The requirements are of two types: CONSENSUS and SITE. CONSENSUS requirements are those required by all sites participating in this project. The reader should have high confidence that these are generally required by large sites. SITE requirements are tagged with the site that imposes the requirement. One example of a SITE requirement is the minimum level of authentication strength required for each access level.
Current status of this document is DRAFT and it is a work in progress. Comments and requests for clarification are welcomed.
1) Authentication:
Multiple levels of Minimum Authentication Strength requirements
are expected, depending on the type of access requested. So far
the following levels have been proposed (higher levels inherit
all preceding requirements):
1.1) File transfer and "canned job" execution
1.2) Batch jobs
    Revocation service for all long-lived PKI credentials [FNAL]
        latency must be less than the maximum lifetime of short-lived credentials
    Revocation service must fail closed (Default DENY)
    No user read access to private keys with lifetime > 1 Msec. [FNAL]
1.3) Login access
1.4) Privileged Account login access
2) Authorization:
2.1) Presentation of identity certificate of original requester
with all authentication requests. [CONSENSUS]
2.2) Uniform API for (optionally mandatory) site authorization
service request. [CONSENSUS]
2.2.1) MUST return Boolean status indicating approval. [CONSENSUS]
2.2.2) SHOULD return local identity string.
(Optionally return local authentication token ?)
2.3) Any renewal service for credentials MUST reinvoke the
authorization chain. [CONSENSUS]
2.3.1) (Do we specify that upon DENY response, tasks MUST abort ?)
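As an added illustration (not part of this draft or any PPDG software), the following Python sketches the uniform site authorization call of 2.2, fed with the original requester's certificate subject (2.1), backed by a revocation check that fails closed (1.2), and re-invoked on credential renewal (2.3). The account table, the revoked subject and the abort-on-DENY behaviour for 2.3.1 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample site data (not from the PPDG document): certificate
# subject DN of the original requester -> local account name.
SITE_ACCOUNTS = {
    "/DC=org/DC=example/CN=Alice Researcher": "alice",
    "/DC=org/DC=example/CN=Bob Operator": "bob",
}
# Constructed revocation list standing in for the site's revocation service.
REVOKED_SUBJECTS = {"/DC=org/DC=example/CN=Bob Operator"}

@dataclass(frozen=True)
class Decision:
    approved: bool                         # 2.2.1: Boolean status (MUST)
    local_identity: Optional[str] = None   # 2.2.2: local identity string (SHOULD)

def is_revoked(subject: str, lookup: Callable[[str], bool]) -> bool:
    """Revocation check that fails closed (Default DENY): if the revocation
    service cannot be consulted, the credential is treated as revoked."""
    try:
        return lookup(subject)
    except Exception:
        return True

def authorize(subject: str,
              lookup: Callable[[str], bool] = lambda s: s in REVOKED_SUBJECTS) -> Decision:
    """Uniform site authorization call (2.2). The caller presents the identity
    certificate subject of the original requester (2.1); the service answers
    with a Boolean and, on approval, the mapped local identity."""
    if is_revoked(subject, lookup):
        return Decision(approved=False)
    local = SITE_ACCOUNTS.get(subject)
    if local is None:
        return Decision(approved=False)
    return Decision(approved=True, local_identity=local)

def renew(subject: str,
          lookup: Callable[[str], bool] = lambda s: s in REVOKED_SUBJECTS) -> Decision:
    """Credential renewal re-invokes the full authorization chain (2.3) rather
    than trusting the earlier decision. Aborting on DENY is the answer this
    example assumes for the open question in 2.3.1."""
    decision = authorize(subject, lookup)
    if not decision.approved:
        raise PermissionError(f"renewal denied for {subject}; task must abort")
    return decision

def unreachable(_subject: str) -> bool:
    """Stand-in for a revocation service that is down (exercises fail-closed)."""
    raise ConnectionError("revocation service unreachable")
```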
3) Accounting:
_______________________________________________
Ppdg-siteaa mailing list
Ppdg-siteaa@ppdg.net
http://www.ppdg.net/mailman/listinfo/ppdg-siteaa
PPDG Site AAA Mailing List
Last modified: Wed Sep 4 10:23:56 CDT 2002