TERENA TF-EMC2 Workshop David Groep, 2004.11.04

Page 1: TERENA TF-EMC2 Workshop
David Groep, 2004.11.04
http://www.eugridpma.org/

Page 2: A PKI for Grids
TF-EMC2 meeting, November 4 2004 - 2 / David Groep – [email protected]

PKI model fits the lack of hierarchical relations between users and resources in the Grid

Users can join collaborations (VOs), that are independent of both resources and home organisations

mainly unilateral trust relations (RP/subscriber -> CA)
limited mutual trust (CA -> CA within the PMA)

Both users and services need a credential

Revocation: of authZ via the VOs, of authN via the CAs
(the latter only if the identity is compromised)

Page 3: The EUGridPMA

European Grid Authentication Policy Management Authority for e-Science

Coordinates authentication for people and services for European, national, and related Grid projects: EGEE, DEISA, SEEGRID, LCG, …

PMA manages authentication guidelines and policies
Trust domain for research and academic grids

Page 4: Certificate Authority Coordination

Evolved from the CA Coordination Group in DataGrid, CrossGrid, LCG, …

collection of national and regional CAs
  better local identity vetting
  national legislation

all meet or exceed minimum requirements
  identity checking (in-person, photo-ID)
  physical security (signing key protection, storage)
  naming (unique certificate names)
  revocation (updated lists, retrieval)

Clearly defined accreditation procedure

Basic tools and distribution mechanisms

Page 5: Accreditation process

Codification of procedures in a CP(S) for each CA
  de facto lots of copy/paste, except for the vetting sections

Peer-review process for evaluation
  comments welcomed from all PMA members
  two assigned referees

In-person appearance during the review meeting

Page 6: Accredited Authorities

Everyone (almost) in Europe has a national CA

Map legend: Green: CA accredited; Yellow: being discussed

Other Accredited CAs: DoEGrids (US), GridCanada, ASCCG (Taiwan), ArmeSFO (Armenia), CERN, Russia (HEP), FNAL Service CA (US), Israel, Pakistan

Page 7: The Catch-All CAs

Project-centric “catch all” Authorities

For those left out of the rain in EGEE
  CNRS “catch-all” (Sophie Nicoud)
  coverage for all EGEE partners

For the South-East European Region
  regional catch-all CA

For LCG world-wide
  DoEGrids CA (Tony Genovese & Mike Helm, ESnet)
  Registration Authorities through Ian Neilson

Page 8: Distribution

RPM distribution to facilitate deployment
  projects: validation must be done via TACAR (or out-of-band means)

releases contain
  CA root cert
  CRL URL
  CA URL
  namespace-policy file (used by software for enforcement)
  dependency information (for hierarchical PKIs)

meta-RPMs “ca_policy_eugridpma” for triggering dependencies in install software (yum/apt)

releases every ~4-12 weeks
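
As an added example (not from the presentation or the EUGridPMA distribution), the following Python shows what the namespace-policy enforcement mentioned in the release contents does on the relying-party side: a certificate is accepted only if its subject DN lies inside the namespace its issuing CA is permitted to sign for, so one accredited CA cannot mint names that belong to another CA's community. The policy-file format and all DNs are constructed for this example and are not the PMA's real distributed format.

```python
"""Namespace-policy enforcement at a relying party that trusts many CAs:
accept a certificate only if its subject DN falls inside the namespace its
issuing CA is permitted to sign for, so one accredited CA cannot issue
names that belong to another CA's user community.

The policy format below ("<issuer DN> => <subject glob>") and all DNs are
constructed for this example; they are not the PMA's distributed format.
"""
from fnmatch import fnmatchcase

# Constructed sample policy: one rule per line, '#' starts a comment.
SAMPLE_POLICY = """
# Hypothetical national CA A: may only sign under its own organisation tree
/C=XX/O=ExampleGridCA-A/CN=Example CA A => /C=XX/O=ExampleOrg/*
# Hypothetical catch-all CA B: permitted a broader, separate namespace
/C=YY/O=ExampleGridCA-B/CN=Example Catch-All CA => /O=catchall/*
"""


def parse_policy(text):
    """Return {issuer_dn: [allowed subject globs]} from the constructed format."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        issuer, sep, pattern = line.partition("=>")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        policy.setdefault(issuer.strip(), []).append(pattern.strip())
    return policy


def subject_permitted(policy, issuer_dn, subject_dn):
    """Default deny: an issuer with no policy entry is rejected outright,
    so a missing or stale policy file can never widen what a CA may sign."""
    patterns = policy.get(issuer_dn)
    if not patterns:
        return False
    # fnmatchcase is case-sensitive and '*' spans '/', so one glob covers
    # the whole subtree below the permitted prefix.
    return any(fnmatchcase(subject_dn, p) for p in patterns)


def check_certs(policy, certs):
    """certs: iterable of (issuer_dn, subject_dn); returns (subject, accepted)
    pairs so rejections can be logged rather than silently dropped."""
    return [(s, subject_permitted(policy, i, s)) for i, s in certs]
```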

Page 9: Global interoperation

PMAs collaborate bilaterally in an interoperation framework: the International Grid Federation
  see www.gridpma.org

Figure: the three PMAs in the federation: Americas PMA (being formed), EUGridPMA, APGridPMA

Page 10: Commonality

Common services to all European eInfrastructure
  EUGridPMA:
    All EU Grid infrastructure FP6 programmes
    CAs also cover inter-organisational national projects
  TERENA TACAR provides the trust validation
    Grid projects rely on TACAR to validate roots-of-trust
  Minimum Requirements form the basis of the IGF
    Coherency in AP modelled on EUGridPMA
    Americas are planning to build an AMSGridPMA

Page 11: Current topics of discussion

Continuing updates to minimum requirements
  as experience grows
  to comply better with evolving Grid middleware
  to comply with evolving industry standards

User key hygiene worries abound
  Can the user be trusted with key care? (hardly…)

Complexity for users, services
  the server-certificate service!

On-line CA methodologies
  Guidelines and Minimum Requirements
  Site-local solutions (SIPS)
  Active Certificate Stores (credential repositories, escrow services)
  CA-generated key pairs and ease-of-use

Page 12

http://www.eugridpma.org/