European Grid Policy Management Authority


Grid Security &
the EUGridPMA
EIROforum GG Meeting
David Groep, EUGridPMA Chair, 2005.09.14
Outline
• Grid Security Infrastructure
  • Virtual Organisations
  • Authentication vs. Authorisation
• Authentication Federation
  • EUGridPMA
  • Trust Basis and Minimum Requirements
  • International Grid Trust Federation
  • Roadmap
• Authorization Federation …
David Groep – [email protected]
EIROforum GG meeting – Sept 2005
Grid Security Requirements
• Control access to shared services
  • Initial focus on high-value resources:
    supercomputers, large clusters, multi-PetaByte storage
• Support multi-user collaborations
  • Composed of individuals acting alone: their home organisation's
    administration may not know about their activities
• Allow users/application communities to establish relations
  • Both personal and community-based aggregation of resources,
    based on personal or community-mediated trust
• Easy to use
  • single sign-on for users
• Resource Owner Always Stays in Control
Virtual Organisations in ‘Grid’
• A set of individuals or organisations,
• not under single hierarchical control,
• temporarily joining forces to solve a particular problem at hand,
• bringing to the collaboration a subset of their resources,
• sharing those at their discretion and
• each under their own conditions.
Virtual vs. Organic structure
Figure: Virtual Community C drawn across two organisations.
• Organization A: Person A (Faculty), Person B (Staff), Person C (Student),
  Person D (Staff); Compute Server C1, Compute Server C2, File server F1
  (disks A and B)
• Organization B: Person E (Faculty), Person F (Faculty); Compute Server C3
• Virtual Community C: Person A (Principal Investigator), Person B
  (Administrator), Person D (Researcher), Person E (Researcher);
  Compute Server C1', File server F1 (disk A)
Graphic from Frank Siebenlist, ANL & Globus Alliance,
GGF OGSA Working Group
Stakeholders in Grid Security
• Conceptually, all members of a VO are equal
  • Users can provide their own services
  • Resource provider organisations may or may not have
    personal members (they can just sell resources to a VO)
• No a priori trust relationship between members
  • VO lifetime can vary from hours to decades
  • People (and resources) usually are members of more than one VO
• … but a relation is required
  • as a basis for authorising access
  • for traceability and liability
  • for incident handling, accounting
Building Virtual Organisations
• VOs today are rather long-lived (but not too difficult to set up)
  • HEP physics experiments (10+ yrs)
  • Earth Observation missions (10+ yrs)
  • Earthquake engineering (10+ yrs)
  • LIGO (Gravitational waves) (10+ yrs?)
  • Projects-based ‘aggregate working groups’
    • EGEE bio-medical application area (2+ yr), …
  • …
• Future is likely to bring many shorter-lived VOs
  • ad-hoc collaborations of scientists (~weeks)
  • commercial analysis outsourcing (~days)
  • …
VO embedding today
• as part of a Grid ‘ecosystem’
  where the ecosystem takes care of the end-to-end solution
  • Middleware
  • User support
  • ‘Infrastructure’ (a collective of Resource Centres)
• a single VO per project
  user groups join up together and participate in a single project
  • Implicit sharing agreement between users and centres
  • sharing across all user communities in the project
• ‘non-aligned’ VOs
  • need to build their own hosting environment
  • maybe supported by a ‘big’ partner from another ecosystem
Many Grid Sites Need Interoperation
• In Europe
  • Enabling Grids for E-sciencE (EGEE) (~160 sites)
  • Distributed European Infrastructure for Supercomputer
    Applications (DEISA) (~15 sites)
  • South East European Grid (SEE-GRID) (~30 sites)
  • many national projects (VL-e, D-Grid, UK e-Science)
• In the US
  • Open Science Grid (OSG) (~40 sites)
  • TeraGrid (~5 sites)
  • also many others, like NEESGRID, NASA IPG, …
• Asia-Pacific
  • AP Grid (~10?)
  • Pacific Rim Applications and Grid Middleware Assembly (~15?)
  • …
• LHC Computing Grid Project (global) (~160)
Separating AuthN from AuthZ
• Single Authentication token (“passport”)
  • issued by a trustworthy third party,
  • recognised by many resource providers, users, and VOs
  • satisfies the traceability requirement
  • in itself does not grant any access
  • but provides a high-quality unique binding between
    an identifier and the subject*
  • X.509 certificates in a PKI, cryptographically secured
• Authorisation (“visa”)
  • granted to a person/service or a set of them (a VO)
  • granted by the actual owner (e.g. a site)
  • based on the ‘passport’ name
  • providers define their lists of authorised users & VOs,
    but can still ban individual users within a VO
Grid Authorization today
• Leverages authentication provided by the PKI
  • Identity management decoupled from access control
  • Creation of short-lived ‘tokens’ (‘proxy’ certificates) for
    single sign-on based on these identities
But:
• Variety of mechanisms
  • Per-resource list of authorized users (“grid-mapfile”)
  • Directories of authorized users (VO-LDAP)
  • Embedded assertions (VOMS, CAS)
• Variety of sources of authority
• Semantics to describe roles and rights differ
• No common namespace
• Not integrated with other (site) AA mechanisms yet
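The passport/visa split of the two slides above, written out as an added worked example (my code, not anything from the slides or from the Globus/EGEE middleware they mention). It assumes the plain grid-mapfile line shape `"<subject DN>" <account>` with VO attribute keys in the edg-mkgridmap/LCMAPS style (`/VO=…/GROUP=…/ROLE=…`), strips the proxy CN components that RFC 3820 (`/CN=<serial number>`) and legacy Globus proxies (`/CN=proxy`, `/CN=limited proxy`) append before doing the lookup, and lets a site-local ban list win over any VO grant. All DNs, VO names and account names are constructed.

```python
"""
Worked example (added; not from the slides): the passport/visa split as a
site would implement it. The X.509 subject name is the passport; the
grid-mapfile and the VO attributes are the visa; a site-local ban list
beats any VO grant. Every DN, VO and account below is made up.
"""
import re
from typing import Dict, List, Optional, Tuple

# Passport: recover the end-entity identity from a (possibly) proxy subject.
# RFC 3820 proxies append "/CN=<serial number>" to the issuer's subject; the
# older Globus proxies append "/CN=proxy" or "/CN=limited proxy". Stripping
# these maps a proxy back to the identity the CA actually vetted. Heuristic:
# a real user whose CN is "proxy" or all digits would be mis-stripped.
_PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|[0-9]+)$")


def end_entity_subject(subject: str) -> str:
    """Strip trailing proxy CN components; plain subjects come back unchanged."""
    while True:
        stripped = _PROXY_CN.sub("", subject)
        if stripped == subject:
            return subject
        subject = stripped


# Visa: grid-mapfile lines map a quoted subject, or a VO attribute key
# (edg-mkgridmap / LCMAPS style, e.g. "/VO=atlas/GROUP=/atlas"), to one or
# more comma-separated local accounts; a leading "." marks a pool account.
def parse_gridmap(text: str) -> Dict[str, List[str]]:
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^"([^"]+)"\s+(\S+)$', line)
        if not m:
            # fail closed on anything we cannot parse rather than guess
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        key, accounts = m.group(1), m.group(2).split(",")
        mapping.setdefault(key, []).extend(accounts)
    return mapping


def authorize(subject: str, vo_attrs: List[str], gridmap: Dict[str, List[str]],
              banned: List[str]) -> Tuple[Optional[str], str]:
    """Return (local_account, reason).

    Order of precedence, as the slides put it: the site publishes lists of
    authorised users and VOs but can still ban individuals within a VO, so
    the ban list is checked first, then a direct per-user entry, then the
    VO attributes in the order the VO issued them (primary FQAN first).
    """
    identity = end_entity_subject(subject)
    if identity in banned:
        return None, "identity is on the site ban list"
    if identity in gridmap:
        return gridmap[identity][0], "direct grid-mapfile entry"
    for attr in vo_attrs:
        if attr in gridmap:
            # a real site would lease a free account from the pool;
            # here the pool name itself is returned
            return gridmap[attr][0], f"VO attribute {attr}"
    return None, "no grid-mapfile entry for identity or VO attributes"


SAMPLE_GRIDMAP = """\
# constructed example grid-mapfile; DNs and accounts are fictitious
"/C=XX/O=Example Grid/OU=nikhef.example/CN=Alice Example" alice
"/VO=atlas/GROUP=/atlas/ROLE=production" .atlasprd
"/VO=atlas/GROUP=/atlas" .atlas
"/VO=biomed/GROUP=/biomed" .biomed
"""
SITE_BAN_LIST = ["/C=XX/O=Example Grid/OU=nikhef.example/CN=Mallory Example"]


def demo() -> List[Tuple[Optional[str], str]]:
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    cases = [
        # (subject as seen on the wire, VOMS attributes with the primary first)
        ("/C=XX/O=Example Grid/OU=nikhef.example/CN=Alice Example/CN=1234567890", []),
        ("/C=XX/O=Example Grid/OU=cern.example/CN=Bob Example/CN=proxy/CN=limited proxy",
         ["/VO=atlas/GROUP=/atlas", "/VO=atlas/GROUP=/atlas/ROLE=production"]),
        ("/C=XX/O=Example Grid/OU=nikhef.example/CN=Mallory Example/CN=99",
         ["/VO=atlas/GROUP=/atlas/ROLE=production"]),
        ("/C=XX/O=Example Grid/OU=cern.example/CN=Carol Example",
         ["/VO=cms/GROUP=/cms"]),
    ]
    return [authorize(subj, attrs, gm, SITE_BAN_LIST) for subj, attrs in cases]


if __name__ == "__main__":
    for account, reason in demo():
        print(f"{('ALLOW ' + account) if account else 'DENY':<18} {reason}")
```

The Mallory case is the one the slide is about: a valid passport and a valid VO visa, yet the site's own ban list denies access, because authorisation is always granted by the actual owner of the resource.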
Authentication
Well known X.509 PKIs
• Secure web servers (‘https’) based on PKI
  • Various commercial providers
    Entrust, Thawte, Verisign, SwissSign, …
  • Usually expensive, but they don’t actually assume liability …
    … a rogue person obtained a certificate from Verisign
    asserting he was from Microsoft …
  • Are implicitly trusted by many, since web browsers
    pre-install the roots of trust
    … but did you ever check the policies of all those CAs?
  • But use of commercial CAs does solve the ‘pop-up’ problem
    … so for (web) servers we would still need a pop-up-free service
• National (government) PKIs
  • Slow in the uptake of Directive 1999/93/EC (electronic signatures)
    for the average citizen (but Estonia is now there!)
Hierarchical PKI
• “Hierarchies” are the traditional method of organising trust
• A Relying Party that trusts a top-level policy can implicitly trust
  all subordinates
Diagram: a Top-level CA with Intermediate CA 1, Intermediate CA 2 and
Intermediate CA 3 below it, and end-entity issuing CAs (End-entity
issuing CA 1, EE issuer 2) at the bottom of the tree
• But…
  • By signing a subordinate the CA assumes liability
  • It requires hierarchical control by the top-level CA on the
    subordinates (so that it can ensure policy compliance)
  • It implies a dependency relationship
    (not very well suited to a multi-national trust relationship)
  • Cannot accommodate pre-existing CAs well
• Grids desire to leave the trust decision option to the Relying Party
The Federated PKI for Grid Authentication
Diagram: independent CAs (CA 1, CA 2, CA 3 … CA n) and relying parties
(relying party 1 … relying party n), bound together by the federation
charter, guidelines and acceptance process
• Federation consists of many independent CAs
  • Common minimum requirements
  • Defined and ‘strong’ acceptance process
  • “reasonable” trust level, as required by relying parties
  • no ‘hierarchical top’ to make formal guarantees
Building the federation
• PKI providers (‘CAs’) and Relying Parties (‘sites’)
  together shape minimum requirements (‘guidelines’)
• Authorities testify compliance with these guidelines
  • Peer-review process within the federation
    to (re)evaluate members on entry & periodically
• Reduce effort on the relying parties
  • single document to review and assess for all CAs
• Reduce cost on the CAs:
  • no audit statement needed by certified accountants
  • but participation in the federation does come with a price
• Requires that the federation remains manageable in size
• Ultimate decision always remains with the RP
Relying Party issues to be addressed
Relying Party requests:
1. standard accreditation profiles sufficient to assure
approximate parity in CAs
2. monitor [] signing namespaces for name overlaps
3. a forum [to] participate and raise issues
4. [operation of] a secure collection point for information
about CAs which you accredit
5. common practices where possible
[list courtesy of the Open Science Grid]
Common Guidelines set for all CAs
Diagram: the Federation Document holds the collective, technology-agnostic
requirements (namespace assignments, distribution layout); below it sit the
technology-specific guidelines: Classic X.509 CAs with secured
infrastructure, Short-lived Credential Services, ‘experimental’ CAs, …
Guidelines: common elements
• Coordinated namespace
  • Subject names refer to a unique entity (person, host)
  • Basis for authorization decisions
  • Common Naming
• Common structure for trust anchor distribution in the federation
  • Trusted, redundant, download sources
• Concerns and ‘incident’ handling
  • Guaranteed point of contact
  • Forum to raise issues and concerns
• Requirement for documentation of processes
  • Detailed policy and practice statement
  • Open to auditing by federation peers
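Namespace control and overlap monitoring, as an added worked example (my code, not from the slides or from any PMA tooling), serving both the relying-party request to “monitor signing namespaces for name overlaps” and the “Coordinated namespace” item above. It assumes the Globus/EDG `signing_policy` file format (`access_id_CA`, `pos_rights`, `cond_subjects` with `*` wildcards) as the way a site records which subject namespace each trust anchor may sign. The CA names and namespaces in the sample are constructed, and matching is exact and case-sensitive, which is an assumption of this example rather than a rule taken from the page.

```python
"""
Worked example (added; not from the slides): namespace control on the
relying-party side. Each accredited CA is bound to the subject namespace(s)
it may sign, recorded in the Globus/EDG 'signing_policy' file that sites
ship next to each trust anchor. All CA names and namespaces are invented.
"""
import re
import shlex
from functools import lru_cache
from typing import Dict, List, Tuple

SAMPLE_POLICY = """\
# constructed example: three fictitious CAs and the namespaces they are accredited for
access_id_CA   X509   '/C=XX/O=ExampleGrid/CN=ExampleGrid CA'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=XX/O=ExampleGrid/*"'

access_id_CA   X509   '/C=YY/O=ResearchNet/CN=ResearchNet CA'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=YY/O=ResearchNet/*" "/C=YY/O=*"'

access_id_CA   X509   '/C=YY/O=LabPKI/CN=LabPKI Root'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=YY/O=LabPKI/*"'
"""

# CA subject -> {"rights": [...], "patterns": [...]}
Policy = Dict[str, Dict[str, List[str]]]


def parse_signing_policy(text: str) -> Policy:
    """Parse one or more access_id_CA blocks; unknown keys are ignored."""
    policy: Policy = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles the quoted DN and the quoted pattern list
        if len(tokens) != 3:
            raise ValueError(f"malformed signing_policy line: {raw!r}")
        key, _mechanism, value = tokens
        if key == "access_id_CA":
            current = value
            policy[current] = {"rights": [], "patterns": []}
        elif current is None:
            raise ValueError(f"{key} before any access_id_CA")
        elif key == "pos_rights":
            policy[current]["rights"].append(value)
        elif key == "cond_subjects":
            policy[current]["patterns"].extend(shlex.split(value))
    return policy


def _glob_re(pattern: str) -> "re.Pattern":
    # '*' is the only wildcard; everything else is literal (case-sensitive here)
    return re.compile(re.escape(pattern).replace(r"\*", ".*"))


def may_issue(policy: Policy, issuer: str, subject: str) -> bool:
    """Fail closed: unknown CA, no CA:sign right, or a subject outside the
    CA's accredited namespace all yield False."""
    entry = policy.get(issuer)
    if entry is None or "CA:sign" not in entry["rights"]:
        return False
    return any(_glob_re(p).fullmatch(subject) for p in entry["patterns"])


def globs_overlap(p: str, q: str) -> bool:
    """True if some subject name could match both glob patterns."""
    @lru_cache(maxsize=None)
    def rec(i: int, j: int) -> bool:
        if i == len(p) and j == len(q):
            return True
        if i == len(p):
            return set(q[j:]) == {"*"}
        if j == len(q):
            return set(p[i:]) == {"*"}
        if p[i] == "*" and rec(i + 1, j):      # p's wildcard matches nothing
            return True
        if q[j] == "*" and rec(i, j + 1):      # q's wildcard matches nothing
            return True
        if p[i] == "*" or q[j] == "*":         # a wildcard absorbs one character
            return rec(i, j + 1) if p[i] == "*" else rec(i + 1, j)
        return p[i] == q[j] and rec(i + 1, j + 1)
    return rec(0, 0)


def find_overlaps(policy: Policy) -> List[Tuple[str, str, str, str]]:
    """Pattern pairs from *different* CAs that can match the same subject:
    exactly the name overlap a federation has to monitor."""
    cas = list(policy)
    hits = []
    for a in range(len(cas)):
        for b in range(a + 1, len(cas)):
            for p in policy[cas[a]]["patterns"]:
                for q in policy[cas[b]]["patterns"]:
                    if globs_overlap(p, q):
                        hits.append((cas[a], p, cas[b], q))
    return hits


if __name__ == "__main__":
    pol = parse_signing_policy(SAMPLE_POLICY)
    print(may_issue(pol, "/C=XX/O=ExampleGrid/CN=ExampleGrid CA",
                    "/C=XX/O=ExampleGrid/OU=nikhef.example/CN=Alice Example"))
    for ca1, p, ca2, q in find_overlaps(pol):
        print(f"OVERLAP: {ca1!r} pattern {p!r} vs {ca2!r} pattern {q!r}")
```

The overlap reported for the sample is the interesting case: `/C=YY/O=*` is broad enough to cover the whole of LabPKI's namespace, so a certificate with a LabPKI-style subject signed by ResearchNet would pass `may_issue` at every site, and the federation, not any single site, is the place where that has to be caught.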
Guidelines: secured X.509 CAs
• Identity vetting procedures
  • Based on (national) photo IDs
  • Face-to-face verification of applicants
    via a network of Registration Authorities
  • Periodic renewal (once every year)
  • Record retention for at least 3 years
• Secure operation
  • off-line signing key or special (FIPS 140-2 level 3 or better) hardware
• Response to incidents
  • Timely revocation of compromised certificates
Guidelines: short-lived credential service
• Issue short-lived credentials (for grid: proxies)
  based on another site-local authentication system
  • e.g. Kerberos CA based on existing administration
• Same common guidelines apply
  • documented policies and processes
  • a reliable identity vetting mechanism
  • accreditation of the credential issuer with a PMA
  • identity vetting data retention
• Same X.509 format, but no long-term user-held secrets
• New profile by TAGPMA in the Americas
Guidelines: ‘Active Certificate Stores’
• Secure key/cert storage for end-users
  • Protected by alternative means
    • by checking identity with the home organisation
    • via one-time pads issued by the credential store
    • …
  • Backed by a “traditional” CA
  • Releases short-lived tokens (RFC 3820 “proxy” certs)
  • ACS hosted by a trusted party (CA, NREN, Operations Center, …)
Profile yet to be written
Guidelines: ACS diagram
Diagram: the actors are the user, the ACS Secured Environment, the CA, and
the Home Organisation with Alternate Mechanisms. Step labels recovered from
the figure:
1. and 1a. & 7.: authenticate
2.: Request (on behalf of user)
3./4.: validate (Home Organisation / Alternate Mechanisms)
5.: issue and store
6.: Proxy req
8.: Issue delegation
The EUGridPMA origins: the EDG CACG
History
• The EU DataGrid in 2000 needed a PKI for the test bed
  • Both end-user and service/host PKI
  • The CACG had the task of creating this PKI
  • for Grid Authentication only:
    no support for long-term encryption or digital signatures
• A single CA was not considered acceptable
  • Single point of attack or failure
• One CA per country, large region or international organization
  • CA must have a strong relationship with RAs
  • Some pre-existing CAs
• A single hierarchy would have excluded existing CAs and
  was not convenient to support with existing software
• A coordinated group of peer CAs was the most suitable choice
  • Based on “reasonable procedures” and “acceptable methods”
The EUGridPMA “constitution”
EUGridPMA founded April 2004 as a successor to the CACG
The European Policy Management Authority for Grid Authentication
in e-Science (hereafter called EUGridPMA) is a body
• to establish requirements and best practices for grid identity
  providers
• to enable a common trust domain applicable to authentication of
  end-entities in inter-organisational access to distributed
  resources.
As its main activity the EUGridPMA
• coordinates a Public Key Infrastructure (PKI)
  for use with Grid authentication middleware.
The EUGridPMA itself does not provide identity assertions,
but instead asserts that – within the scope of this charter –
the certificates issued by the Accredited Authorities meet
or exceed the relevant guidelines.
EUGridPMA Membership
EUGridPMA membership for (classic) CAs:
• A single Certification Authority (CA)
  • per country,
  • large region (e.g. the Nordic Countries), or
  • international treaty organization.
• The goal is to serve the largest possible community
  with a small number of stable CAs
  • operated as a long-term commitment
Many CAs are operated by the (national) NREN
(CESNET, ESnet, Belnet, NIIF, EEnet, SWITCH, DFN, … )
or by the e-Science programme/science foundation
(UK eScience, VL-e, CNRS, … )
CA Coverage of the EUGridPMA
Map of Europe (legend):
• Green: CA Accredited
• Yellow: RealSoonNow™ (BalticGrid, Turkey/ULAKBIM, RedIRIS)
Other Accredited CAs:
• DoEGrids (US)
• GridCanada
• ASCCG (Taipei)
• ArmeSFO (Armenia)
• CERN
• Russia (“RDIG”)
• Israel (IUCC)
• Pakistan
• IHEP (Beijing)
… and can we leverage other (national) AuthN infrastructures?
EUGridPMA major relying parties
• All EU 6th framework e-Infrastructure projects
  • EGEE
  • DEISA
  • SEE-GRID
• LHC Computing Grid Project (“LCG”)
• Open Science Grid (US)
• National projects, like (non-exhaustive):
  • UK eScience programme
  • Virtual Lab e-Science, NL
  • …
History: Growth of the CACG & EUGridPMA
Figure: number of accredited CAs per quarter, from Mar-01 to Dec-04
(y-axis 0 to 35)
Extending Trust:
IGTF – the International Grid Trust Federation
• common, global best practices for trust establishment
• better manageability and response of the PMAs
Diagram: the three member PMAs: APGridPMA (Asia-Pacific Grid PMA),
EUGridPMA (European Grid PMA) and TAGPMA (The Americas Grid PMA)
APGridPMA
• 13 members from the Asia-Pacific Region,
  chaired by Yoshio Tanaka (AIST)
  • AIST (.jp)
  • APAC (.au)
  • BMG (.sg)
  • CMSD (.in)
  • HKU CS SRG (.hk)
  • KISTI (.kr)
  • NCHC (.tw)
  • NPACI (.us)
  • Osaka U. (.jp)
  • SDG (.cn)
  • USM (.my)
  • IHEP Beijing (.cn)
  • ASGCC (.tw)
• Launched June 1st, 2004
• 4 ‘production-quality’ CAs
• Pioneered the ‘experimental’ profile
TAGPMA
• 10 members to date,
  chaired by Darcy Quesnel (Canarie)
  • Canarie (.ca)
  • OSG (.us)
  • TERAGRID (.us)
  • Texas H.E. Grid (.us)
  • DOEGrids (.us)
  • SDSC (.us)
  • FNAL (.us)
  • Dartmouth (.us)
  • Umich (.us)
  • Brazil (.br)
• Launched June 28th, 2005
• Pioneered the new “SLCGS” (Kerberos CA et al.)
IGTF document structure
Diagram: the IGTF Federation Document ties together the three PMAs, each
listing its accredited CAs (APGridPMA: CA A1, …; EUGridPMA: CA E1, CA E2, …;
TAGPMA: CA T1, …), the trust relations between them, and the common parts:
Subject Namespace Assignment, Distribution, Naming Conventions, and the
Common Authentication Profiles: Classic (EUGridPMA) and “SLCGS” (TAGPMA)
Relationships: IGTF, PMAs, TACAR and GGF
Timeline
• March 2005: IGTF Draft Federation Document at GGF13
• June 28th: TAGPMA founded at GGF14
• July 27th: APGridPMA approved draft 0.7
• September: EUGridPMA meeting on approval
• October 3-4 (planned): formal foundation of the IGTF
TACAR
A trusted repository which can contain verified root-CA certificates.
The certificates to be collected are those directly managed by the
member NRENs, or belonging either to a National Academic PKI in
the TERENA member countries (NPKIs), or to non-profit research
projects directly involving the academic community.
• Authoritative source for validation of trust anchors
  • independent web administration makes for stronger trust
  • TACAR certificate itself published in paper/journals
• over 20 CA root certificates collected (not only for grid use)
EUGridPMA and TACAR
Along the e-IRG Roadmap
e-IRG: e-Infrastructure Reflection Group Roadmap for i2010:
• commitment to the federated approach
• vision of an integrated AA infrastructure for eEurope
Towards an integrated AAI for academia in Europe and beyond
“The e-IRG notes the timely operation of the EUGridPMA in
conjunction with the TACAR CA Repository and it expresses its
satisfaction for a European initiative that serves e-Science Grid
projects. […] The e-IRG strongly encourages the EUGridPMA /
TACAR to continue their valuable work […]”
(Dublin, 2004)
“The e-IRG encourages work towards a common federation for
academia and research institutes that ensures mutual recognition
of the strength and validity of their authorization assertions.”
(The Hague, 2005)
Authorization
Next: Authorization Interoperation?
• Interoperation requirements for authorization
  • common semantics of attributes
  • honour the ultimate source of authority:
    but where is that source? what is the authorization language?
• Variety of different mechanisms
  • different target audiences lead to different approaches
    • (wireless) network roaming
    • Access to supercomputers, large clusters, storage
    • Access to licensed database content (e.g. genomics, libraries)
  • Existing community organisation differences
Authorization Attributes
• Various mechanisms need glue
  • VO directory/VOMS mechanisms, Shibboleth, Géant2 AAI, …
  • developments are getting under way
• Variety in semantics
  • different names for roles and attributes
  • incompatible (policy) languages
• Federations like the PMA are needed for Authorization
  • coordinate semantics
  • secure collection of Authorization trust anchors
  • mutual recognition of authorization “value”
    (not authorization itself, of course)
  • concertation via TERENA TF-EMC2, JSPG, …
Making a Grid Community Actually Work
• VOs need services to manage membership
  • directory service, attribute issuing
  • not so much ‘machines’, but ‘people’ and ‘time’
• Operational problems and incidents
  • where can users go with their problems?
  • how to stop and prevent incidents?
  • contact management?
• Central services
  • information services (where are my resources?)
  • brokering? Cataloguing?
• Hosting provided by the “native” organisation
  or home organisation of the PI? or …
A grid Ecosystem can help significantly here
Summary
• Grid Security: Authentication and Authorization
• Who am I:
  • Common trust domain exists via EUGridPMA and IGTF
  • Coordinated minimum requirements
  • different authentication profiles
  • Recognised by many projects & supported by the e-IRG
• What can I do:
  • no unified scheme for authorization (yet)
  • coordination under way in TF-EMC2 and EGEE
  • Authorisation Federations
    are the next big challenge for Grid and an eEurope
• How can I do it:
  • who runs the actual services:
    Ecosystem, VO, PI home organisation, …
http://www.eugridpma.org/