wiki:AuthStoryBoard

Version 1 (modified by chase@cs.duke.edu, 13 years ago) (diff)

New page for the Gospel According to Chase.

This is a work in progress, 12/6/11 (Jeff Chase).

This page is the portal to a series of ppt twitters dealing with GENI's emerging federated authorization system, with a strong dose of advocacy for declarative trust management with automated inference, using a role-based trust delegation logic ("ABAC"). A ppt twitter is a powerpoint deck with a soft limitation of 20 slides.

Although this space focuses on authorization, it also bears on related topics that are often intertwined with GENI "control framework architecture". The various testbeds predating GENI evolved various authorization structures to meet the practical needs of testbed deployments. Much of the activity in the GENI control framework space (e.g., the SFA effort) is best understood as an exercise in retrofitting federation support onto these testbeds, so that we may interconnect them. At the same time, the GPO has envisioned a system with strong central control and safety restraints, e.g., through a "Clearinghouse" that performs various authorization functions centrally. The challenge of bridging the gap has led GENI architects to spend a lot of time talking about authorization structure. Some very large GPO Control Framework documents that circulated in 2009 deal almost exclusively with authorization.

One goal of this work is to cleanly separate the authorization entities that were bundled together in the Clearinghouse and various testbed frameworks (identity management and authorization of GENI projects and slices), and separate them from questions of control framework architecture. Once they are separated, we can see that authorization in GENI is an exercise in applying well-understood principles of federated identity, trust management, delegation logic, and role-based trust. Work on these topics in the decade preceding GENI yielded key research breakthroughs and reasonably mature tools. There have also been large investments in federated identity deployments: Shibboleth, SAML, inCommon.

Attachments (8)