150 likes | 288 Views
DataGrid WP 6/CA CA Trust Matrices. Trinity College Dublin (TCD) Brian Coghlan. Edinburgh JUL -2002. PPARC (UK) NIKHEF (Nethelands) INFN (Italy). Main Partners CERN (Switzerland) ESA/ESRIN (Italy) CNRS (France). EU DataGrid Project. Industrial Partners Datamat (Italy) IBM-UK (UK)
E N D
DataGrid WP6/CACA Trust Matrices Trinity College Dublin (TCD) Brian Coghlan EdinburghJUL-2002
PPARC (UK) • NIKHEF (Nethelands) • INFN (Italy) • Main Partners • CERN (Switzerland) • ESA/ESRIN (Italy) • CNRS (France) EU DataGrid Project • Industrial Partners • Datamat (Italy) • IBM-UK (UK) • CS-SI (France) • Research and Academic Institutes • CESNET (Czech Republic) • Commissariat à l'énergie atomique (CEA) – France • Computer and Automation Research Institute, Hungarian Academy of Sciences (MTA SZTAKI) • Consiglio Nazionale delle Ricerche (Italy) • Helsinki Institute of Physics – Finland • Institut de Fisica d'Altes Energies (IFAE) - Spain • Istituto Trentino di Cultura (IRST) – Italy • Konrad-Zuse-Zentrum für Informationstechnik Berlin - Germany • Royal Netherlands Meteorological Institute (KNMI) • Ruprecht-Karls-Universität Heidelberg - Germany • Stichting Academisch Rekencentrum Amsterdam (SARA) – Netherlands • Swedish Research Council - Sweden
EU CrossGrid Project • 21 Partners • led by Cyfronet (Poland) • 11 Countries • Poland • Netherlands • Germany • Spain • Italy • Portugal • Greece • Austria • Slovakia • Cyprus • Ireland
DataGrid:security • No single work package (security is everywhere!) • 3 sub-groups: Authentication, Authorisation, & Co-ordination • Chaired by Dave Kelsey, RAL • Now based on Globus GSI • authentication using PKI (X.509 certificates) • authorization via DataGrid tools • Trying not to mix Authentication and Authorisation • Documents: • Security Requirements and first implementation (D7.5) • Security Design and 2nd implementation (Jan 2003)
DataGrid: authentication • Grids involve N-way contexts • Thus each party is worried about all the others • Back at the CA, each CA wants to evaluate the other CA • EITHER that they meet the CA’s minimum standard • OR that they meet an agreed common standard • EDG focus is on common standard • This results in a Trust Matrix
DataGrid: authentication • involves cross-domain authentication between Grid projects • now 13 approved National Certificate Authorities • includes Registration Authorities – check identity • CNRS (France) acts as “catch-all” CA with RA mechanism to suit • USA (DOE) is a member of the CA group and trust matrix • CrossGrid CAs are currently joining CA group and trust matrix
Matrix of trust • How to establish the trust ? • CA Mgrs check each other against agreed list of minimum requirements • currently require inspection of each CA’s CPS by each other CA • software being developed to aid this process • CP/CPS important • audit of CA procedures will help • none done yet • use 3rd party? • GGF GridCP and CA-Operations WG’s considered important
Matrix of trust • Scaling problems • how many CA’s can we cope with [soon ~20] ? • the process is very manual • personal contacts are fundamental • WANT TO MAKE EVALUATION MORE AUTOMATIC • software being developed to aid this process • based on evaluation of the CA Feature Matrix
Basic Concepts • Issues: • postulate: (condition) (issue) • e.g. (BasicConstraints_value ne ‘CA’) (major issue) • Grading: • i.e. assign an issue a weight • Constraint: • issues of a certain class should be constrained to that class • e.g. many minor issues do not make a major issue • Aggregation: • aggregate graded issues in a measure of ‘severity’ • e.g. (severity @ major) = (graded major issues)limit=1.0
Currently [JUL-2002] • per class: (severity @ class) = (graded class issues)limit=1.0 • max_severity: (severity) for most critical class with issues • postulate: acceptance_level = Tacceptance – (max_severity) • where:Tacceptance == (worst-case max_severity) • e.g, assume: Tacceptance = 3.0 • therefore: max_severity = [0.0 .. 3.0] • and: acceptance_level = [3.0 .. 0.0] • This is the WORKING BASIS for manual evaluation
Auto-evaluation • move to extract issues automatically • from what ? • initially from Feature Matrix • later from CA certs & CRLs ?
Extraction from Feature Matrix • since: (condition) (graded issue) • then must define condition per feature {rules} • e.g.: (name eq ‘NIL’) (graded issue) • thus:if (name eq ‘NIL’) (graded issue) == (coefficient @ class) • per class:(severity) == (graded issues)limit=1.0 • EDG can define its common rule set • each CA could define its own overrides to the rule set • ultimately each VO could define its own rule set
Acceptance/Feature Matrices THE END