Internet Engineering Task Force (IETF)                     R. Smith, Ed.
Request for Comments: 7832                                          Jisc
Category: Informational                                         May 2016
ISSN: 2070-1721
        

Application Bridging for Federated Access Beyond Web (ABFAB) Use Cases

Abstract

Federated identity is typically associated with web-based services at present, but there is growing interest in its application in non-web-based contexts. The goal of this memo is to document a selection of the wide variety of these contexts whose user experience could be improved through the use of technologies based on the Application Bridging for Federated Access Beyond web (ABFAB) architecture and specifications.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7832.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
   2. Context of Use Cases
   3. Use Cases
      3.1. Cloud Services
           3.1.1. Cloud-Based Application Services
           3.1.2. Cloud-Based Infrastructure Services
      3.2. High-Performance Computing
      3.3. Grid Infrastructure
      3.4. Databases and Directories
      3.5. Media Streaming
      3.6. Printing
      3.7. Accessing Applications from Devices on a Telecoms Infrastructure
      3.8. Enhanced Security Services for S/MIME
      3.9. Smart Objects
   4. Security Considerations
   5. References
      5.1. Normative References
      5.2. Informative References
   Acknowledgments
   Contributors
   Author's Address

1. Introduction

Federated identity facilitates the controlled sharing of information about people (a.k.a. "principals"), commonly across organizational boundaries. This avoids redundant registration of principals who operate in and across multiple domains, both reducing the administrative overhead for the organizations involved and improving the usability of systems for the principal. Simultaneously, it can also help address privacy-related concerns, along with the regulatory and statutory requirements of some jurisdictions.

The information that is passed between organizations may include authentication state and identity information that can be used for many purposes, including making access management decisions. A number of mechanisms support the transmission of this information for web-based scenarios in particular (e.g., the Security Assertion Markup Language (SAML) [OASIS.saml-profiles-2.0-os]), but there is significant interest in the more general application of federated identity to include non-web use cases. This document enumerates some of these use cases, describing how technologies based on the ABFAB architecture [RFC7831] and specifications could be used.

2. Context of Use Cases

The use cases described in this document are a result of work led by Jisc, the operator of the United Kingdom's education and research network, responding to requirements from its community. These use cases have also been augmented by various inputs from the IETF community.

The ABFAB architecture and specifications enable authentication and authorization to occur across organizational boundaries. For many applications, principals need not have pre-instantiated accounts that their federated identity maps to before their first visit to that application; the application can perform this process on the fly. In cases where such accounts are required for particular applications, the pre-provisioning process is out of scope; the ABFAB technology assumes that any such requirements have already been fulfilled. Standards-based work of note that would assist with this pre-provisioning of accounts includes the standards and specifications produced by the IETF SCIM working group.
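
The on-the-fly account mapping described above, placed next to the pre-provisioned path it is contrasted with, as an added example that is not part of RFC 7832 or of any ABFAB implementation: a relying application keys its local accounts by the pair (IdP realm, asserted subject), instantiates an account on a principal's first visit, and can alternatively accept a SCIM 2.0 core User record (RFC 7643) supplied by an out-of-band provisioning step. The assertion fields, the `externalId` convention of `<realm>/<subject>`, the `Application` class and every name in it are assumptions made for this example.

```python
"""Added example, not text from RFC 7832: on-the-fly account mapping for a
federated principal, beside the SCIM-based pre-provisioning path. The
assertion layout, the externalId convention and all names are assumptions."""
from dataclasses import dataclass, field

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"   # RFC 7643 core User schema


@dataclass
class LocalAccount:
    uid: str
    realm: str            # the IdP's realm as carried in the federated exchange (assumed field)
    subject: str          # the identifier the IdP asserted for the principal
    display_name: str


@dataclass
class Application:
    """Relying application that keys accounts by (realm, subject). The display
    name is deliberately not part of the key: names change, and two principals
    at different realms may share one, so a name must never select an account."""
    accounts: dict = field(default_factory=dict)
    next_uid: int = 1000

    def _create(self, realm, subject, display_name):
        acct = LocalAccount(f"u{self.next_uid}", realm, subject, display_name)
        self.next_uid += 1
        self.accounts[(realm, subject)] = acct
        return acct

    def resolve(self, assertion):
        """Map a federated assertion (constructed dict) to a local account,
        instantiating one on the principal's first visit: the on-the-fly case."""
        realm, subject = assertion["realm"], assertion["subject"]
        acct = self.accounts.get((realm, subject))
        if acct is None:
            acct = self._create(realm, subject, assertion.get("displayName", subject))
        return acct

    def provision_from_scim(self, user):
        """Pre-provisioning path: accept a SCIM core User whose externalId carries
        '<realm>/<subject>' (assumed convention) so that a later federated login
        lands on this account. A record that collides with an existing account
        is refused rather than silently merged."""
        if SCIM_USER not in user.get("schemas", []):
            raise ValueError("not a SCIM core User")
        realm, subject = user["externalId"].split("/", 1)
        if (realm, subject) in self.accounts:
            raise ValueError("account already exists")
        return self._create(realm, subject, user.get("displayName", user["userName"]))


def scim_user(realm, subject, display_name):
    """Build the SCIM core User record a provisioning client would POST to /Users."""
    return {
        "schemas": [SCIM_USER],
        "userName": f"{subject}@{realm}",
        "externalId": f"{realm}/{subject}",
        "displayName": display_name,
        "active": True,
    }
```

The point a reviewer should check in either path is the key: an account must be selected by the identifier the IdP actually asserts, scoped to that IdP, and never by a mutable or user-chosen attribute such as a display name, otherwise a principal who can set such an attribute at one IdP can land on another principal's account.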

3. Use Cases

This section describes some of the various potential use cases where technologies based on the ABFAB architecture and specifications could help improve the user experience; each includes a brief description of how current technologies attempt to solve the use cases and how this could be improved upon by ABFAB implementations.

3.1. Cloud Services

Cloud computing is emerging as a common way of provisioning infrastructure services in an on-demand manner. These services are typically offered as one of three models:

o General infrastructure services such as computing power, networks, storage, and utilities ("Infrastructure as a Service", or IaaS);

o Software stacks or platforms such as database servers, web servers, and application runtime environments ("Platform as a Service", or PaaS);

o Common application software such as email, shared storage, business applications such as Customer Relationship Management (CRM), or scientific applications ("Software as a Service", or SaaS).

In many cases, the provisioned cloud infrastructures and applications need to be integrated with existing infrastructure of the organization, and it is of course desirable if this could be achieved in a way that allows business or scientific workflows to act across infrastructure -- both across the cloud and in the local infrastructure -- in as seamless a manner as possible.

There are two main areas where federated access fits in cloud computing:

o Using federation to help mediate access to cloud-based application services (e.g., cloud-provided email or CRM systems);

o Using federation to help mediate access to the management of cloud-based infrastructure services.

3.1.1. Cloud-Based Application Services

Many organizations are seeking to deliver services to their users through the use of providers based in the "cloud". This is typically motivated by a desire to avoid management and operation of commodity services that, through economies of scale and so forth, can often be delivered more efficiently by such providers.

Many providers already provide web-based access using conventional federated authentication mechanisms -- for example, outsourced email provision where federated access is enabled using "webmail" applications where access is mediated through the use of SAML [OASIS.saml-profiles-2.0-os]. This use of federated authentication enables organizations that consume cloud services to more efficiently orchestrate the delivery of these services to their users and also enables single sign-on to the services for these users.

Frequently, however, users will prefer to use desktop applications that do not use web (i.e., HTTP-based) protocols. For example, a desktop email client may use a variety of non-web protocols, including SMTP [RFC5321], IMAP [RFC3501], and the Post Office Protocol (POP) [RFC1939]. Some cloud providers support access to their services using non-web protocols; however, the authentication mechanisms used by these protocols will typically require that the provider has access to the user's credentials, i.e., they are non-federated. Consequently, the provider will require either that users' credentials are regularly synchronized from the user organization to the provider, with the obvious overhead this imparts on the organization along with the obvious implications for security and privacy (the provider now holds a copy of every synchronized credential), or that credentials are provisioned directly by the provider to the user.

The latter approach of directly provisioning accounts may be acceptable in the case where an organization has relationships with only a small number of providers, but this approach may become untenable if an organization obtains services from many providers. Consequently, any organization with a requirement to use non-web protocols would prefer to make use of the credentials that they have already provisioned their users with, and to utilize federated authentication with non-web protocols to obtain access to cloud-based providers.

ABFAB could help in this context, as its specifications would enable federated authentication for a variety of non-web protocols, thus gaining the benefits of federated authentication without any of the drawbacks that are currently experienced.

3.1.2. Cloud-Based Infrastructure Services

Typical IaaS or PaaS cloud use cases deal with provisioning on-demand cloud-based infrastructure services that may include infrastructure components such as computing and storage resources, network infrastructure, and other utilities. Cloud-based virtualized applications should ideally operate in the same way as regular non-virtualized applications whilst allowing management of the virtual computing resources (scaling, migration, reconfiguration) without changing the management applications.

In many cases, moving applications or platforms to the cloud may require their redesigning/refactoring to support dynamic deployment and configuration, including their security services, and authentication and authorization services. These will typically today be extensively based on manual setup and configuration of such components and features as trusted certificates and trust anchors, authorities and trusted services (both their location and certificates), attribute namespaces, and policies.

ABFAB could help in this context as a way of moving from the model of manually configured authentication and authorization towards a more easily managed system involving federated trust and identity, and ABFAB will be applicable for a wide range of existing features (e.g., connecting to a newly provisioned Virtual Machine through ABFAB-enabled Secure Shell (SSH) [RFC4251] instead of having to manually manage an administrative login to that machine).

3.2. High-Performance Computing

High-Performance Computing (HPC) is a discipline that uses supercomputers and computer clusters to solve complex computation problems; it is most commonly associated with scientific research or computational science.

Access to HPC resources, often mediated through technologies such as SSH, is typically managed through the use of user digital certificates [RFC5280] or through manually provisioned credentials and accounts. This requires HPC operators to issue certificates or accounts to users using a registration process that often duplicates identity management processes that already exist within most user organizations. The HPC community would like to utilize federated identity to perform both the user registration and authentication functions required to use HPC resources, and so reduce costs by avoiding this duplication of effort.

The HPC community also have the following additional requirements:

o Improve business continuity: In the event of operational issues at an HPC system at one organization (for example, a power failure), users and jobs could be transparently moved to other HPC systems without the overhead of having to manage user credentials for multiple organizations;

o Establish "HPC as a service": Many organizations who have invested in HPC systems want to make their systems easily available to external customers. Federated authentication facilitates this by enabling these customers to use their existing identity management, user credentialing, and support processes;

o Improve the user experience: Authentication to HPC systems is normally performed using user digital certificates, which some users find difficult to use. Federated authentication can provide a better user experience by allowing the use of other types of credentials, without requiring technical modifications to the HPC system to support these.

ABFAB could help in this context, as it could enable federated authentication for many of the protocols and technologies currently in use by HPC providers, such as SSH.

3.3. Grid Infrastructure

Grids are large-scale distributed infrastructures, consisting of many loosely coupled, independently managed, and geographically distributed resources managed by organizationally independent providers. Users of grids utilize these resources using grid middleware that allows them to submit and control computing jobs, manipulate datasets, communicate with other users, etc. These users are organized into Virtual Organizations (VOs); each VO represents a group of people working collaboratively on a common project. VOs facilitate both the management of their users and the mediation of agreements between their users and resource providers.

Authentication and authorization within most grids are performed using a Public Key Infrastructure, requiring each user to have an X.509 public-key certificate [RFC5280]. Authentication is performed through ownership of a particular certificate, while authorization decisions are made based on the user's identity (derived from their X.509 certificate), membership of a particular VO, or additional information assigned to a user by a VO. While efficient and scalable, this approach has been found wanting in terms of usability -- many users find certificates difficult to manage, for various reasons.

One approach to ameliorating this issue, adopted to some extent by some grid communities already, is to abstract away direct access to certificates from users, instead using alternative authentication mechanisms and then converting the credential provided by these into standard grid certificates. Some implementations of this idea use existing federated authentication techniques. However, current implementations of this approach suffer from a number of problems, not the least of which is the inability to use the federated credentials used to authenticate to a credential-conversion portal to also directly authenticate to non-web resources such as SSH daemons.

The ability to use federated authentication directly through ABFAB, without the use of a credential-conversion service, would allow users to authenticate to a grid and its associated services, allowing them to directly launch and control computing jobs, all without having to manage, or even see, an X.509 public-key certificate at any point in the process. Authorization within the grid would still be performed using VO membership as asserted by the user's Identity Provider (IdP) through the federated transport.

3.4. Databases and Directories

Databases (e.g., MySQL, PostgreSQL, Oracle) and directory technologies (e.g., OpenLDAP (http://www.openldap.org/), Microsoft Active Directory, Novell eDirectory) are very commonly used within many organizations for a variety of purposes. Such purposes can include core administrative functions, such as hosting identity information for its users, as well as business functions (e.g., student records systems at educational organizations).

Access to such database and directory systems is usually provided for internal users only; however, users external to the organizations sometimes require access to these systems directly -- for example, external examiners in educational organizations requiring access to student records systems, members of cross-organizational project teams who store information in a particular organization's systems, and external auditors.

Credentials for users either internal or external to the organization that allow access to these databases and directories are usually provisioned manually within an organization, either using identity management technologies or through more manual processes. For the internal users, this situation is fine -- this is one of the mainstays of identity management. However, for external users who require access, this represents more of a problem for organizational processes. The organization has to either (1) add these external users to its internal identity management systems or (2) provision these credentials directly within the database/directory systems and continue to manage them, including appropriate access controls associated with each credential, for the lifetime of that credential.

Federated authentication to databases or directories, via ABFAB technologies, would improve upon this situation, as it would remove the need to provision and de-provision credentials to access these systems. Organizations may still wish to manually manage access control of federated identities; however, even this could be provided through federated means, if the trust relationship between organizations was strong enough for the organization providing the service to rely upon it for this purpose.

3.5. Media Streaming

Media streaming services (audio or audio/video) are often provided publicly to anonymous users, but authentication is important for a protected subset of streams where rights management and access control must be applied.

Streams can be delivered via protocols that already include authentication, such as the Real Time Streaming Protocol (RTSP) [RFC2326] or RTP [RFC3550], or can be published in an encrypted form with keys only being distributed to trusted users. Federated authentication is applicable to both of these cases.

Alternative mechanisms to managing access exist -- for example, an approach where a unique stream URI is minted for each user. However, this relies on preserving the secrecy of the stream URI (the URI is in effect a bearer credential: anyone who learns it can fetch the stream) and also requires a communication channel between the web page used for authentication and the streaming service itself. Federated authentication would be a better fit for this kind of access control. Thus, ABFAB technologies that allow federated authentication directly within (inherently non-web) media streaming protocols would represent an enhancement to this area.

3.6. Printing

A visitor from one organization to the premises of another often requires the use of print services. Their home organization may of course offer printing, but the output could be a long way away, so the home service is not useful. The user will typically want to print from within a desktop or mobile application.

Where this service is currently offered, it would usually be achieved through the use of "open" printers (i.e., printers that allow anonymous print requests), where printer availability is advertised through the use of Bonjour or other similar protocols. If the organization requires authenticated print requests (usually for accounting purposes), the visitor would usually have to be given credentials that allow this, often supplemented with pay-as-you-go style payment systems.

Adding federated authentication to the Internet Printing Protocol (IPP) [RFC2911] (and other relevant protocols) would enable this kind of remote printing service without the administrative overhead of credentialing these visitors (who, of course, may well be one-time visitors to the organization). This would be immediately applicable to higher education, where this use case is increasingly important thanks to the success of federated network authentication systems such as eduroam (https://www.eduroam.org), but could also be used in other contexts such as commercial print kiosks, or in large heterogeneous organizations.

3.7. Accessing Applications from Devices on a Telecoms Infrastructure

Telecom operators typically have the following properties:

o A large collection of registered users, many of whom may have identities registered to a fairly high level of assurance (often for payment purposes). However, not all users will have this property -- for example, non-contract customers on mobile telecoms infrastructures in countries with low levels of identity registration requirements.

o An existing network infrastructure capable of authenticating a device (e.g., a cellphone or an Asymmetric Digital Subscriber Line (ADSL) router) and, by inference, its owner.

o A large collection of applications (both web-based and non-web-based) that its users wish to access using their devices. These applications could be hosted by the telecom operator directly, or they could be any application or system on the internet -- for example, network messaging services, VoIP, or email.

At present, authentication to these applications will be typically configured manually by the user on the device (or on a different device connected to that device) by inputting their (usually pre-provisioned out of band) credentials for that application -- one per application.

The use of ABFAB technologies in this case, via a mechanism dubbed "federated cross-layer access" (see [FCLA]) would greatly enhance the user experience of using these applications through devices. Federated cross-layer access would make use of the initial mutual authentication between device and network, to allow subsequent authentication and authorization to happen in a seamless manner for the user of that device authenticating to applications.

3.8. Enhanced Security Services for S/MIME

There are many situations where organizations want to protect information with robust access control, either for implementation of intellectual property right protections, for enforcement of contractual confidentiality agreements, or because of legal regulations. The Enhanced Security Services (ESS) for S/MIME defines an access control mechanism that is enforced by the recipient's client after decryption of the message (see [MSG-AC-REQ]). The data model used makes use of Policy Decision Points (PDPs), which make the policy decisions; Policy Enforcement Points (PEPs), which make decision requests to the PDP; and Policy Information Points (PIPs), which issue attributes about subjects. The decisions themselves are based on the policies and on the subject attributes.

The use of ABFAB technologies in this case would enable both the front-end and back-end attribute exchange required to provide subject attributes. When the PEP contacts the PDP, it would initiate an ABFAB authentication in order to authenticate to the PDP and allow it to obtain these required subject attributes. Once authenticated, the PDP would return a token to the subject PEP that could then be used for subsequent authentications to the PDP.
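
The PEP/PDP/PIP exchange described above, modelled as an added example that is not part of RFC 7832 or of any ESS implementation: once the PEP's ABFAB authentication to the PDP has completed (represented here simply by the authenticated subject name handed to `issue_token`), the PDP obtains the subject's attributes from the PIP, binds them with an expiry into a MAC-protected token, and later evaluates a message's label against those attributes whenever the PEP presents the token. The token format, the label fields, the clearance ordering, the `PIP`/`PDP`/`PEP` classes and all names are assumptions made for this example.

```python
"""Added example, not text from RFC 7832: the ESS PEP/PDP/PIP decision flow
of Section 3.8 in Python. The ABFAB authentication is represented by an
already-authenticated subject name; token, label and policy are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Ordering of classifications used by the example policy (an assumption).
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2}


class PIP:
    """Policy Information Point: issues attributes about subjects. In an ABFAB
    deployment these are the attributes the subject's IdP releases; the
    directory here is a constructed stand-in."""

    def __init__(self, directory):
        self._directory = directory

    def attributes(self, subject):
        return dict(self._directory.get(subject, {}))


class PDP:
    """Policy Decision Point: issues a token once a PEP has authenticated,
    then answers decision requests that present the token."""

    def __init__(self, key, pip, ttl=3600, now=time.time):
        self._key = key        # secret known only to the PDP (assumed)
        self._pip = pip
        self._ttl = ttl
        self._now = now        # injectable clock so expiry can be exercised

    def _mac(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue_token(self, subject):
        """Called when the PEP's ABFAB authentication of `subject` has completed.
        The PDP fetches the subject's attributes from the PIP and binds them,
        with an expiry, into a token the PEP presents on later requests."""
        claims = {"sub": subject, "exp": int(self._now()) + self._ttl,
                  "attrs": self._pip.attributes(subject)}
        payload = json.dumps(claims, sort_keys=True).encode()
        body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
        return body + "." + self._mac(payload)

    def _verify(self, token):
        """Return the claims if the MAC matches and the token is unexpired."""
        try:
            body, mac = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        except (ValueError, TypeError):
            return None
        if not hmac.compare_digest(mac, self._mac(payload)):
            return None
        claims = json.loads(payload)
        if claims["exp"] <= self._now():
            return None
        return claims

    def decide(self, token, label):
        """Decision request from a PEP: the message label (taken from the ESS
        security label after decryption) is checked against the attributes the
        token carries. Anything unexpected, including an unknown
        classification, is denied rather than mapped to a default."""
        claims = self._verify(token)
        if claims is None:
            return "Deny"
        attrs = claims["attrs"]
        classification = label.get("classification")
        if classification not in CLASS_RANK:
            return "Deny"
        if CLASS_RANK.get(attrs.get("clearance"), -1) < CLASS_RANK[classification]:
            return "Deny"
        if not set(label.get("categories", [])) <= set(attrs.get("projects", [])):
            return "Deny"
        return "Permit"


class PEP:
    """Policy Enforcement Point in the recipient's mail client: it keeps the
    token from the initial authentication and asks the PDP before releasing a
    decrypted body to the user."""

    def __init__(self, pdp, token):
        self._pdp = pdp
        self._token = token

    def open_message(self, message):
        if self._pdp.decide(self._token, message["label"]) != "Permit":
            return None
        return message["body"]
```

Two properties worth keeping in a real deployment: the token's MAC and expiry are checked (with a constant-time comparison) before any attribute is read, so a modified or stale token is refused rather than re-evaluated, and an unknown classification is denied instead of being treated as some default level. Because ESS enforcement happens in the recipient's client after decryption, this PEP protects against disclosure by a well-behaved client; it cannot constrain a recipient who controls their own client and already holds the plaintext.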

3.9. Smart Objects

Many smart device deployments involve multiple organizations that do not directly share security infrastructure. For example, in smart power deployments, devices (e.g., appliances) and infrastructure (e.g., electric car chargers) will wish to connect to an energy management system. The energy management system is provided by a utility company in some deployments. The utility company may wish to grant access only to authorized devices; for example, a consortium of utility companies and device manufacturers may certify devices to connect to power networks.

In another example, consumer devices may be used to access cloud services. For example, a camera could be bound to a photo processing site. Authentication and authorization for uploading pictures or ordering prints are required. Sensors could be used to provide data to services run by organizations other than the sensor manufacturer. Authorization and authentication can become very tricky when sensors have no user interface. Cellular devices may want to access services provided by a third party, regardless of whether the cellular network or Wi-Fi is used. This becomes difficult when authorization and billing are coordinated by the cellular provider.

The use of ABFAB technologies in this case would provide authentication between one entity, such as a smart device, and its IdP. Only two parties are involved in this exchange; this means that the smart device need not participate in any complicated public-key infrastructure even if it is authenticating against many cloud services. Instead, the device can delegate the process of authenticating the service, and even deciding whether the device should be permitted to access the service, to the IdP. This has several advantages. A wide variety of revenue-sharing models are enabled. Because device authentication is only with a single IdP, phishing of device credentials can be avoided. Authorization and decisions about what personal information to release are made by the IdP. The device owner can use a rich interface such as a website to configure authorization and privacy policy even if the device has no user interface. This model works well with pre-provisioning of device credentials.
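The two flows described above (the PEP/PDP/PIP access-control model of Section 3.8 and the IdP-mediated smart-object model of Section 3.9) share one shape: an entity authenticates only to its IdP, the IdP releases the attributes its policy allows for the requesting audience, and the relying party decides on those attributes and hands back a token for later requests. The following toy model is an added example written for this page, not code from RFC 7832 or any ABFAB implementation. Every subject, secret, attribute, audience name and policy in it is constructed for illustration, and the assertions are HMAC-signed JSON with keys shared directly between the IdP and the relying parties, which stands in for the federation trust fabric that real ABFAB deployments obtain through the AAA infrastructure described in [RFC7831].

```python
import base64
import hashlib
import hmac
import json
import time

# --- Constructed sample data (illustrative only, not from the RFC) -----------
IDP_KEY = b"idp-signing-key-demo"   # key the IdP signs assertions with
PDP_KEY = b"pdp-token-key-demo"     # key the PDP mints and verifies tokens with

# Credentials the IdP holds: a person's mail client (PEP) and a camera.
SUBJECTS = {"alice@example.org": "alice-secret", "camera-0042@example.org": "cam-secret"}

# Attributes the IdP knows about each subject (the IdP plays the PIP role here).
ATTRIBUTES = {
    "alice@example.org": {"project": ["apollo"], "clearance": 2, "email": "alice@example.org"},
    "camera-0042@example.org": {"model": "X100", "owner_email": "bob@example.org"},
}

# Per-audience release policy, as an owner would configure it through a web UI.
# The camera itself has no user interface; its owner decides what the photo site learns.
RELEASE_POLICY = {
    ("alice@example.org", "pdp.example.org"): {"project", "clearance"},
    ("camera-0042@example.org", "photos.example.com"): {"model"},
}


def _sign(key, payload):
    """Encode a JSON payload and append an HMAC-SHA256 tag (toy assertion format)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(key, token):
    """Return the payload if the tag checks out, else None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def idp_authenticate(subject, secret, audience):
    """IdP: check the subject's credential, then issue an assertion that carries
    only the attributes the release policy permits for this audience."""
    if not hmac.compare_digest(SUBJECTS.get(subject, ""), secret):
        return None
    allowed = RELEASE_POLICY.get((subject, audience), set())
    attrs = {k: v for k, v in ATTRIBUTES[subject].items() if k in allowed}
    return _sign(IDP_KEY, {"sub": subject, "aud": audience, "attrs": attrs})


# --- Section 3.8: PDP decision and token issuance -----------------------------
def pdp_decide(assertion, label, now=None):
    """PDP: a message labelled with a project is readable by members of that
    project holding clearance >= 2 (constructed policy). A permit comes with a
    short-lived token the PEP can present on later requests."""
    claims = _verify(IDP_KEY, assertion)
    if claims is None or claims["aud"] != "pdp.example.org":
        return {"permit": False, "token": None}
    attrs = claims["attrs"]
    permit = label in attrs.get("project", []) and attrs.get("clearance", 0) >= 2
    token = None
    if permit:
        exp = (now if now is not None else time.time()) + 600
        token = _sign(PDP_KEY, {"sub": claims["sub"], "label": label, "exp": exp})
    return {"permit": permit, "token": token}


def pdp_decide_with_token(token, label, now=None):
    """Subsequent request: the PEP presents the PDP token instead of repeating
    the ABFAB authentication. The token is bound to one label and expires."""
    claims = _verify(PDP_KEY, token)
    if claims is None:
        return False
    return claims["label"] == label and claims["exp"] > (now if now is not None else time.time())


def pep_read_message(subject, secret, label, now=None):
    """PEP: authenticate to the IdP, then ask the PDP whether the message may be shown."""
    assertion = idp_authenticate(subject, secret, "pdp.example.org")
    if assertion is None:
        return {"permit": False, "token": None}
    return pdp_decide(assertion, label, now)


# --- Section 3.9: smart object delegating service authentication to its IdP ---
def service_accept(assertion, audience):
    """Cloud service: verify the IdP's assertion for its own audience. It never
    sees the device credential, so there is nothing for a rogue service to collect."""
    claims = _verify(IDP_KEY, assertion)
    if claims is None or claims["aud"] != audience:
        return None
    return claims["attrs"]


def camera_upload():
    """The camera holds one credential (for its IdP) and hands the service an assertion."""
    assertion = idp_authenticate("camera-0042@example.org", "cam-secret", "photos.example.com")
    return service_accept(assertion, "photos.example.com")
```

Running `pep_read_message("alice@example.org", "alice-secret", "apollo")` permits the read and returns a token that later `pdp_decide_with_token` calls accept for "apollo" only, until it expires; `camera_upload()` yields `{"model": "X100"}`, showing that the owner's release policy withheld `owner_email` from the photo site, and an assertion minted for the PDP audience is rejected by the photo service because the audience does not match.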

4. Security Considerations

This document contains only use cases and defines no protocol operations for ABFAB. Security considerations for the ABFAB architecture are documented in [RFC7831], and security considerations for ABFAB technologies and protocols that are discussed in these use cases are documented in the corresponding protocol specifications.

5. References
5.1. Normative References

[RFC7831] Howlett, J., Hartman, S., Tschofenig, H., and J. Schaad, "Application Bridging for Federated Access Beyond Web (ABFAB) Architecture", RFC 7831, DOI 10.17487/RFC7831, May 2016, <http://www.rfc-editor.org/info/rfc7831>.

5.2. Informative References

[FCLA] Wei, Y., Ed., "Federated Cross-Layer Access", Work in Progress, draft-wei-abfab-fcla-02, March 2012.

[MSG-AC-REQ] Freeman, T., Schaad, J., and P. Patterson, "Requirements for Message Access Control", Work in Progress, draft-freeman-plasma-requirements-11, March 2015.

[OASIS.saml-profiles-2.0-os] Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, P., Philpott, R., and E. Maler, "Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard OASIS.saml-profiles-2.0-os, March 2005, <http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf>.

[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996, <http://www.rfc-editor.org/info/rfc1939>.

[RFC2326] Schulzrinne, H., Rao, A., and R. Lanphier, "Real Time Streaming Protocol (RTSP)", RFC 2326, DOI 10.17487/RFC2326, April 1998, <http://www.rfc-editor.org/info/rfc2326>.

[RFC2911] Hastings, T., Ed., Herriot, R., deBry, R., Isaacson, S., and P. Powell, "Internet Printing Protocol/1.1: Model and Semantics", RFC 2911, DOI 10.17487/RFC2911, September 2000, <http://www.rfc-editor.org/info/rfc2911>.

[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1", RFC 3501, DOI 10.17487/RFC3501, March 2003, <http://www.rfc-editor.org/info/rfc3501>.

[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, July 2003, <http://www.rfc-editor.org/info/rfc3550>.

[RFC4251] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Protocol Architecture", RFC 4251, DOI 10.17487/RFC4251, January 2006, <http://www.rfc-editor.org/info/rfc4251>.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <http://www.rfc-editor.org/info/rfc5280>.

[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, DOI 10.17487/RFC5321, October 2008, <http://www.rfc-editor.org/info/rfc5321>.

Acknowledgments

These use cases have been developed and documented using significant input from Jens Jensen (STFC Rutherford Appleton Laboratory), Daniel Kouril (CESNET), Michal Prochazka (CESNET), Ian Stewart (University of Edinburgh), Stephen Booth (Edinburgh Parallel Computing Centre), Eefje van der Harst (SURFnet), Joost van Dijk (SURFnet), Robin Breathe (Oxford Brookes University), Yinxing Wei (ZTE Corporation), Trevor Freeman (Microsoft Corporation), Sam Hartman (Painless Security, LLC), and Yuri Demchenko (University of Amsterdam).

Contributors

The following individuals made important contributions to the text of this document: Tim Bannister (Manchester University), Simon Cooper (Jisc), Josh Howlett (Jisc), and Mark Tysom (Jisc).

Author's Address

   Dr. Rhys Smith (editor)
   Jisc
   Lumen House, Library Avenue, Harwell Oxford
   OX11 0SG
   United Kingdom

   Phone: +44 1235 822145
   Email: rhys.smith@jisc.ac.uk