4th Annual PKI R&D Workshop "Multiple Paths to Trust" Proceedings

This paper analyses the simplicity of the trust model adopted by the Shibboleth infrastructure and describes an enhanced distributed trust model and authorisation decision making capability that can be implemented by using X.509 attribute certificates and a Privilege Management Infrastructure such as PERMIS. Several different combinatorial approaches can be taken, depending upon the trust models adopted by the Shibboleth target and origin sites, and each of these are described. The paper also discusses whether user privacy, which is strongly protected by Shibboleth, is bound to be weakened by the use of X.509 attribute certificates rather than simple attributes, and concludes that this does not have to be the case.

[1]  Aman Shaikh,et al.  Routing stability in congested networks: experimentation and analysis , 2000 .

[2]  Ian T. Foster,et al.  The anatomy of the grid: enabling scalable virtual organizations , 2001, Proceedings First IEEE/ACM International Symposium on Cluster Computing and the Grid.

[3]  David W. Chadwick,et al.  RBAC Policies in XML for X.509 Based Privilege Management , 2002, SEC.

[4]  Von Welch,et al.  Fine-Grain Authorization Policies in the GRID: Design and Implementation , 2003, Middleware Workshops.

[5]  Steven Tuecke,et al.  X.509 Proxy Certificates for Dynamic Delegation , 2004 .

[6]  David Wasley,et al.  Shibboleth Architecture Protocols and Profiles , 2005 .

[7]  Hovav Shacham,et al.  Sequential Aggregate Signatures from Trapdoor Permutations , 2004, EUROCRYPT.

[8]  Daniel Behnen,et al.  Improving BGP Convergence Through Consistency Assertions , 2004 .

[9]  Sandra L. Murphy,et al.  BGP Security Vulnerabilities Analysis , 2006, RFC.

[10]  John T. Kohl,et al.  The Kerberos Network Authentication Service (V5 , 2004 .

[11]  Steven Tuecke,et al.  Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile , 2004, RFC.

[12]  David W. Chadwick,et al.  Role-Based Access Control With X.509 Attribute Certificates , 2003, IEEE Internet Comput..

[13]  Burton S. Kaliski PKCS #10: Certification Request Syntax Version 1.5 , 1998, RFC.

[14]  Donald F. Ferguson,et al.  The WS-Resource Framework , 2004 .

[15]  David W. Chadwick,et al.  Adding Distributed Trust Management to Shibboleth , 2005 .

[16]  Ralph C. Merkle,et al.  A Certified Digital Signature , 1989, CRYPTO.

[17]  Evangelos Kranakis,et al.  Pretty Secure BGP, psBGP , 2005, NDSS.

[18]  David W. Chadwick,et al.  Using SAML to Link the Globus Toolkit to the Permis Authorisation Infrastructure , 2004, Communications and Multimedia Security.

[19]  Dennis G. Kafura,et al.  First experiences using XACML for access control in distributed systems , 2003, XMLSEC '03.

[20]  Deborah Estrin,et al.  The impact of policy on internet paths , 2001, INFOCOM 2001.

[21]  Russ White Architecture and Deployment Considerations for Secure Origin BGP (soBGP) , 2006 .

[22]  Butler W. Lampson,et al.  SPKI Certificate Theory , 1999, RFC.

[23]  David M. Nicol,et al.  An analysis of convergence properties of the border gateway protocol using discrete event simulation , 2003 .

[24]  Stephen Farrell,et al.  Internet X.509 Public Key Infrastructure Certificate Management Protocols , 1999, RFC.

[25]  Steven Tuecke,et al.  An online credential repository for the Grid: MyProxy , 2001, Proceedings 10th IEEE International Symposium on High Performance Distributed Computing.

[26]  Kan Zhang,et al.  Efficient Protocols for Signing Routing Messages , 1998, NDSS.

[27]  Ian T. Foster,et al.  Security for Grid services , 2003, High Performance Distributed Computing, 2003. Proceedings. 12th IEEE International Symposium on.

[28]  Ramesh Govindan,et al.  Route flap damping exacerbates internet routing convergence , 2002, SIGCOMM 2002.

[29]  Ralph C. Merkle,et al.  Protocols for Public Key Cryptosystems , 1980, 1980 IEEE Symposium on Security and Privacy.

[30]  Scott Knight,et al.  Scalability Issues in PMI Delegation , 2002 .

[31]  J. J. Garcia-Luna-Aceves,et al.  Efficient security mechanisms for the border gateway routing protocol , 1998, Comput. Commun..

[32]  Yakov Rekhter,et al.  A Border Gateway Protocol 4 (BGP-4) , 1994, RFC.

[33]  Volker Roth,et al.  Listen and whisper: security mechanisms for BGP , 2004 .

[34]  Sean W. Smith,et al.  Evaluation of efficient security for BGP route announcements using parallel simulation , 2004, Simul. Model. Pract. Theory.