The overall goal of this project is to provide assured, policy-based
access control for computer-mediated resources that operate in wide-area
network environments, such as data archives and instrument systems; for
grid services such as network monitoring, computing resources and data
transfer; and potentially for fine-grained, object-method-level access
control (such as might be used to implement method access in the WebDAV
protocol).
We propose to continue investigating and implementing practical
solutions to the security needs of distributed systems, based on the
emerging PKI standards and implementations. In particular, we propose to
provide a modular authorization service that compares a requestor's
authenticated X.509 identity certificate with a set of signed policy
documents describing the access policy for the requested resource. These
policy documents are created and maintained by the stakeholders for the
resource, independently of the resource server platform.
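As an added illustration of the authorization model just described (example code written for this page, not Akenti's own implementation), the Go program below has a stakeholder sign a policy document with ECDSA and a resource server verify that signature before comparing the requester's X.509 subject against the policy. The JSON policy layout, the `Policy`, `SignedPolicy`, `Authorize` and `Demo` names, the matching on certificate common name, and the self-signed test certificates are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"math/big"
	"time"
)

// Policy is a hypothetical stakeholder-authored document (constructed JSON layout, not Akenti's schema).
type Policy struct {
	Resource   string   `json:"resource"`
	Action     string   `json:"action"`
	AllowedCNs []string `json:"allowed_cns"` // certificate subject CNs permitted to act
}

// SignedPolicy carries the serialized policy and the stakeholder's ECDSA/SHA-256 signature over it.
type SignedPolicy struct {
	Doc []byte
	Sig []byte
}

func check(err error) {
	if err != nil {
		panic(err) // setup failures in this demo are fatal
	}
}

// SignPolicy is what a stakeholder runs, independently of the resource server.
func SignPolicy(p Policy, key *ecdsa.PrivateKey) SignedPolicy {
	doc, err := json.Marshal(p)
	check(err)
	h := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	check(err)
	return SignedPolicy{Doc: doc, Sig: sig}
}

// VerifyPolicy checks the signature with the trusted stakeholder key before any content is used.
func VerifyPolicy(sp SignedPolicy, stakeholder *ecdsa.PublicKey) (Policy, error) {
	h := sha256.Sum256(sp.Doc)
	if !ecdsa.VerifyASN1(stakeholder, h[:], sp.Sig) {
		return Policy{}, errors.New("policy signature invalid")
	}
	var p Policy
	err := json.Unmarshal(sp.Doc, &p)
	return p, err
}

// Authorize compares the requester's already-authenticated X.509 certificate (e.g. from TLS
// client auth) with the signed policies; unverifiable policies are skipped and the default is deny.
func Authorize(cert *x509.Certificate, resource, action string, policies []SignedPolicy, stakeholder *ecdsa.PublicKey) bool {
	for _, sp := range policies {
		p, err := VerifyPolicy(sp, stakeholder)
		if err != nil || p.Resource != resource || p.Action != action {
			continue
		}
		for _, cn := range p.AllowedCNs {
			if cn == cert.Subject.CommonName {
				return true
			}
		}
	}
	return false
}

// testCert builds a self-signed certificate standing in for a CA-issued identity certificate.
func testCert(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// Demo covers a permitted subject, a subject absent from the policy, and a policy edited after signing.
func Demo() (alice, mallory, tampered bool) {
	stakeholder, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	pub := &stakeholder.PublicKey
	sp := SignPolicy(Policy{Resource: "/archive/run42", Action: "read", AllowedCNs: []string{"alice"}}, stakeholder)
	alice = Authorize(testCert("alice"), "/archive/run42", "read", []SignedPolicy{sp}, pub)
	mallory = Authorize(testCert("mallory"), "/archive/run42", "read", []SignedPolicy{sp}, pub)
	// Genuine signature reused over an edited document: verification fails, so access is denied.
	forged := SignedPolicy{Sig: sp.Sig, Doc: []byte(
		`{"resource":"/archive/run42","action":"read","allowed_cns":["alice","mallory"]}`)}
	tampered = Authorize(testCert("mallory"), "/archive/run42", "read", []SignedPolicy{forged}, pub)
	return
}
```

The separation matters for the design described above: the stakeholder holds the signing key and edits policy wherever it likes, while the resource server only needs the stakeholder's public key and will refuse any policy whose signature does not verify, so a document altered in transit or on the server's disk cannot widen access.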
In addition, future work will focus on integrating our authorization
mechanism with the core of emerging standards such as the IETF's proxy
certificates with rights restrictions, the XML access-control and policy
languages SAML and XACML, and the Grid services (WSRF) authorization
standards. We plan to expand the Akenti policy implementation in order
to integrate it with a grid monitoring system and to provide access
control for secure multicast groups.
For more information, see the 2-page project summary prepared for the
March 2004 SciDAC PI's meeting.