Infrastructural Network Services
SPOCP - Project Assignment
 

 

Document Status: Approved by the Steering Committee 2002-08-26

The assignment is to develop/provide software for network-based infrastructural services (middleware) for PKI-based authentication and authorisation.

The authentication and authorisation shall be implemented as two separate services. The authentication service (AS) shall offer authentication through both user name/password and X.509 certificates.

The authorisation service (Simple POlicy Control Protocol - SPOCP) shall offer policy-controlled authorisation advice to its clients, using information provided by:

  • the user/client: authentication strength and an assumed role; and
  • directories or other information services: user and resource attributes such as roles and identity.

The project is a cooperative effort between five Swedish universities (Karolinska Institutet, Lunds Universitet, Stockholms Universitet, Umeå Universitet, and Uppsala Universitet) and Uninett, the Norwegian research network. The project is financed by its partners, by Sunet, the Swedish research network, and by VHS, Verket för Högskoleservice, through NyA, the project developing the new Swedish system for admission to higher education.

The development shall be done in construction packages. The Steering Committee, which has a member from each partner, decides the detailed scope of the project. This shall be done by specifying a minimal construction package and optional construction packages, and by assigning priorities to the optional construction packages. A first version of the software shall be released 12 months after the start of the project.

The assignment includes suggesting a model for maintenance of the software.

The scope does not include the design of the information services providing the policy server with information about resources and persons. The task of developing such services is not trivial and must not be underestimated.

Most universities that have an enterprise directory with students and personnel can communicate with the directory using LDAP. An LDAP adapter shall be provided in the minimal package. Some universities might use database connections to their personnel and student information services; no such adapters need to be included in the minimal construction package.



IT Unit
Umeå University
Information last verified on 2 September 2002
Page maintainer: Torbjorn.Wiberg@adm.umu.se
http://www.umu.se/it/projupp/spocp/docs/assignment.html