends to liaise with all major players, in particular W3C, IETF,
WS-I and UDDI, and wants to incorporate/integrate the first WS-Security documents
(Architecture and Roadmap) published by Microsoft and IBM.
1.3. GGF and joint activity with IBM and Microsoft
IBM and Microsoft announced their joint efforts with GGF in extending the XML Web Services concept to OGSA, to describe Grid Services as a model/solution for distributed computing applications, distributed stateful transient services and multidomain Virtual Organisations.
Prior to this, IBM and Microsoft had jointly developed the Global XML Web Services Architecture (GXA) and a number of WS-related specifications, some of which were abandoned with the further cooperation and joint development with GGF.
The document "Web Services Security (WS-Security). Version 1.0", published jointly by IBM and Microsoft on April 5, 2002, is at the moment superseded by the recently published OASIS WSS-TC "WS Security Core Specification".
Another document, "Security in a Web Services World: A Proposed Architecture and Roadmap", published at the same time, proposed a layered model of WS-Security services and outlined a wide spectrum of related documents including: WS-Policy, WS-Trust, WS-Privacy, WS-SecureConversation, WS-Federation, WS-Authorization (data and policy).
This specification became the basis for the "OGSA Security
Roadmap: Global Grid Forum Specification Roadmap towards a Secure OGSA"
and "The Security Architecture for Open Grid Services" announced at GGF5, which extended the initially
proposed WS-Security Architecture with Grid specifics and attempted
to map WS-Security messaging security onto the Grid Security Services
listed in the table below, together with the proposed specifications.
GRID SERVICES (requirement)             | Proposed specification
----------------------------------------|-----------------------------------------------------------------
Naming                                  | OGSA Identity
                                        | OGSA Target/Action Naming
                                        | OGSA Attribute and Group Naming
                                        | Transient Service Identity Acquisition
Translation between Security Realms     | Identity Mapping Service
                                        | Generic Name Mapping
                                        | Policy Mapping Service
                                        | Credential Mapping Service
Authentication Mechanism Agnostic       | OGSA Certificate Validation Service
                                        | OGSA-Kerberos Services
Pluggable Session Security              | GSSAPI-SecureConversation
Pluggable Authorization Service         | OGSA-Authorization Service
Authorization Policy Management         | Coarse-grained Authorization Policy Management
                                        | Fine-grained Authorization Policy Management
Trust Policy Management                 | OGSA Trust Service
Privacy Policy Management               | Privacy Policy Framework
VO Policy Management                    | VO Policy Service
Delegation                              | Identity Assertion Profile
                                        | Capability Assertion Profile
Firewall Friendly                       | OGSA Firewall Interoperability
Security Policy Expression and Exchange | Grid Service Reference and Service Data Security Policy Decoration
Secure Service Operation                | Secure Service's Policy and Processing
                                        | Service Data Access Control
Audit and Secure Logging                | OGSA Audit Service
                                        | OGSA Audit Policy Management
The major GGF documents are referenced in [18-24].
Summary and Observations:
1) No noticeable development has happened within the GGF framework on the proposed OGSA Security Roadmap.
Possible reasons may include: no critical mass of interested people with experience in standardisation activity; too complex a task for the currently used top-down approach; etc.
2) It may be rational in the current situation to build new (or updated) OGSA Security specifications on the WS-Security specifications currently being developed, which among other issues define SAML security assertions and bindings with X.509 and Kerberos.
Other WS-Security issues that may intersect with the OGSA Security Roadmap are naming and privacy.
On the other hand, the issues not tackled by WS-Security are: Policy, Authorisation,
Translation between realms, Trust management, Transaction/Session Management,
Audit.
2. Mapping the AAA architecture to current WS and WS/OGSA Security specifications: using the proposed WS/OGSA Security specifications for building AAA solutions/applications
The generic AAA architecture is described in RFC 2903-2906 (see [25-28] below).
Below are outlined some specific generic AAA Architecture functions and their possible realisation within the WS and WS-Security framework:
1) realise the layered AAA architecture using a common communication protocol and nested SOAP headers (like the nested network-layer headers in a standard packet network such as TCP/IP) used for transaction/session tracking, message routing and security token assertion;
2) use SOAP credential encapsulation for Authentication (AuthN) and SOAP security tokens/assertions for Authorisation (AuthZ); a particular candidate technology for this is SAML (Security Assertion Markup Language), which is successfully used in the Internet2 authorisation application Shibboleth;
3) multidomain/multirealm AAA messaging can be supported by sequential or nested SOAP headers, which the SOAP specification allows; however, the generic AAA Architecture requirement to carry out multiple (independent) AuthZ and AuthN in one message may be challenging;
4) XML Protocol, intended for SOAP message routing, supports target routing and source routing;
5) SOAP can use standard XML features/tools (XLink and XPath) for referencing external (Policy) documents and external SOAP messages, by means of the SOAP id and ref attributes;
6) the ASM (Application Specific Module) may be expected to fit completely into the WSDL ServiceType and PortType functionality and therefore may be described in WSDL terms; another benefit of this is the complementary (to WS) use of UDDI as a registry for web services and the related discovery, update and registration services (which are also web services by definition); application-specific code is interfaced to the WSDL description by means of the WSDL binding.
Other recently released technologies and solutions that may cover some components of the AAA Architecture are referenced in [29-31].
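Items 1 and 3 above, and the AAA scenario with a third trusted party noted in section 1.1, rest on the SOAP header processing model: each header block is targeted at a role, and a node on the message path must process the mandatory blocks targeted at it, may leave or drop the optional ones, and forwards the rest. The following is an added example written for this report, not code from any of the specifications or projects discussed: it applies the SOAP 1.2 rules (role, mustUnderstand, relay) at one node and walks a constructed AAA request through the AAA server of the client's domain, the AAA server of the service's domain and finally the service itself, each consuming the header block addressed to it. The SOAP 1.2 namespace is the final 2003 URI (the 2002 drafts used dated URIs), and the aaa: header vocabulary, role URIs and message contents are hypothetical.

```python
import xml.etree.ElementTree as ET

# SOAP 1.2 namespace and standard roles (final 2003 URIs, assumed; the 2002
# drafts this report cites used earlier, dated URIs).
ENV = "http://www.w3.org/2003/05/soap-envelope"
ROLE_NEXT = ENV + "/role/next"
ROLE_NONE = ENV + "/role/none"
ROLE_ULTIMATE = ENV + "/role/ultimateReceiver"
AAA = "urn:example:aaa"                   # hypothetical namespace of the AAA header blocks
ROLE_AAA_A = "urn:example:aaa:domainA"    # hypothetical role of domain A's AAA server
ROLE_AAA_B = "urn:example:aaa:domainB"    # hypothetical role of domain B's AAA server


class MustUnderstandFault(Exception):
    """A mandatory header block targeted at this node is not understood."""


def _split(tag):
    ns, _, local = tag[1:].partition("}")
    return ns, local


def _flag(blk, attr):
    return blk.get(f"{{{ENV}}}{attr}", "false") in ("1", "true")


def process_at_node(xml_text, node_role, understood):
    """SOAP 1.2 header processing at one node of the message path.

    node_role  - URI this node acts in (ROLE_ULTIMATE for the final receiver);
    understood - set of (namespace, localname) header blocks this node implements.
    Returns (handled, forwarded_xml): the (localname, text) of each block this
    node processed, and the envelope to pass on with those blocks removed.
    """
    root = ET.fromstring(xml_text)
    header = root.find(f"{{{ENV}}}Header")
    handled = []
    if header is None:
        return handled, xml_text
    for blk in list(header):
        role = blk.get(f"{{{ENV}}}role", ROLE_ULTIMATE)
        if role == ROLE_NONE:
            continue                       # never processed by any node
        if role not in (node_role, ROLE_NEXT):
            continue                       # targeted at a later node, leave it
        name = _split(blk.tag)
        if name in understood:
            handled.append((name[1], (blk.text or "").strip()))
            header.remove(blk)             # processed blocks are removed before forwarding
        elif _flag(blk, "mustUnderstand"):
            raise MustUnderstandFault(f"{name[1]} targeted at {role}")
        elif not _flag(blk, "relay"):
            header.remove(blk)             # not understood and not relayed: drop it
    return handled, ET.tostring(root, encoding="unicode")


def remaining_headers(xml_text):
    """Local names of the header blocks still present in an envelope."""
    header = ET.fromstring(xml_text).find(f"{{{ENV}}}Header")
    return [] if header is None else [_split(b.tag)[1] for b in header]


def node_accepts(xml_text, node_role, understood):
    """True if the node can process the message without a mustUnderstand fault."""
    try:
        process_at_node(xml_text, node_role, understood)
        return True
    except MustUnderstandFault:
        return False


# Constructed request: a user in domain A asks a service in domain B. The AuthZ
# blocks are addressed to each domain's AAA server in turn (the third trusted
# party of the generic AAA model), the Trace block is relayed hop by hop, and
# the Security block is for the ultimate receiver only.
REQUEST = f"""<env:Envelope xmlns:env="{ENV}" xmlns:aaa="{AAA}">
  <env:Header>
    <aaa:AuthZ env:role="{ROLE_AAA_A}" env:mustUnderstand="true">alice@domainA may use cpu:100</aaa:AuthZ>
    <aaa:AuthZ env:role="{ROLE_AAA_B}" env:mustUnderstand="true">forward request for alice@domainA</aaa:AuthZ>
    <aaa:Trace env:role="{ROLE_NEXT}" env:relay="true">hop-record</aaa:Trace>
    <aaa:Security env:mustUnderstand="true">token for the service</aaa:Security>
  </env:Header>
  <env:Body><aaa:Reserve>cpu:100</aaa:Reserve></env:Body>
</env:Envelope>"""


def run_path():
    """Walk the request through AAA server A, AAA server B and the service."""
    a, msg = process_at_node(REQUEST, ROLE_AAA_A, {(AAA, "AuthZ")})
    b, msg = process_at_node(msg, ROLE_AAA_B, {(AAA, "AuthZ")})
    s, msg = process_at_node(msg, ROLE_ULTIMATE, {(AAA, "Security"), (AAA, "Trace")})
    return a, b, s, msg
```

The point of the walk is that each AAA server sees only the block addressed to it, the Security token reaches the service untouched, and a node that does not implement a mandatory block addressed to it faults instead of silently forwarding it; that last rule is what prevents an authorisation step from being skipped by a hop that does not understand it.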
References
1. SOAP 1.2 Attachment Feature Last Call Working Draft. - http://www.w3.org/TR/2002/WD-soap12-af-20020924/
2. Web Services Architecture Requirements Second Working Draft. - http://www.w3.org/TR/2002/WD-wsa-reqs-20020819/
3. Web Services Architecture Usage Scenarios Working Draft. - http://www.w3.org/TR/2002/WD-ws-arch-scenarios-20020730/
4. Web Services Description Language (WSDL) Version 1.2 Working Draft - http://www.w3.org/TR/2002/WD-wsdl12-20020709/
5. Web Services Description Language (WSDL) Version 1.2: Bindings. Working Draft - http://www.w3.org/TR/2002/WD-wsdl12-bindings-20020709/
6. XML Protocol (XMLP) Requirements Working Draft - http://www.w3.org/TR/2002/WD-xmlp-reqs-20020626/
7. SOAP Version 1.2 Usage Scenarios Working Draft - http://www.w3.org/TR/2002/WD-xmlp-scenarios-20020626/
8. SOAP Version 1.2 Specification Assertions and Test Collection (Last Call Working Draft) - http://www.w3.org/TR/2002/WD-soap12-testcollection-20020626/
9. SOAP Version 1.2 Part 0: Primer (Last Call Working Draft) - http://www.w3.org/TR/2002/WD-soap12-part0-20020626/
10. SOAP Version 1.2 Part 1: Messaging Framework (Last Call Working Draft) - http://www.w3.org/TR/2002/WD-soap12-part1-20020626/
11. SOAP Version 1.2 Part 2: Adjuncts (Last Call Working Draft) - http://www.w3.org/TR/2002/WD-soap12-part2-20020626/
12. OASIS Web Services Security (WSS) TC Meeting. Official Minutes, September 4th & 5th 2002 - http://lists.oasis-open.org/archives/wss/200209/msg00085.html
13. Web Services Security X.509 Binding Working Draft 01, 18 September 2002 - http://lists.oasis-open.org/archives/wss/200209/pdf00001.pdf
14. Web Services Security Kerberos Binding Working Draft 01, 18 September 2002 - http://lists.oasis-open.org/archives/wss/200209/pdf00002.pdf
15. WS-Security Profile of the OASIS Security Assertion Markup Language (SAML) Working Draft 04, 10 September 2002 - http://lists.oasis-open.org/archives/wss/200209/doc00000.doc
16. Web Services Security Core Specification Working Draft 01, 20 September 2002 - http://lists.oasis-open.org/archives/wss/200209/pdf00000.pdf
17. UDDI Version 3 Features List - http://www.uddi.org/pubs/uddi_v3_features.htm ; UDDI Version 3.0, Published Specification, 19 July 2002 - http://www.uddi.org/pubs/uddi-v3.00-published-20020719.pdf ; The Evolution of UDDI. UDDI.org White Paper - http://www.uddi.org/pubs/the_evolution_of_uddi_20020719.pdf
18. The Security Architecture for Open Grid Services, July 17, 2002, Version 1 - http://www.globus.org/ogsa/Security/OGSA-SecArch-v1-07192002.pdf
19. OGSA Security Roadmap. Global Grid Forum Specification Roadmap towards a Secure OGSA - http://www.globus.org/ogsa/Security/ogsa-sec-roadmap-v13.pdf
21. The Anatomy of the Grid: Enabling Scalable Virtual Organizations - http://www.globus.org/research/papers/anatomy.pdf
22. Grid Service Specification (Draft 3, July 17, 2002)
23. Open Grid Service Infrastructure Working Group (OGSI-WG) - http://www.gridforum.org/ogsi-wg/
24. OGSA Security - http://www.globus.org/ogsa/Security/
25. RFC 2903 , Experimental, "Generic AAA Architecture", C. de Laat, G. Gross, L. Gommans, J. Vollbrecht, D. Spence, August 2000 - http://www.ietf.org/rfc/rfc2903.txt
26. RFC 2904 , Informational, "AAA Authorization Framework" J. Vollbrecht, P. Calhoun, S. Farrell, L. Gommans, G. Gross, B. de Bruijn, C. de Laat, M. Holdrege, D.Spence, August 2000 - http://www.ietf.org/rfc/rfc2904.txt
27. RFC 2905 , Informational, "AAA Authorization Application Examples" J. Vollbrecht, P. Calhoun, S. Farrell, L. Gommans, G. Gross, B. de Bruijn, C. de Laat, M. Holdrege, D.Spence, August 2000 - http://www.ietf.org/rfc/rfc2905.txt
28. RFC 2906 , Informational, "AAA Authorization Requirements" S. Farrell, J. Vollbrecht, P. Calhoun, L. Gommans, G. Gross, B. de Bruijn, C. de Laat, M. Holdrege, D.Spence, August 2000 - http://www.ietf.org/rfc/rfc2906.txt
29. Web Site of the CIM based Grid Schema Working Group (CGS WG) - http://www.daasi.de/wgs/CGS
30. Shibboleth Project - http://middleware.internet2.edu/shibboleth/
31. PERMIS (Privilege and Role Management Infrastructure Standards Validation) - http://sec.isi.salford.ac.uk/permis/