European Grid Policy Management Authority


EUGridPMA and the e-IRG security roadmap:
towards interoperable policies in identity management
GGF16 Production Grids Enterprise and Research Workshop
David L. Groep, EUGridPMA, 2006-02-15
Outline
• A few words on the Grid Security Model
• Towards inter-working identity management
  • Policies for Authentication Federation
  • EUGridPMA
  • IGTF
  • e-IRG roadmap
• Towards integrated Authentication and Authorization
David Groep – [email protected]
GGF16 Workshop on Production Grids – Feb 2006
Essentials on Grid Security
• Access to shared services
  • cross-domain authentication, authorization, accounting, billing
  • common generic protocols for collective services
• Support multi-user collaboration
  • may contain individuals acting alone; their home organization administration need not necessarily know about all activities
  • organized in ‘Virtual Organisations’
• Enable ‘easy’ single sign-on for the user
  • the best security is hidden from the user as much as possible
Virtual vs. Organic structure
• Virtual communities (“virtual organisations”) are many
• An individual will typically be part of many communities
  • but will require single sign-on across all these communities
[Figure: two organic structures, Organization A and Organization B, each with persons in their organic roles (Faculty, Staff, Student, Administrator) and their own compute servers (C1, C2, C3) and file servers (F1, disks A and B); a Virtual Community C overlays both, in which the same persons appear as Principal Investigator and Researchers using a subset of those resources. Graphic: GGF OGSA Working Group]
Stakeholders in Grid Security
Current grid security is largely user centric
• different roles for the same person in the organic unit and in the VO
• There is no a priori trust relationship between members or member organisations
• Virtual Organisation lifetime can vary from hours to decades
  • VO not necessarily persistent (both long- and short-lived)
  • people and resources are members of many VOs
• … but a relationship is required
  • as a basis for authorising access
  • for traceability and liability, incident handling, and
Separating Authentication and Authorization
• Single Authentication token (“passport”)
  • issued by a party trusted by all (“CA”)
  • recognised by many resource providers, users, and VOs
  • satisfies the traceability and persistency requirement
  • in itself does not grant any access, but provides a unique binding between an identifier and the subject
• Per-VO Authorisations (“visa”)
  • granted to a person/service via a virtual organisation
  • based on the ‘passport’ name
  • acknowledged by the resource owners
  • providers can obtain lists of authorised users per VO, but can still ban individual users
Authentication … academia, industry, and …
Possible sources of authentication and identity
• National PKI
  • in general uptake of 1999/93/EC and e-Identification is slow
  • where available, a national PKI can be leveraged
• Several commercial providers
  • main commercial drive today: secure e-commerce based on SSL
  • thus primary market is server authentication, not end-user identities
  • are implicitly trusted by many, because web browsers pre-install the roots of trust
  • WebTrust “seal of approval” scope limited to a single Authority
• Academic Grid PKI today
  • provide end-user identities for secure mail and grid use
  • generally provided by the NREN or national e-science project
A Federation Model for Grid Authentication
[Figure: CA 1, CA 2, CA 3 … CA n and relying party 1 … relying party n, bound together by a charter, guidelines and an acceptance process]
• A Federation of many independent CAs
• Policy coordination based on common minimum requirements (not ‘policy harmonisation’)
• Acceptable for major relying parties in Grid Infrastructures
• No strict hierarchy with a single top
  • spread liability and enable failure containment (better resilience)
  • maximum leverage of national efforts and subsidiarity
Building the federation
• Providers and Relying Parties together shape the common minimum requirements
  • Several profiles for different identity management models and different technologies
• Authorities testify to compliance with profile guidelines
  • Peer-review process within the federation to (re)evaluate members on entry and periodically
• Reduce effort on the relying parties
  • single document to review and assess for all Authorities
  • collective acceptance of all accredited authorities
• Reduce cost on the authorities
  • but participation in the federation comes with a price
• … the ultimate decision always remains with the RP
EUGridPMA: the Federation in Europe
EUGridPMA founded April 2004, as a successor to the CACG
The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body
• to establish requirements and best practices for grid identity providers
• to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources.
As its main activity the EUGridPMA
• coordinates a Public Key Infrastructure (PKI) for use with Grid authentication middleware.
The EUGridPMA itself does not provide identity assertions, but instead asserts that, within the scope of this charter, the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.
EUGridPMA Membership
EUGridPMA membership for Authorities
• a single Authority per country, large region or international treaty organization
• ‘serve the largest possible community with a small number of stable CAs’
• ‘operated as a long-term commitment’
Relying Parties: major e-Infrastructures or partner organisations
• DEISA, EGEE, SEE-GRID, TERENA, …
Coverage of the EUGridPMA
[Map] Green: Countries with an accredited CA
• The EU member states (except LU, MT)
• + AM, CH, IL, IS, NO, PK, RU, TR, “SEE-catch-all”
Other Accredited CAs:
• DoEGrids (.us)
• GridCanada (.ca)
• CERN
• ASGCC (.tw)*
• IHEP (.cn)*
* Migrated to APGridPMA per Oct 5th, 2005
Growth of the EDG CACG and EUGridPMA
[Chart: number of accredited CAs over time, vertical axis 0 to 40, horizontal axis from Mar-01 to Sep-05 in half-year steps]
Five years of growth
December 2000: First CA coordination meeting for the FP5 DataGrid project
March 2003: Tokyo Accord (GGF7)
April 2004: Foundation of the EUGridPMA
June 2004: Foundation of the APGridPMA
June 2005: Foundation of TAGPMA (GGF14)
5 October 2005: Establishment of the International Grid Trust Federation (IGTF)
…
2005: Extending Trust – the International Grid Trust Federation
• common, global best practices for trust establishment
• better manageability of the PMAs
[Figure: the three regional PMAs forming the IGTF: the European Grid PMA (EUGridPMA), the Asia Pacific Grid PMA (APGridPMA) and The Americas Grid PMA (TAGPMA)]
APGridPMA
• 13 members from the Asia-Pacific Region:
  • AIST (.jp)
  • NPACI (.us)
  • APAC (.au)
  • Osaka U. (.jp)
  • BMG (.sg)
  • SDG (.cn)
  • CMSD (.in)
  • USM (.my)
  • HKU CS SRG (.hk)
  • IHEP Beijing (.cn)
  • KISTI (.kr)
  • ASGCC (.tw)
  • NCHC (.tw)
• Launched June 1st, 2004, chaired by Yoshio Tanaka
• Minimum Requirements taken from EUGridPMA
• First face-to-face meeting on Nov 29th, 2005
• Today 6 ‘production-quality’ authorities
(See subsequent presentation by Yoshio Tanaka, AIST and APGridPMA)
TAGPMA
• To cover all of the Americas
• 8 members to date:
  • SDSC (.us)
  • Canarie (.ca)
  • FNAL (.us)
  • OSG (.us)
  • Dartmouth (.us)
  • TERAGRID (.us)
  • Texas H.E. Grid (.us)
  • DOEGrids (.us)
  • Brazil (pending)
• Launched June 28th, 2005, chaired by Darcy Quesnel, CANARIE
(See subsequent presentation by Darcy Quesnel, CANARIE and TAGPMA)
IGTF Federation Common Policy
[Figure: the IGTF Federation Document binds the three PMAs and their accredited CAs (APGridPMA: CA A1, …; EUGridPMA: CA E1, CA E2, …; TAGPMA: CA T1, …) through trust relations, Subject Namespace Assignment, Common Authentication Profiles (Classic, from EUGridPMA; SLCS, from TAGPMA), Distribution, and Naming Conventions]
worldwide relying parties see a uniform IGTF “mesh”
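The following is an added example, not code from the slides or from the EUGridPMA/IGTF: it models a relying party's decision in the “passport / visa” model of the Separating Authentication and Authorization slide, together with the subject namespace assignment shown in the IGTF federation figure. The accredited-CA table, VO lists, DN values and the prefix-match interpretation of a namespace are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample of an accredited-CA distribution (not a real IGTF file):
# each CA is listed with its profile and the subject namespace(s) it may issue in.
ACCREDITED_CAS = {
    "/C=NL/O=Example/CN=Example Classic CA": {
        "profile": "classic", "namespaces": ("/C=NL/O=Example/",)},
    "/DC=org/DC=example/CN=Example SLCS": {
        "profile": "slcs", "namespaces": ("/DC=org/DC=example/",)},
}

@dataclass(frozen=True)
class Passport:
    """The authentication token: a CA-issued binding between a subject name
    and a person. By itself it grants no access."""
    issuer: str
    subject: str

def check_passport(p: Passport) -> Optional[str]:
    """Return None if the passport is acceptable, else the rejection reason.
    The issuer must be an accredited CA, and the subject must lie inside the
    namespace assigned to that CA (assumed here to be a DN prefix match)."""
    entry = ACCREDITED_CAS.get(p.issuer)
    if entry is None:
        return "issuer not accredited"
    if not any(p.subject.startswith(ns) for ns in entry["namespaces"]):
        return "subject outside the issuer's assigned namespace"
    return None

def decide(p: Passport, vo: str, vo_members: Dict[str, Set[str]],
           local_bans: Set[str]) -> Tuple[bool, str]:
    """The 'visa' step: the VO grants membership on the passport name and the
    resource owner acknowledges that list, but may still ban individuals."""
    reason = check_passport(p)
    if reason is not None:
        return False, "authentication failed: " + reason
    if p.subject in local_bans:
        return False, "banned by the resource owner"
    if p.subject not in vo_members.get(vo, set()):
        return False, "not authorised by VO " + vo
    return True, "accredited passport and member of VO " + vo

# Constructed sample data: one VO membership list and one local ban list.
VO_MEMBERS = {"biomed": {"/C=NL/O=Example/CN=Alice",
                         "/DC=org/DC=example/CN=Bob"}}
LOCAL_BANS = {"/DC=org/DC=example/CN=Bob"}
```

A subject issued by an accredited CA but outside that CA's namespace is rejected at the passport step, before any VO list is consulted.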
e-Infrastructure Reflection Group
e-IRG (www.e-irg.org)
• Recommends best practices for European grid efforts
• Policy coordination for the European Research Area
  • Resource sharing policies
  • Registry of resources (economy of scale advantages)
  • Synergies between Europe and other regions
  • e-Infrastructure Roadmap and FP7+
• Support and encourage pan-European interoperability
  • Such as EUGridPMA, TACAR
Along the e-IRG Roadmap
e-Infrastructure Reflection Group White Paper on Authentication and Authorization
• commitment to the federated approach
• vision of an integrated AA infrastructure for eEurope
Towards an integrated AAI for academia in Europe and beyond

“The e-IRG notes the timely operation of the EUGridPMA in conjunction with the TACAR CA Repository and it expresses its satisfaction for a European initiative that serves e-Science Grid projects. […] The e-IRG strongly encourages the EUGridPMA / TACAR to continue their valuable work […]” (Dublin, 2004)

“The e-IRG encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions.” (The Hague, 2005)
Grid Authorization today
Leverages authentication provided by the PKI
• Identity management decoupled from access control
• Creation of short-lived ‘tokens’ (‘proxy’ certificates) for single sign-on based on these identities
Status today
• Variety of mechanisms
• Variety of sources of authority
• Integration and interoperability needs significant effort …
Convergence initiatives in AAI
• from the PMA side
  • Extending PMA and the IGTF to more countries and regions, and to more mechanisms and audiences
• from TERENA
  • NRENs-GRID workshop series
  • TF-EMC2 / TF-Mobility
  • REFEDS – Research and Education Federations
    • broad AAI scope: IGTF, eduroam, A-Select, PAPI, SWITCH-AAI, InCommon, HAKA, FEIDE/Moria
    • See http://www.terena.nl/tech/refeds/
• in GGF
  • …
With the current technical and policy momentum, a coordinated AAI is now both timely and within reach!
EUGridPMA – http://www.eugridpma.org/
IGTF – http://www.gridpma.org/
e-IRG – http://www.e-irg.org/