© 2006 Open Grid Forum

OGF20 LoA-RG

Monday 11:00am Charter Suite 4

Chairs: Ning Zhang and Yoshio Tanaka


Agenda today

• LoA-RG Charter
• Authentication use-cases
• Identifying LoA attributes


Administrative Information

• Name and Acronym: OGF LoA-RG (Levels of Authentication Assurance Research Group)
• Chairs: Ning Zhang, [email protected]; Yoshio Tanaka, [email protected]
• Email list: [email protected]
• Web page: https://forge.gridforum.org/sf/wiki/do/viewPage/projects.sec/wiki/LoAI


Group Mission

• AuthN LoA
  • is determined by AuthN methods/processes/procedures
  • should be a factor in controlling the access to resources with varying sensitivity levels and/or in environments with varying risk levels
• This LoA-RG is aimed at
  • investigating use case scenarios in the e-Science/Grid contexts, and
  • identifying gaps in applying existing LoA definitions to such contexts


Group Scope

• The LoA-RG tackles the issues related to defining the criteria for assurance assessment and to identifying gaps between the criteria defined by other standards bodies (in particular NIST, ETSI and EU standards) and the relevant grid use cases for (identity) assertions.

• The LoA-RG will NOT pursue the conveyance of LoA assertions in authentication protocols, or the technical consumption of such assertions by software. These topics are within the remit of the OGSA-AuthN-WG (proposed)

• The LoA-RG will NOT pursue the definition of identity levels and policies, or the implementation thereof. These topics are within the remit of the grid participants, their management, regulatory bodies and coordinating groups (CAOPS-WG, IGTF, InCommon, etc).

• The LoA-RG will NOT define any standards or recommendations under this charter.


Output - 1

• Title: A risk analysis in relation to LoA and use case gathering in an e-Science context
• Editor: Michael Helm
• Abstract: This document will present a risk analysis from the perspective of relying parties (or service providers). It will address such questions as:
  • What is it that relying parties really need to know about an identity assertion?
  • What qualities do they require?
  • Which attributes do they 'need to know' about an assertion provider in order to decide on trust in the assertion?
• The document will also gather specific use cases in relation to LoA in this context.


Output - 2

• Title: A gap analysis of current LoA definitions versus LoA requirements in e-Science/Grid context
• Editors: N Zhang, M Jones, and A Nenadic
• Abstract: This document will give an overview of current LoA definitions and the related efforts, and identify gaps between these definitions and the potential use of LoA in the e-Science/Grid context.


Authentication Use-cases

• To identify gaps in existing LoA definitions, we need to identify attributes that may affect the values of LoA in different Grid authentication scenarios
• AuthN Usecase - 1: End entity to service direct authentication using end-entity credentials
• AuthN Usecase - 2: End entity to service authentication using proxy credentials stored locally
• AuthN Usecase - 3: End entity to service authentication using proxy credentials stored remotely
• AuthN Usecase - 4: End entity to IdP authentication + IdP to service assertion


LoA attributes

• Identity vetting/proofing
• Credential issuance
• Certification Authority (CA)
• Credential types
  • Biometrics, PKI credentials, username/password pairs, one-time passwords, proxy credentials
• Key stores
  • Soft token (desktop key store), hard token (smartcard key store), secure coprocessor, online credential repository (MyProxy or virtual smartcard)
• Credential strengths
  • Password entropy: password space, password length, mixed use of lower/upper case, digits, etc., not dictionary words, validity duration
  • PKI credential strength: key size, algorithm, validity duration
  • Proxy credential strength: validity duration, depth of delegation
• Assertion message reliability
  • Validity duration
  • How attributes are stored and managed – procedures and policies are required to govern these
  • Signature strength: signature key size, signature algorithm, hash function strength
  • How assertion messages are conveyed
  • Reliable source of time


AuthN Usecase - 1

• User to Service direct authN using ID credentials
• LoA attributes
  • Token type (key storage), credential strength, authentication protocols, message level or transport level

[Diagram: the User authenticates to and accesses Grid Services directly with the end-entity's credential, e.g. username/password, at message level or at transport level (SSL).]


AuthN Usecase - 2

• Authenticate using the end-entity's proxy credential stored locally
• How the proxy is activated (activating token type and strength), where the proxy is stored (key store)
• Proxy credential strength (key size, and delegation depth)

[Diagram: the User performs a local authN to activate the proxy credential; the Client then authenticates to Grid Services using the proxy.]


AuthN Usecase - 3

[Diagram: the User's long-term credential is held in an Online Credential Repository (OCR). The Client performs Client-to-RP authN and proxy credential retrieval against the OCR; the proxy credential is then sent to Grid Services either by the Client or directly from the OCR.]


AuthN Usecase - 3

• End-entity to OCR authN:
  • All the attributes defined for {AuthN Usecase - 1} apply here
  • OCR's assurance level
• Client to Service authN using proxy, or Service fetches proxy directly from OCR
  • Proxy strength
  • Delegation depth
  • Accompanying intermediary's credential?
  • Proxy transmission channel security strength
• Is a method/algorithm required to calculate the overall LoA?
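Several of the attributes listed for use cases 2 and 3 (the proxy's key size, its validity duration and the depth of delegation) can be read off the proxy certificate chain itself, and the relying party has to verify that chain before it can trust any of them. The Go program below is an added example written for this page, not code from the slides or from any OGF project. It builds a hypothetical chain with Go's standard crypto/x509 package (a long-term credential, a 12-hour proxy and a 2-hour sub-proxy, all constructed for the example with the names alice, the serial numbers and the lifetimes as assumptions), then walks the chain as a relying party would: it checks each certificate's validity period, verifies that each proxy is signed by the key of the certificate above it, and extracts the delegation depth, the shortest remaining lifetime and the smallest key size. The long-term credential is self-signed in place of a CA-issued one, and the RFC 3820 ProxyCertInfo extension that real proxy certificates carry is omitted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainAssessment holds the proxy-credential attributes named on the slides.
type ChainAssessment struct {
	DelegationDepth int           // proxy certificates below the end-entity certificate
	RemainingLife   time.Duration // shortest time to expiry anywhere in the chain
	MinKeyBits      int           // smallest ECDSA curve size in the chain
}

// newCredential creates a key pair and a certificate for it. With parent == nil the
// certificate is self-signed, standing in for a CA-issued long-term credential;
// otherwise it is a proxy signed by parentKey, as a client does when activating a
// local proxy (use case 2) or a credential repository does when handing one out
// (use case 3). Real proxies also carry the RFC 3820 ProxyCertInfo extension, omitted here.
func newCredential(cn string, serial int64, life time.Duration, now time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(life),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer := key
	if parent == nil {
		parent = tmpl // template == parent makes CreateCertificate self-sign
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// AssessChain walks a leaf-first chain (innermost proxy ... end-entity certificate),
// verifies each delegation link and extracts the attributes. The CA's issuance of the
// end-entity certificate is the CA's own assurance and is not re-checked here.
func AssessChain(chain []*x509.Certificate, now time.Time) (ChainAssessment, error) {
	a := ChainAssessment{RemainingLife: 1 << 62, MinKeyBits: 1 << 30}
	if len(chain) == 0 {
		return a, fmt.Errorf("empty chain")
	}
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return a, fmt.Errorf("certificate %d is outside its validity period", c.SerialNumber)
		}
		if i+1 < len(chain) {
			// A proxy is signed by an end-entity key, so CheckSignatureFrom (which
			// insists on a CA issuer) does not apply; verify the raw signature instead.
			p := chain[i+1]
			if !bytes.Equal(c.RawIssuer, p.RawSubject) ||
				p.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) != nil {
				return a, fmt.Errorf("certificate %d is not a valid proxy of its parent", c.SerialNumber)
			}
			a.DelegationDepth++
		}
		if left := c.NotAfter.Sub(now); left < a.RemainingLife {
			a.RemainingLife = left
		}
		if pub, ok := c.PublicKey.(*ecdsa.PublicKey); ok && pub.Curve.Params().BitSize < a.MinKeyBits {
			a.MinKeyBits = pub.Curve.Params().BitSize
		}
	}
	return a, nil
}

// BuildExampleChain returns, leaf first, a 2-hour sub-proxy, the 12-hour proxy that
// issued it, and the year-long end-entity credential behind both.
func BuildExampleChain(now time.Time) ([]*x509.Certificate, error) {
	eec, eecKey, err := newCredential("alice", 1, 365*24*time.Hour, now, nil, nil)
	if err != nil {
		return nil, err
	}
	proxy, proxyKey, err := newCredential("alice proxy", 1001, 12*time.Hour, now, eec, eecKey)
	if err != nil {
		return nil, err
	}
	sub, _, err := newCredential("alice proxy proxy", 1002, 2*time.Hour, now, proxy, proxyKey)
	return []*x509.Certificate{sub, proxy, eec}, err
}
```

For the example chain, AssessChain reports a delegation depth of 2, a remaining lifetime of 2 hours (the sub-proxy is the weakest link on lifetime) and a minimum key size of 256 bits; a relying party would compare those figures against its own limits, for instance refusing chains deeper than its policy maximum or proxies that live longer than it is willing to accept. Two of the attributes on the slide are not visible in the chain at all: the OCR's assurance level and the strength of the user's authentication to the OCR have to come from out-of-band knowledge of the repository.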


AuthN Usecase - 4

[Diagram: the end entity authenticates with the IdP, which has an Attribute Authority behind it; the Client then presents the User's ID/attribute assertions to Grid Services.]


AuthN Usecase - 4

• End-entity to IdP authN: {AuthN Usecase - 1}
• IdP trust level = accredited with what level (dictated by procedures and policy)?
• How attributes are stored and protected at the IdP (i.e. IdP's assurance level)
  • Signed and stored, or bare attributes?
• How assertion messages are conveyed?
  • Message level or over SSL
• Assertion message security strength
  • Signature key strength,
  • Signature key storage,
  • signature algorithm ID/strength, and
  • hash function strength
• Is a method/algorithm required to calculate the overall LoA?
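The question that closes both use case 3 and use case 4, whether a method is needed to calculate an overall LoA, can be made concrete by treating the overall level as the weakest of the individual attributes. The Go program below is an added example written for this page, not code from the slides or from any OGF project, and it does this for the use case 4 assertion: the IdP signs a small JSON assertion with ECDSA, and the relying party verifies the signature, checks the validity window against its own clock with a bounded skew (the "reliable source of time" attribute), and then takes the minimum of the end-entity authentication method's level, the IdP's accredited level, the signature strength (curve size and hash function), the signing key's storage and the conveyance channel. The 1-to-4 scale, the per-attribute levels, the assertion fields, the IdP profile and the sample assertion for alice are all assumptions made for the example, not values from the slides or from NIST.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha1" // register SHA-1 and SHA-256 so crypto.Hash.New() works
	_ "crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is the IdP's statement about the end entity it authenticated (use case 4); the field names are this example's choice.
type Assertion struct {
	Subject     string `json:"sub"`
	AuthnMethod string `json:"amr"` // how the end entity authenticated to the IdP
	IssuedAt    int64  `json:"iat"`
	Expires     int64  `json:"exp"`
}

// SignedAssertion is what travels from the IdP to the service.
type SignedAssertion struct {
	Payload   []byte      // JSON-encoded Assertion, signed exactly as sent
	Hash      crypto.Hash // hash function used for the signature
	Signature []byte      // ASN.1 ECDSA signature over Hash(Payload)
}

// IdPProfile is what the relying party knows about the IdP out of band.
type IdPProfile struct {
	AccreditedLevel int  // level the IdP's procedures and policy are accredited to
	KeyInHardToken  bool // signing key held in an HSM or smartcard, not in a file
	ConveyedOverTLS bool // assertion also carried over TLS, not only signed
}

// Hypothetical 1..4 scale for the authentication method; not an OGF or NIST definition.
var methodLevel = map[string]int{"password": 2, "password+otp": 3, "smartcard": 4}

func lowest(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// Sign is the IdP side: serialise the assertion and sign it with the given hash.
func Sign(a Assertion, key *ecdsa.PrivateKey, h crypto.Hash) (SignedAssertion, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	hh := h.New()
	hh.Write(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, hh.Sum(nil))
	return SignedAssertion{Payload: payload, Hash: h, Signature: sig}, err
}

// EvaluateAssertion is the relying-party side: verify the signature, check the validity window against the RP's own clock with a bounded skew, then take the weakest attribute as the overall level.
func EvaluateAssertion(sa SignedAssertion, issuerKey *ecdsa.PublicKey, idp IdPProfile, now time.Time, skew time.Duration) (int, error) {
	hh := sa.Hash.New()
	hh.Write(sa.Payload)
	if !ecdsa.VerifyASN1(issuerKey, hh.Sum(nil), sa.Signature) {
		return 0, fmt.Errorf("signature does not verify")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return 0, err
	}
	if now.Before(time.Unix(a.IssuedAt, 0).Add(-skew)) || now.After(time.Unix(a.Expires, 0).Add(skew)) {
		return 0, fmt.Errorf("assertion for %s is outside its validity window", a.Subject)
	}
	level := lowest(methodLevel[a.AuthnMethod], idp.AccreditedLevel) // an unknown method rates 0
	// A SHA-1 signature or a curve below 256 bits caps the level at 1 even though the
	// signature verifies; a soft-stored signing key caps it at 3; no TLS channel, at 2.
	if sa.Hash == crypto.SHA1 || issuerKey.Curve.Params().BitSize < 256 {
		level = lowest(level, 1)
	}
	if !idp.KeyInHardToken {
		level = lowest(level, 3)
	}
	if !idp.ConveyedOverTLS {
		level = lowest(level, 2)
	}
	return level, nil
}

// BuildExample signs one constructed login assertion twice with the same P-256 key, once with SHA-256 (strong) and once with SHA-1 (weak), and returns the issuer key.
func BuildExample(now time.Time) (strong, weak SignedAssertion, issuer *ecdsa.PublicKey, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	a := Assertion{Subject: "alice", AuthnMethod: "password+otp", IssuedAt: now.Unix(), Expires: now.Add(5 * time.Minute).Unix()}
	if strong, err = Sign(a, key, crypto.SHA256); err == nil {
		weak, err = Sign(a, key, crypto.SHA1)
	}
	return strong, weak, &key.PublicKey, err
}
```

Signing the same assertion once with SHA-256 and once with SHA-1 shows the point the slide makes about signature strength: both signatures verify, yet with an IdP accredited at level 3 the SHA-256 assertion evaluates to 3 while the SHA-1 assertion is capped at 1 regardless of how the user authenticated to the IdP, and an otherwise strong assertion from an IdP whose signing key lives in a file and that sends assertions without a TLS channel drops to 2. A weakest-link rule like this is only one possible method; the slides leave the choice open.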


Acknowledgements + Survey

• Thanks to David Groep and Blair Dillaway for their contributions to the Charter

• Thanks to Yao Li, University of Manchester, for his work on the authentication use-case models

• LoA survey available at: http://www.es-loa.org/output


OGF IPR Policies Apply

• “I acknowledge that participation in this meeting is subject to the OGF Intellectual Property Policy.”
• Intellectual Property Notices Note Well: All statements related to the activities of the OGF and addressed to the OGF are subject to all provisions of Appendix B of GFD-C.1, which grants to the OGF and its participants certain licenses and rights in such statements. Such statements include verbal statements in OGF meetings, as well as written and electronic communications made at any time or place, which are addressed to:
  • the OGF plenary session,
  • any OGF working group or portion thereof,
  • the OGF Board of Directors, the GFSG, or any member thereof on behalf of the OGF,
  • the ADCOM, or any member thereof on behalf of the ADCOM,
  • any OGF mailing list, including any group list, or any other list functioning under OGF auspices,
  • the OGF Editor or the document authoring and review process

• Statements made outside of a OGF meeting, mailing list or other function, that are clearly not intended to be input to an OGF activity, group or function, are not subject to these provisions.

• Excerpt from Appendix B of GFD-C.1: ”Where the OGF knows of rights, or claimed rights, the OGF secretariat shall attempt to obtain from the claimant of such rights, a written assurance that upon approval by the GFSG of the relevant OGF document(s), any party will be able to obtain the right to implement, use and distribute the technology or works when implementing, using or distributing technology based upon the specific specification(s) under openly specified, reasonable, non-discriminatory terms. The working group or research group proposing the use of the technology with respect to which the proprietary rights are claimed may assist the OGF secretariat in this effort. The results of this procedure shall not affect advancement of document, except that the GFSG may defer approval where a delay may facilitate the obtaining of such assurances. The results will, however, be recorded by the OGF Secretariat, and made available. The GFSG may also direct that a summary of the results be included in any GFD published containing the specification.”

• OGF Intellectual Property Policies are adapted from the IETF Intellectual Property Policies that support the Internet Standards Process.


Full Copyright Notice

Copyright (C) Open Grid Forum (applicable years). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.

The limited permissions granted above are perpetual and will not be revoked by the OGF or its successors or assignees.