180 likes | 207 Views
Grids & PKI: TAGPMA & Bridges (Scott Rea – Dartmouth College) Internet2 Member Meeting, Dec 2006 PKI Implementers Workshop - Chicago, IL. International Grid Trust Federation. IGTF Purpose: Manage authentication services for global computational grids via policy and procedures IGTF goal:
E N D
Grids & PKI: TAGPMA & Bridges(Scott Rea – Dartmouth College) Internet2 Member Meeting, Dec 2006 PKI Implementers Workshop - Chicago, IL
International Grid Trust Federation • IGTF Purpose: • Manage authentication services for global computational grids via policy and procedures • IGTF goal: • harmonize and synchronize member PMAs policies to establish and maintain global trust relationships • IGTF members: • 3 regional Policy Management Authorities • EUgridPMA • APgridPMA • TAGPMA
IGTF general Architecture • The member PMAs are responsible for accrediting authorities that issue identity assertions. • The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers. • The management and continued evolution of an AP is assigned by the IGTF to a specific member PMA. • Proposed changes to an AP will be circulated by the chair of the PMA managing the AP to all chairs of the IGTF member PMAs. • Each of the PMAs will accredit credential-issuing authorities and document the accreditation policy and procedures. • Any changes to the policy and practices of a credential-issuing authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.
EUGridPMA members and applicants Green: EMEA countries with an Accredited Authority • 23 of 25 EU member states (all except LU, MT) • + AM, CH, HR, IL, IS, NO, PK, RU, TR Other Accredited Authorities: • DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all
EUgridPMA Membership • Under “Classic X.509 secured infrastructure” authorities • accredited: 38 (recent additions: CERN-IT/IS, SRCE) • active applicants: 4 (Serbia, Bulgaria, Romania, Morocco) • Under “SLCS” • accredited: 0 • active applicants: 1 (SWITCH-aai) • Under MICS draft • none yet of course, but actually CERN-IS would be a good match for MICS as well • Major relying parties • EGEE, DEISA, SEE-GRID, LCG, TERENA
Map of the APGrid PMA • General Membership • U. Hong Kong (China) • U. Hyderabad (India) • Osaka U. (Japan) • USM (Malaysia) • Ex-officio Membership • APAC (Australia) • CNIC/SDG, IHEP (China) • AIST, KEK, NAREGI (Japan) • KISTI (Korea) • NGO (Singapore) • ASGCC, NCHC (Taiwan) • NECTEC, ThaiGrid (Thailand) • PRAGMA/UCSD (USA)
9 Accredited CAs In operation AIST (Japan) APAC (Australia) ASGCC (Taiwan) CNIC (China) IHEP (China) KEK (Japan) NAREGI (Japan) Will be in operation NCHC (Taiwan) NECTEC (Thailand) 1 CA under review NGO (Singapore) Will be re-accredited KISTI (Korea) Planning PRAGMA (USA) ThaiGrid (Thailand) General membership Osaka U. (Japan) U. Hong Kong (China) U. Hyderabad (India) USM (Malaysia) APgridPMA Membership
Accredited Argentina UNLP Brazilian Grid CA CANARIE (Canada)* DOEGrids* EELA LA Catch all Grid CA ESnet/DOE Office Science* REUNA Chilean CA TACC – Root In Review FNAL Mexico UNAM NCSA – Classic/SLCS Purdue University TACC – Classic/SLCS Venezuela Virginia USHER Relying Parties Dartmouth/HEBCA EELA OSG SDSC SLAC TeraGrid TheGrid LCG *Accredited by EUgridPMA TAGPMA Membership
Recent Mapping Exercises • Federal Bridge CA (FBCA) General Profile against IGTF Classic Profile • Federal Citizen & Commerce Certificate CA (C-4) against IGTF Classic Profile • IGTF Classic Profile against C-4
Mapping Designations • Seven (7) designations used to characterize the equivalency • Exceeds - The ENTITY CP policy provides a higher level of assurance/security than the Federal CP requirement • Equivalent - The ENTITY CP policy provides exactly the same assurance/security as the Federal CP requirement. • Comparable - The ENTITY CP contains dissimilar policy contents, but provides a comparable level of assurance to meet the security to the Federal CP requirement. • Partial - The ENTITY CP contains policy that is comparable, but it does not address the entire Federal CP requirement. • Not Comparable - The ENTITY CP contains dissimilar policy contents, which provides a lower level of assurance/security than the Federal CP requirement. • Missing - The ENTITY CP does not contain policy contents that can be compared to the Federal CP requirement in any way. • N/A – Not Applicable to ENTITY CP or required for FBCA cross certification.
Mapping Results • C-4 against IGTF Classic Profile • 30 policy points evaluated • 14 Comparable designations • 12 Partial designations • 3 Not Comparable designations • 1 Not Applicable designation
Mapping Results • FBCA General against IGTF Classic Profile • Basic LOA used for Comparisons • 136 policy points evaluated • 22 Comparable designations • 33 Partial designations • 12 Not Comparable designations • 65 Missing designations • 3 Not Applicable designations
Mapping Results • IGTF Classic Profile against C-4 • 30 policy points evaluated • 19 Comparable designations • 1 Partial designation • 10 Exceeds designations
Proposed Inter-federations CA-2 CA-1 CA-2 CA-3 HE BR CA-1 AusCert CAUDIT PKI CA-n NIH HE JP FBCA Cross-cert Cross-certs C-4 DST ACES Texas Dartmouth HEBCA Cross-certs IGTF Wisconsin UVA Univ-N USHER CertiPath SAFE CA-4 Other Bridges CA-1 CA-2 CA-3
FPKI High HEBCA/USHER Medium Hardware CBP High Medium Software CBP Medium Basic Basic Rudimentary Rudimentary IGTF C-4 Classic Ca SAML Foundation MICS SLCS Username/Password Username/Password
For More Information • IGTF Website: http://www.gridpma.org/ • TAGPMA Website: http://www.tagpma.org/ Scott Rea - Scott.Rea@dartmouth.edu