Outline

International Grid Trust Federation

towards worldwide interoperability in identity

management

UK Presidency 2005 e-IRG Meeting

David L. Groep, IGTF and EUGridPMA Chair, 2005-12-13

e-Infrastructure Reflection Group – Dec 2005 - 2

David Groep – [email protected]

Outline

Grid Security Authentication vs. Authorisation Grid Identity Management

Authentication Federation EUGridPMA International Grid Trust Federation Guidelines and Requirements

Roadmap for an integrated AAI



Essentials on Grid Security

Control access to shared services Support multi-user collaborations

Composed of individuals acting alone – their home organisation administration may not know about their activities

Allow users/application communities to establish relations Both personal and community-based aggregation of

resources, based on personal or community-mediated trust

Enable single sign-on Security must be hidden from the user as far as

possible

Resource owner must always stay in control



Virtual vs. Organic structure

Organization A Organization B

Compute Server C1Compute Server C2

Compute Server C3

File server F1 (disks A and B)

Person C(Student)

Person A(Faculty)

Person B(Staff) Person D

(Staff)Person F(Faculty)

Person E(Faculty)

Virtual Community C

Person A(Principal Investigator)

Compute Server C1'

Person B(Administrator)

File server F1 (disk A)

Person E(Researcher)

Person D(Researcher)

Graphic from Frank Siebenlist, ANL & Globus AllianceGGF OGSA Working Group

Virtual communities (Virtual Organisation) are many A single person will typically be in many communities

Users want single signon across all these communities



Stakeholders in Grid Security

Grid Security is user centric

Conceptually, all members of a VO are equal Users can provide their own services Provider organisations may or may not have human

members (or they actually only sell resources to a VO)

There is no a priori trust relationship between members VO lifetime can vary from hours to decades People and resources are members of multiple VOs VOs not necessarily persistent (both long- and short-lived)

… but a relationship is required as a basis for authorising access for traceability and liability, incident handling, and

accounting



VO embedding today

as part of a Grid ‘ecosystem’where ecosystem takes care of end-to-end solution ‘Infrastructure’ (a collective of Resource Centres)

a single project-centric VOuser groups join up together and participate in a single project with implicit sharing agreement between users and

centres sharing across all user communities in the project still typical for transient, ad-hoc research collaborations

any single user may (and will) participate in both types



Relying parties in Grid Security

In Europe Enabling Grid for E-sciencE (EGEE) (222 sites) Distributed European Infrastructure for Supercomputer

Applications (DEISA) (~11 sites) South East European Grid (SEE-GRID) (10 countries) many national projects (VL-e, UK e-Science, Grid.IT, IRISgrid,

…)

In the Americas EELA: E-infrastructure Europe and Latin America (24 partners) WestGrid (6 sites), GridCanada, … Open Science Grid (OSG) (54 sites) TeraGrid (9 sites) and also many others …

In the Asia-Pacific AP Grid (~10 countries and regions participating) Pacific Rim Applications and Grid Middleware Assembly (~15

sites) …

~400data as per December 8th, 2005



Separating Authentication and Authorization

Single Authentication token (“passport”) issued by a party trusted by all, recognised by many resource providers, users, and VOs satisfies traceability requirement in itself does not grant any access, but provides

a unique binding between an identifier and the subject*

Per-VO Authorisations (“visa”) granted to a person/service or a set of them (a VO) granted by the resource owner based on the ‘passport’ name

providers can obtain lists of authorised users per VO,but can still ban individual users



Grid Authorization today

Leverages authentication provided by a PKI (the ‘passport’) Identity management decoupled from access control Creation of short-lived ‘tokens’ (‘proxy’ certificates)

for single sign-on based on these identities

But: Variety of mechanisms

Per-resource list of authorized users Directories of authorized users Embedded assertions

Variety of sources of authority Semantics to describe roles and rights differs No common namespace

Integration with other AA mechanisms still in progress…

Authentication



PKI in academia and industry and …

Various commercial providers Main commercial drive: secure web servers based on PKI Entrust, Global Sign, Thawte, Verisign, SwissSign, … primary market is server authentication, no end-user

identities

usually expensive but don’t actually subsume liability … are implicitly trusted by many,

since web browsers pre-install the roots of trust use of commercial CAs solves the ‘pop-up’ problem

... so for (web) servers a pop-up free service is still needed Academic PKI

generally a task of the NREN or national e-science project got better attention only after the advance of grid

computing National PKI

in generally uptake of 1999/93/EC is slow where available, a national PKI can be leveraged



The Federated PKI for Grid Authentication

A Federation of many independent CAs common minimum requirements trust domain as required by users and relying parties well-defined and peer-reviewed acceptance process

No strict hierarchy with a single top spread of reliability, and limitation of failure (resilience) maximum leverage of national efforts and

complementarities

CA 1CA 2

CA 3

CA ncharter

guidelines

acceptanceprocess

relying party 1

relying party n



Relying Party issues to be addressed

Common Relying Party requests on the Authorities

1. standard accreditation profiles sufficient to assure approximate parity in CAs

2. monitor [] signing namespaces for name overlaps

3. a forum [to] participate and raise issues

4. [operation of] a secure collection point for information about CAs which you accredit

5. common practices where possible

[list courtesy of the Open Science Grid]



Building the federation

PKI providers (‘CAs’) and Relying Parties (‘sites’) together shape the common requirements Several profiles for different identity management

models Authorities testify to compliance with profile guidelines Peer-review process within the federation

to (re) evaluate members on entry & periodically

Reduce effort on the relying parties single document to review and assess for all CAs

Reduce cost on the CAs no audit statement needed by certified accountants but participation in the federation comes with a price

Requires that the federation remains manageable in size

Ultimate decision always remains with the RP



EUGridPMA founded April 2004 as a successor to the CACG

The European Policy Management Authority for Grid Authentication in e-Science (hereafter called EUGridPMA) is a body

• to establish requirements and best practices for grid identity providers • to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources.

As its main activity the EUGridPMA

• coordinates a Public Key Infrastructure (PKI) for use with Grid authentication middleware.

The EUGridPMA itself does not provide identity assertions, but instead asserts that - within the scope of this charter – the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.

The EUGridPMA “constitution”



EUGridPMA Membership

EUGridPMA membership for (classic) CAs a single Authority

per country, large region (e.g. the Nordic Countries), or international treaty organization.

‘the goal is to serve the largest possible community with a small number of stable CAs’

operated as a long-term commitment

Many CAs are operated by the (national) NREN(CESNET, ESnet, Belnet, NIIF, EEnet, SWITCH, DFN, … )

or by the e-Science programme/science foundation(UK eScience, VL-e, CNRS, … )



Coverage of the EUGridPMA

Green: Countries with an accredited CA The EU member states (except LU, MT) + AM, CH, IL, IS, NO, PK, RU, TR, “SEE-catch-

all”

Other Accredited CAs: DoEGrids (.us) GridCanada (.ca) CERN ASGCC (.tw)* IHEP (.cn)** Migrated to APGridPMA per Oct 5th, 2005



The Catch-All CAs

Project-centric “catch all” Authorities

For those left out of the rain in EGEE CNRS “catch-all” (Sophie Nicoud) coverage for all EGEE partners

For the South-East European Region regional catch-all CA

For LCG world-wide DoeGrids CA (Tony Genovese & Mike Helm, ESnet) Registration Authorities through Ian Neilson



EUGridPMA Relying Party Members

All EU 6th framework e-Infrastructure projects DEISA EGEE SEE-GRID

The LHC Computing Grid Project (“LCG”) The Open Science Grid Project (US) TERENA

National projects represented via their national CA: e-Science programme UK Virtual Lab e-Science, the Netherlands …



TACAR

Authoritative source for validation of trust anchors independent administration improves resilience TACAR certificate itself published in paper/journals Many trust anchors collected, not only for grid use



Growth of the CACG and EUGridPMA

0

10

20

30

40

Mar

-01

Sep-0

1

Mar

-02

Sep-0

2

Mar

-03

Sep-0

3

Mar

-04

Sep-0

4

Mar

-05

Sep-0

5

acc

red

ited

CA

s

His

tory



March 2003: The Tokyo Accord

… meet at GGF conferences. … … work on … Grid Policy Management Authority:

GRIDPMA.org develop Minimum requirements – based on EDG work develop a Grid Policy Management Authority Charter [with] representatives from major Grid PMAs:

European Data Grid and Cross Grid PMA: 16 countries, 19 organizations

NCSA Alliance Grid Canada DOEGrids PMA NASA Information Power Grid TERENA Asian Pacific PMA:

AIST, Japan; SDSC, USA; KISTI, Korea; Bll, Singapore; Kasetsart Univ., Thailand; CAS, China

His

tory



Extending Trust:IGTF – the International Grid Trust Federation

TAGPMA APGridPMA

common, global best practices for trust establishment better manageability and response of the PMAs

The America’s Grid PMA

Asia-Pacific Grid PMA

European Grid PMA



APGridPMA

13 members from the Asia-Pacific Region,

Launched June 1st, 2004, chaired by Yoshio Tanaka

First face-to-face meeting on Nov 29th, 2005 Today 6 ‘production-quality’ authorities in

operation

•AIST (.jp)•APAC (.au)•BMG (.sg)•CMSD (.in)•HKU CS SRG (.hk)•KISTI (.kr)•NCHC (.tw)

•NPACI (.us)•Osaka U. (.jp)•SDG (.cn)•USM (.my)•IHEP Beijing (.cn)•ASGCC (.tw)



TAGPMA

To cover all of the Americas 8 members to date

Launched June 28th, 2005chaired by Darcy Quesnel, CANARIE

• Canarie (.ca)• OSG (.us)• TERAGRID (.us)• Texas H.E. Grid (.us)• DOEGrids (.us)

• SDSC (.us)• FNAL (.us)• Dartmouth (.us)

• Brazil (pending)



IGTF Federation Structure

EUGridPMA• CA E1

• CA E2

• …

APGridPMA• CA A1

• …

TAGPMA• CA T1

• …

IGTF Federation Document

Common Authentication Profiles

Classic(EUGridPMA)

SLCS(TAGPMA)

trustrelations

SubjectNamespaceAssignment

DistributionNaming

Conventions



Common Guidelines for all of the IGTF Federation Document• Namespace assignments• Distribution layout

Classic X.509 CAs with secured infrastructure

Short-lived Credential Services

‘experimental’ CAs

…

Collective requirements(technology agnostic)

Technology specificguidelines

Management assigned to specific PMAs



Guidelines: common elements

Coordinated namespace Subject names refer to a unique entity (person, host) Basis for authorization decisions

Common Naming Common structure for trust anchor distribution in the

federation Trusted, redundant, download sources

Harmonized ‘concerns’ and ‘incident’ handling Guaranteed point of contact Forum to raise issues and concerns

Requirement for documentation of processes Detailed policy and practice statement Open to auditing by federation peers



Guidelines: secured X.509 CAs

Identity vetting procedures Based on (national) photo ID’s Face-to-face verification of applicants

via a network of Registration Authorities Periodic renewal (once every year) Record retention at least 3 years

Secure operation off-line signing key or special (FIPS-140.3 or better)

hardware

Response to incidents Timely revocation of compromised certificates



Guidelines: short-lived credential service

Issue short-lived credentials (for grid: proxies) based on another site-local authentication system e.g. Kerberos CA based on existing administration

Same common guidelines apply documented policies and processes a reliable identity vetting mechanism accreditation of the credential issuer with a PMA identity vetting data retention

Same X.509 format, but no user-held secrets



Relationships: IGTF, PMAs, TACAR and GGF



Five years of growth

December 2000: First CA coordination meeting for the DataGrid project

March 2003:Tokyo Accord (GGF7)

April 2004:Foundation of the EUGridPMA

June 2004:Foundation of the APGridPMA

June 2005:Foundation of TAGPMA (GGF14)

October 2005:Establishment of the International Grid Trust Federation IGTF

…



Along the e-IRG Roadmap

the federated approach to an integrated AA infrastructure for eEurope

Towards an integrated AAI for academia in Europe

The e-IRG notes the timely operation of the EUGridPMA in conjunction with the TACAR CA Repository and it expresses its satisfaction for a European initiative that serves e-Science Grid projects. […] The e-IRG strongly encourages the EUGridPMA / TACAR to continue their valuable work […] (Dublin, 2004)

The e-IRG encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions. (The Hague, 2005)



Recent developments in this direction

from the EUGridPMA side Extending PMA and the IGTF actively to more

countries and regions Specifically open to inter-working with other federations

from TERENA NRENs-GRID workshop series TF-EMC2 / TF-Mobility possible TACAR extensions

REFEDS – Research and Education Federations broad AAI scope IGTF, eduroam, A-Select, PAPI, SWITCH-AAI, InCommon,

HAKA, FEIDE/Moria See http://www.terena.nl/tech/refeds/



EUGridPMA – http://www.eugridpma.org/

IGTF – http://www.gridpma.org/

Outline

Documents

Transcript of Outline