Establishing Identity in EGI
the authentication trust fabric of the IGTF and EUGridPMA
David Groep, FOM-Nikhef and NL-NGI for EGI global task O-E-15
This work is supported by EGI-InSPIRE under NA2
Roles of authentication
EUGridPMA and IGTF (the International Grid Trust Federation) are about authentication, i.e. establishing identity.
Why do you need to establish identity?
• Access control to resources and services
• Incident management and auditing
• Accounting, auditing, &c…
Here we focus on authenticating individuals
• natural persons, hosts, services, software agents
Access Control Points
• Authorization
  • based on the unique AuthN ID
  • grants or denies access
  • several control points:
    - VO: must be a member of the community; only work within the common AUP
    - site: has a list of VOs plus a ban list
• Authentication
  • each person has a globally unique name
  • identification only
  • persons may have more than one ID
Coordinating identity: the trust fabric
• Guaranteed uniqueness, authenticity and compliance with the technical requirements for identity need coordination
  • these guidelines constitute a (technical) policy
  • the group responsible for setting and verifying them is thus a Policy Management Authority (‘PMA’)
• It needs to work across many grids (across NGIs, EGI, OSG, LCG, DEISA/PRACE, TeraGrid, ...)
  • user communities span multiple infrastructures
  • so the coordination needs to be global as well
The EUGridPMA
The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body
• to establish requirements and best practices for grid identity providers
• to enable a common trust domain applicable to the authentication of end-entities in inter-organisational access to distributed resources.
The EUGridPMA itself does not provide identity assertions, but instead asserts that, within the scope of its charter, the assertions issued by the Accredited Authorities meet or exceed the relevant guidelines.
https://www.eugridpma.org/
EUGridPMA organisation
• Established April 1st 2004 by founding members
  • national identity authorities from the EU DataGrid and CrossGrid CA Coordination Group
  • EGEE, DEISA, SEE-GRID, TERENA as relying parties
• Today 46 members
  • 5 cross-national relying parties (EGI, DEISA, OSG, TERENA, wLCG)
  • 41 identity authorities (“CAs”)
https://www.eugridpma.org/members/
EUGridPMA Activities
• Establishing Authentication Guidelines
  • technical policies defining minimum requirements that authorities must meet or exceed
  • matched to the level of assurance (LoA) needed for the authorization decisions by the relying parties (resource centres, data owners, ...)
• Reviewing compliance of new authorities with respect to these guidelines
• Periodic peer-reviewed re-assessments
• Providing a technical source of ‘trust anchors’ for accredited authorities
  • categorised by LoA, verification via TERENA TACAR
https://www.eugridpma.org/guidelines/
Global coordination
• International Grid Trust Federation – IGTF
• Three ‘regionals’: EUGridPMA, APGridPMA, TAGPMA
• Strongly coordinated: accrediting to common standards
http://www.igtf.net/
Implementing the Acceptable CAs
• EGI policy on Approved Authorities: all IGTF Authorities compliant with the defined assurance level
• Grid participants in EGI are supposed to install all approved trust anchors
  • in as far as allowed by site, organisational and national policies
  • site, organisational and national policy takes precedence
  • report deviations to the EGI Security Officer as per the general Grid Security Policy
• Grid participants may install other trust anchors
  • e.g. authorities for site or national training purposes
  • local authorities or local translators (e.g. SARoNGS)
https://documents.egi.eu/document/83
EGI ‘CA distribution’
• EGI policy supported by technical infrastructure: the ‘ca-policy-egi-core’ package
  • provided as a convenience service for sites/NGIs
  • originated in EUDataGrid/LCG/EGEE as ‘lcg-CA’
  • a collection of trust anchor certificate files & metadata
  • a re-distribution of the IGTF trust anchors
  • packaged as RedHat Package Manager (RPM)
  • provided, for as long as needed by the NGIs, via support (0.05 FTE) by EGI-InSPIRE under SA1
  • but several sites and NGIs already build their own...
Trust & AuthN implications
• Both adding trust anchors locally and sub-setting trust anchors are compliant with standing EGI policy today
  • when sub-setting: report to the security officer, since it leads to unmanaged exceptions in infrastructure operations
  • it breaks intra- and inter-grid interoperability, so both the site and its users have to deal with the consequences
• The effect of sub-setting trust anchors may not be what you would expect, due to
  • jointness policy requirements for multi-grid affiliates
  • the constituencies & scopes of identity providers in the IGTF and underlying academic federations
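As an added illustration (not part of the slides or of any EGI/IGTF software), the following constructed Python model walks through the chain from the Access Control Points slide (authentication of a unique name, then the VO check, then the site's VO list and ban list) and shows why a site that locally sub-sets its trust anchors ends up denying a user whom the VO and the site's own VO policy would accept. All authority names, subject names, VO names and site data are constructed placeholders.

```python
"""Constructed model (not project code) of the EGI access-control chain:
authentication only establishes a globally unique name; access is then
decided separately by the VO and by the site (VO list plus ban list)."""
from dataclasses import dataclass, field

@dataclass
class Site:
    trust_anchors: set        # issuer names whose trust anchors the site installed
    accepted_vos: set         # VOs the site supports
    banned_dns: set = field(default_factory=set)   # site ban list

@dataclass
class Credential:
    subject_dn: str           # globally unique authenticated name
    issuer_dn: str            # the accredited authority that issued it

def authenticate(cred: Credential, site: Site) -> bool:
    """Identification only: the issuer must be an installed trust anchor."""
    return cred.issuer_dn in site.trust_anchors

def decide_access(cred: Credential, vo: str, vo_members: dict, site: Site) -> str:
    """Authorization control points, applied in order to the unique AuthN ID."""
    if not authenticate(cred, site):
        return "denied: issuer not among this site's trust anchors"
    if cred.subject_dn not in vo_members.get(vo, set()):
        return "denied: not a member of VO " + vo
    if vo not in site.accepted_vos:
        return "denied: VO not supported at this site"
    if cred.subject_dn in site.banned_dns:
        return "denied: subject is on the site ban list"
    return "granted"

# Constructed sample data: two accredited authorities, one VO, two sites.
CA_A = "/DC=example/CN=Constructed Authority A"
CA_B = "/DC=example/CN=Constructed Authority B"
ALICE = Credential("/DC=example/CN=Alice", CA_A)
BOB = Credential("/DC=example/CN=Bob", CA_B)
VO_MEMBERS = {"vo.example": {ALICE.subject_dn, BOB.subject_dn}}
FULL_SITE = Site({CA_A, CA_B}, {"vo.example"}, banned_dns={ALICE.subject_dn})
SUBSET_SITE = Site({CA_A}, {"vo.example"})   # dropped Authority B locally

def demo() -> dict:
    """Returns the decision for each (user, site) pair for inspection."""
    return {
        "alice@full": decide_access(ALICE, "vo.example", VO_MEMBERS, FULL_SITE),
        "bob@full": decide_access(BOB, "vo.example", VO_MEMBERS, FULL_SITE),
        "bob@subset": decide_access(BOB, "vo.example", VO_MEMBERS, SUBSET_SITE),
    }
```

Bob is a valid VO member and the sub-setting site supports his VO, yet he is denied there because his authority's trust anchor was dropped; this is the interoperability break the slide refers to, and it is a local decision the VO cannot see or fix.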
Summary
• Authentication
  • is the basis for granting and denying access by VOs and resource centres
  • does not grant any access rights in or by itself
  • allows incident response & auditing of ‘undesired access attempts’
• EUGridPMA and IGTF provide
  • a global authentication trust fabric across infrastructures,
  • according to scoped technical security policies,
  • based on many autonomous authentication authorities
• Standing EGI security policies leverage the IGTF
  • acknowledging site and national policy primacy
  • sub-setting the endorsed set is unlikely to have the expected effect
Discussion