WP7 Identity Management, Authentication & Authorization
TAS3_D07p1 IDM-Authn-Authz V2p1.pdf
TAS3 D7.1, accepted by the European Commission in March 2010. Executive Summary: This document describes the design of the identity management, authentication and authorization infrastructure that is needed in order to achieve the security, trust and privacy objectives of the TAS3 project. Section 2 describes the overall architecture of the identity management, authentication and authorization infrastructure. Section 2 also describes the obligation infrastructure, which supports policy enforcement through the automatic execution of obligations (where this is possible). Section 3 describes the design of the Break the Glass (BTG) infrastructure. BTG allows users who are not normally authorized to access a resource to gain access after first "breaking the glass", in the full knowledge that they will later have to answer to management for doing so. Section 3 also describes how adaptive audit controls can be used to support BTG policies. Both of these features are enabled through the obligation infrastructure described in Section 2. Section 4 describes the design of a credential aggregation infrastructure in which user credentials can be retrieved, aggregated and validated in dynamically changing environments, even when the user is known by different identities at different identity providers. Section 5 describes the multiple policy authorization evaluation infrastructure, which allows multiple authorization policies written in different languages to be evaluated and any conflicts between them to be resolved before the user is granted access to a resource. Section 6 describes the design of the infrastructure for the dynamic delegation of credentials between the various actors of the system, and the verification of these credentials using a Credential Validation Service.
Section 7 builds on Section 6 and describes how authorization policies can be dynamically managed and updated by multiple, distributed, dynamically allocated administrators. Section 8 describes how policies (especially privacy policies) can be "stuck" to information and transported with it throughout a distributed system. Section 9 briefly introduces the event management infrastructure, which supports the passing of messages between system components via the publish and subscribe paradigm and is described more fully in D8.2. Section 10 describes the ontology for authorization and privacy policies. Section 11 concludes by describing the current limitations of the design to date, indicating where further work will be done in future iterations of this deliverable and where further research may still be needed at the end of the TAS3 project. Section 11 also details the standardization work undertaken in the TAS3 project to ensure that the authorization infrastructure is not only built on existing standards but also contributes to future standards in this area.
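Added example, not code from the TAS3 project or from the University of Kent's PERMIS software: a toy model in Python of the three mechanisms the summary above attributes to Sections 2, 3 and 5, namely a master PDP that evaluates several policies of different kinds and resolves conflicts between them, a distinct BTG decision that tells the caller the glass can be broken, and an obligation (here an audit record) that the enforcement point must discharge before releasing the resource. The combining rule (Deny overrides Permit, Permit overrides BTG, NotApplicable from every policy is treated as Deny), the request shape, the sample policies and the names `role_policy`, `no_delete_policy`, `BtgPolicy`, `master_pdp` and `PEP` are assumptions chosen for illustration and are not taken from the deliverable.

```python
"""Toy model of a master PDP with several policy types, deny-overrides conflict
resolution, a Break-the-Glass (BTG) decision and an audit obligation discharged
by the PEP. Illustrative model for this page, not TAS3 or PERMIS code."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    BTG = "BTG"                      # not permitted now, but the glass can be broken
    NOT_APPLICABLE = "NotApplicable"


@dataclass
class Result:
    decision: Decision
    obligations: list = field(default_factory=list)   # (name, params) pairs


# Constructed request shape used throughout: {"subject", "roles", "action", "resource"}.

def role_policy(req):
    """Role-based policy (stands in for a PERMIS policy)."""
    allowed = {"doctor": {"read:ward-record"}, "nurse": {"read:ward-record"}}
    perm = f"{req['action']}:{req['resource']}"
    if any(perm in allowed.get(role, ()) for role in req["roles"]):
        return Result(Decision.PERMIT)
    return Result(Decision.NOT_APPLICABLE)


def no_delete_policy(req):
    """Hard constraint: records are never deleted (stands in for an XACML policy)."""
    if req["action"] == "delete":
        return Result(Decision.DENY)
    return Result(Decision.NOT_APPLICABLE)


class BtgPolicy:
    """Psychiatric records are normally off limits; a clinician may break the glass,
    after which reads are permitted with an obligation to write an audit record."""

    def __init__(self):
        self.broken = set()          # (subject, resource) pairs with the glass broken

    def break_glass(self, subject, resource):
        self.broken.add((subject, resource))

    def __call__(self, req):
        if req["resource"] != "psych-record" or req["action"] != "read":
            return Result(Decision.NOT_APPLICABLE)
        if "clinician" not in req["roles"]:
            return Result(Decision.DENY)          # BTG is not open to everyone
        if (req["subject"], req["resource"]) in self.broken:
            audit = ("audit", {"event": "btg-access", **req})
            return Result(Decision.PERMIT, [audit])
        return Result(Decision.BTG)


def master_pdp(pdps, req):
    """Assumed combining rule: Deny overrides Permit, Permit overrides BTG, and
    NotApplicable from every policy is treated as Deny (closed world).
    Obligations of all permitting policies are merged into the final result."""
    results = [pdp(req) for pdp in pdps]
    decisions = {r.decision for r in results}
    if Decision.DENY in decisions:
        return Result(Decision.DENY)
    if Decision.PERMIT in decisions:
        obligations = [o for r in results if r.decision is Decision.PERMIT
                       for o in r.obligations]
        return Result(Decision.PERMIT, obligations)
    if Decision.BTG in decisions:
        return Result(Decision.BTG)
    return Result(Decision.DENY)


class PEP:
    """Enforcement point: obligations are discharged before the resource is released,
    and a Permit whose obligation cannot be honoured becomes a Deny."""

    def __init__(self, pdps):
        self.pdps = pdps
        self.audit_log = []

    def _discharge(self, name, params):
        if name == "audit":
            self.audit_log.append(params)
            return True
        return False                 # unknown obligation: cannot be honoured

    def request(self, req):
        res = master_pdp(self.pdps, req)
        if res.decision is Decision.PERMIT:
            if not all(self._discharge(n, p) for n, p in res.obligations):
                return Decision.DENY
        return res.decision


if __name__ == "__main__":
    btg = BtgPolicy()
    pep = PEP([role_policy, no_delete_policy, btg])
    doc = {"subject": "bob", "roles": ["doctor", "clinician"],
           "action": "read", "resource": "psych-record"}
    print(pep.request(doc))          # Decision.BTG: bob must break the glass first
    btg.break_glass("bob", "psych-record")
    print(pep.request(doc), pep.audit_log)   # Decision.PERMIT plus one audit record
```

Two design points carry over from the summary: the BTG decision is returned to the caller as a value distinct from Deny, so the client can ask the user to confirm before the glass is broken, and a Permit is only as good as its obligations, so the PEP turns a Permit with an obligation it cannot execute into a Deny rather than releasing the resource unaudited.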
TAS3_D07p1 Design of Identity Management, Authentication and Authorization Infrastructure v1 2.doc (deprecated)
New release of D7.1 (27 April 2009), not accepted by the EC but already made available for early community comment and review. Executive Summary: This document describes the design of the identity management, authentication and authorization infrastructure that is needed in order to achieve the security, trust and privacy objectives of the TAS3 project. Section 2 describes the overall architecture of the identity management, authentication and authorization infrastructure. Section 3 describes the design of the Break the Glass (BTG) infrastructure. BTG allows users who are not normally authorized to access a resource to gain access after first "breaking the glass", in the full knowledge that they will later have to answer to management for doing so. Section 3 also describes how adaptive audit controls can be used to support BTG policies. Section 4 describes the design of a credential aggregation infrastructure in which user credentials can be retrieved, aggregated and validated in dynamically changing environments, even when the user is known by different identities at different identity providers. Section 5 describes the multiple policy authorization evaluation infrastructure, which allows multiple authorization policies written in different languages to be evaluated and any conflicts between them to be resolved before the user is granted access to a resource. Section 6 describes the design of the infrastructure for the dynamic delegation of credentials between the various actors of the system. Section 7 builds on Section 6 and describes how authorization policies can be dynamically managed and updated by multiple, distributed, dynamically allocated administrators. Section 8 describes how policies (especially privacy policies) can be "stuck" to information and transported with it throughout a distributed system.
Section 9 describes the event management infrastructure, which supports the passing of messages between system components via the publish and subscribe paradigm. Section 10 describes the ontology for authorization and privacy policies. Section 11 concludes by describing the current limitations of the design to date, indicating where further work will be done in future iterations of this deliverable and where further research may still be needed at the end of the TAS3 project. Section 11 also details the standardization work undertaken in the TAS3 project to ensure that the authorization infrastructure is not only built on existing standards but also contributes to future standards in this area.
TAS3_D07p1 Design of Identity Management, Authentication and Authorization Infrastructure V1p0.pdf (deprecated)
Design of Identity Management, Authentication and Authorization Infrastructure, V1.0. Deliverable reviewed and accepted by the European Commission. Its executive summary is word for word the same as that of the 27 April 2009 release listed above.
TAS3_D7p2 Open_Source_Software V1p01.pdf
TAS3 D7.2, accepted by the European Commission in March 2010. Executive Summary: This document describes the open source software made available to the TAS3 project and the global community by the Information Systems Security Research Group of the University of Kent. Within the TAS3 project the group has made four software packages publicly available, each of which implements one or more TAS3 components. The currently available packages are:
- A standalone authorisation server package, which provides access control and credential validation functionality. It also provides limited Master PDP functionality, since the authorisation web service can be configured with three different policy types: PERMIS policies, XACML policies and Trust Policies.
- The Secure Audit Trail for Web Services (SAWS) package, which creates a secure audit trail of the messages sent to it and supports off-line searching of that audit trail.
- The Delegation Issuing Service (DIS), which empowers end users to dynamically delegate some of their attributes (privileges) to others in accordance with a delegation policy.
- The PERMIS Policy Editor (PE), which lets users write PERMIS authorisation and delegation policies while being shielded from the underlying XML policy language. It has three modes of operation: the Policy Wizard, the Controlled Natural Language Processing (CNLP) interface, and the main GUI itself.
For the next releases of the software, the following enhancements and additions are planned:
- Standalone authorisation server: its obligation handling (currently only in beta) will be enhanced; full support for Break The Glass authorization decisions will be added; and the Master PDP functionality will be extended to support the dynamic creation of PDPs (needed for sticky policies) and the use of a conflict resolution policy.
- SAWS: the main enhancement will be a web service based search function with proper authorization and filtering of results built in.
- DIS: the push mode of operation will be added, and privacy preserving delegation (delegation by invitation) will be supported.
- Policy Editor: the main GUI is already quite mature and only minor enhancements based on TAS3 user feedback are expected. The CNLP engine, on the other hand, is very new and will be enhanced to parse different variants of existing sentences as well as new sentences, as a result of usability trials currently under way.
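Added example, not code from the TAS3 project, the Delegation Issuing Service or PERMIS: a toy Credential Validation Service in Python showing the chain checks implied by the D7.1 summary's Section 6 (dynamic delegation of credentials verified by a Credential Validation Service) and by the DIS package above (delegation "in accordance with a delegation policy"). Everything concrete here is an assumption chosen for illustration: the issuer keys, an HMAC per issuer standing in for the signature on an X.509 attribute certificate or SAML assertion, the `POLICY` table mapping an attribute to the maximum delegation depth, the rule that depth must strictly decrease at each step, and the names `issue`, `validate_chain` and `Credential`. The page says nothing about these details; the point demonstrated is the general one that each link must be issued by the holder of the previous link, for the attribute actually held, within the depth the delegation policy allows, on a chain rooted at a trusted Source of Authority (SOA).

```python
"""Toy Credential Validation Service (CVS) for a chain of delegated attribute
credentials. Illustrative model for this page, not TAS3 DIS/CVS or PERMIS code."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed issuer keys. A real CVS would verify X.509 attribute certificate or
# SAML assertion signatures; an HMAC keyed per issuer stands in for that here.
KEYS = {"soa": b"k-soa", "alice": b"k-alice", "bob": b"k-bob",
        "carol": b"k-carol", "mallory": b"k-mallory"}

# Assumed delegation policy of the SOA: attribute -> maximum delegation depth
# the SOA may grant. An attribute missing from the table is not delegatable.
POLICY = {"role=doctor": 2, "role=admin": 0}


@dataclass(frozen=True)
class Credential:
    issuer: str
    holder: str
    attribute: str      # e.g. "role=doctor"
    depth: int          # further delegation steps the holder may still make
    mac: bytes


def _tbs(issuer, holder, attribute, depth):
    """Bytes covered by the signature (the to-be-signed part)."""
    return f"{issuer}|{holder}|{attribute}|{depth}".encode()


def issue(issuer, holder, attribute, depth):
    """The issuer (the SOA or a delegating holder) signs a credential with its key."""
    mac = hmac.new(KEYS[issuer], _tbs(issuer, holder, attribute, depth),
                   hashlib.sha256).digest()
    return Credential(issuer, holder, attribute, depth, mac)


def _signature_ok(c):
    if c.issuer not in KEYS:
        return False
    expected = hmac.new(KEYS[c.issuer],
                        _tbs(c.issuer, c.holder, c.attribute, c.depth),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, c.mac)


def validate_chain(chain, trusted_soa, policy):
    """Walk from the SOA-issued root credential to the leaf.
    Returns (valid, reason) so the caller can log why a chain was rejected."""
    if not chain:
        return False, "empty chain"
    root = chain[0]
    if root.issuer != trusted_soa:
        return False, "root credential not issued by the trusted SOA"
    if root.depth > policy.get(root.attribute, -1):
        return False, "root credential exceeds the depth the delegation policy allows"
    prev = None
    for i, c in enumerate(chain):
        if not _signature_ok(c):
            return False, f"link {i}: bad signature"
        if prev is not None:
            if c.issuer != prev.holder:
                return False, f"link {i}: issuer {c.issuer} does not hold the previous credential"
            if c.attribute != prev.attribute:
                return False, f"link {i}: delegated attribute differs from the one held"
            if prev.depth <= 0:
                return False, f"link {i}: {c.issuer} may not delegate further"
            if c.depth >= prev.depth:
                return False, f"link {i}: delegation depth must strictly decrease"
        prev = c
    return True, f"{chain[-1].holder} validly holds {chain[-1].attribute}"


if __name__ == "__main__":
    soa_alice = issue("soa", "alice", "role=doctor", 2)
    alice_bob = issue("alice", "bob", "role=doctor", 1)
    print(validate_chain([soa_alice, alice_bob], "soa", POLICY))
    # Tampering with the depth after issuance breaks the signature on that link.
    tampered = Credential("alice", "bob", "role=doctor", 5, alice_bob.mac)
    print(validate_chain([soa_alice, tampered], "soa", POLICY))
```

The order of the checks matters for the error reported, not for security: every rejected chain is rejected, but checking the signature before the semantic rules means a forged link is reported as such rather than as a policy violation. The depth rule is what keeps delegation least-privilege: a holder can hand on at most what it was given, and the chain terminates by construction.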
