Chapter 1 Internet Era: E-Commerce 37
store and manage the credentials of many systems and of the users who are
allowed to access those systems. This places specific requirements on a credential
governance system. A distributed credential governance system needs a mechanism
for obtaining a principal's initial credentials; this is the initiation requirement.
Secure storage of the credentials once obtained is equally important. The system
must also be able to retrieve and renew credentials on demand. Further requirements
are translation of credentials between formats and domains, delegation of credentials
to other parties, and control over how delegated credentials may be used (for example,
their lifetime and scope). Against these requirements, credential governance systems
fall into two main types: credential repositories, or credential storage systems, and
credential federation systems, or credential sharing systems. The first type is
responsible for storing credentials; the second is responsible for sharing credentials
across multiple systems or domains.
Repositories
The basic purpose of a credential repository is to move the responsibility for
credential storage from the user to the repository. Examples of credential
repositories include smart cards, virtual smart cards, and MyProxy Online
Credential Repositories (http://grid.ncsa.illinois.edu/myproxy). Smart
cards are credit card-sized tokens that hold a user's secret key material in
tamper-resistant hardware. Virtual smart cards implement the features of a smart
card in software. MyProxy is a widely used online credential repository built
specifically for Grid and cloud computing systems: the user's long-lived credential
stays on the server, and the user retrieves short-lived proxy credentials from it.
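The requirements listed above (initiation, storage, access and renewal, delegation, control) and the MyProxy-style repository just described are easier to see in code. The following is an added example, not code from the book or from MyProxy; it uses only the Python standard library, stands in HMAC-signed tokens for X.509 proxy certificates, and every class, method, user and scope name in it is hypothetical. The long-lived secret is sealed under a key derived from the user's passphrase, so a stolen repository database alone does not yield it; a correct passphrase is required to obtain a short-lived delegated credential, whose lifetime is clamped by the repository's policy; a relying service checks signature, scope, expiry and revocation before honouring it.

```python
"""Toy model of an online credential repository in the MyProxy style.

Added example (not from the book or from MyProxy). HMAC tokens replace X.509
proxy certificates, so this shows the governance mechanics, not the
cryptography of a real deployment. All names here are hypothetical.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass


def _kdf(passphrase: str, salt: bytes) -> bytes:
    """Derive a 32-byte sealing key from the user's passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


def _keystream(key: bytes, n: int) -> bytes:
    """HMAC in counter mode: enough keystream to mask n bytes of secret."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, ctr.to_bytes(4, "big"), "sha256").digest()
    return out[:n]


@dataclass
class StoredCredential:        # the long-lived secret at rest
    salt: bytes
    sealed: bytes               # secret XOR keystream(derived key)
    tag: bytes                  # HMAC over sealed, so tampering is detected
    max_lifetime: int           # policy: longest delegation this user may request


@dataclass
class DelegatedCredential:     # the short-lived credential handed out
    owner: str
    scope: str
    expires: float
    serial: str
    mac: str


class CredentialRepository:
    def __init__(self) -> None:
        self._store: dict[str, StoredCredential] = {}
        self._revoked: set[str] = set()
        self._issuer_key = os.urandom(32)     # trust anchor for relying services

    # initiation: the user deposits a long-lived secret once
    def deposit(self, user: str, passphrase: str, secret: bytes, max_lifetime: int = 12 * 3600) -> None:
        salt = os.urandom(16)
        key = _kdf(passphrase, salt)
        sealed = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
        tag = hmac.new(key, sealed, "sha256").digest()
        self._store[user] = StoredCredential(salt, sealed, tag, max_lifetime)

    # storage: the record is only used after the passphrase and integrity tag check out
    def _unseal(self, user: str, passphrase: str) -> StoredCredential:
        rec = self._store.get(user)
        if rec is None:
            raise PermissionError("access denied")   # same error as a bad passphrase
        key = _kdf(passphrase, rec.salt)
        if not hmac.compare_digest(hmac.new(key, rec.sealed, "sha256").digest(), rec.tag):
            raise PermissionError("access denied")
        # A real repository would now decrypt the private key and sign a proxy
        # certificate with it; here the repository's own issuer key signs instead.
        return rec

    def _sign(self, owner: str, scope: str, expires: float, serial: str) -> str:
        msg = f"{owner}|{scope}|{expires:.3f}|{serial}".encode()
        return hmac.new(self._issuer_key, msg, "sha256").hexdigest()

    # access and delegation: a short-lived credential, lifetime clamped by policy
    def delegate(self, user: str, passphrase: str, scope: str, lifetime: int,
                 now: float | None = None) -> DelegatedCredential:
        now = time.time() if now is None else now
        rec = self._unseal(user, passphrase)
        lifetime = min(lifetime, rec.max_lifetime)   # the "control" requirement
        expires = now + lifetime
        serial = secrets.token_hex(8)
        return DelegatedCredential(user, scope, expires, serial, self._sign(user, scope, expires, serial))

    # renewal: only a still-valid credential is renewable; the old serial is retired
    def renew(self, cred: DelegatedCredential, passphrase: str, lifetime: int,
              now: float | None = None) -> DelegatedCredential:
        now = time.time() if now is None else now
        if not self.verify(cred, cred.scope, now):
            raise PermissionError("credential not renewable")
        new = self.delegate(cred.owner, passphrase, cred.scope, lifetime, now)
        self.revoke(cred.serial)
        return new

    def revoke(self, serial: str) -> None:
        self._revoked.add(serial)

    # what a relying service checks before honouring the credential
    def verify(self, cred: DelegatedCredential, scope: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        expected = self._sign(cred.owner, cred.scope, cred.expires, cred.serial)
        return (hmac.compare_digest(expected, cred.mac)
                and cred.scope == scope
                and cred.expires > now
                and cred.serial not in self._revoked)


def denied(action, *args, **kwargs) -> bool:
    """True if the repository refuses the action with PermissionError."""
    try:
        action(*args, **kwargs)
    except PermissionError:
        return True
    return False
```

Two design points worth noting. Unknown users and wrong passphrases raise the identical error, so the repository does not leak which accounts exist. And renewal re-authenticates with the passphrase and retires the old serial, so a credential that leaked during its first lifetime cannot be kept alive indefinitely by whoever holds it.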
Federation
Credential federation systems, protocols, and standards are used to manage
credentials across multiple systems, domains, and realms. Examples in this
space include VCMan, which is Grid-specific, and the Community Authorization
Service (CAS), which offers interoperability across multiple domains. KX.509 is
a protocol that bridges Kerberos and X.509 systems by issuing a short-lived X.509
certificate to the holder of a valid Kerberos ticket. A
standard called the Liberty Framework was developed by the Liberty Alliance
(www.projectliberty.org/), a consortium of about 150 companies, for creating
and managing federated identities; the project's work has since moved to the
Kantara Initiative (http://kantarainitiative.org/). Another popular open source
solution in this space is Shibboleth (http://shibboleth.internet2.edu/).
Trust Governance
Governing trust is one of the most sensitive aspects of a cloud computing
infrastructure. Trust is a multifaceted notion that depends on a host of different
ingredients, such as the reputation of an entity, its policies, and the opinions others
hold about that entity. Governing trust is crucial in a dynamic infrastructure where
hosts and users constantly join and leave the system. Therefore, there must be