
JRA3 2 nd EU Review Input


Presentation Transcript


  1. JRA3 2nd EU Review Input David Groep NIKHEF

  2. EUGridPMA Authentication Federation
  [Diagram: charter, guidelines and acceptance process linking CA 1 to CA n with relying party 1 to relying party n]
  • Federation consists of many independent CAs
  • Common minimum requirements
  • Defined and ‘strong’ acceptance process
  • “reasonable” trust level, as required by relying parties
  • no ‘hierarchical top’ to make formal guarantees
  • Membership
    • 34 Identity providers (national and regional CAs)
    • 6 Relying parties (large projects like EGEE, DEISA, SEE-GRID, OSG, LCG) and TERENA
  JRA3 EU Review Input, DavidG, December 7th 2005

  3. The EUGridPMA
  • Virtually complete coverage of Europe, accreditation for EGEE, DEISA, SEE-GRID, LCG, OSG, ..
  • Actively fostered and supported by JRA3
  [Map: green marks countries and regions covered by a national CA in the EUGridPMA]

  4. Policy Evaluation Framework
  • Policy evaluation based on Authentication Profiles
  • Authorities demonstrate compliance with these guidelines
  • Peer-review process within the federation to (re-)evaluate members both on entry and periodically
  • Codified in the Accreditation Guidelines policy since 2004
  • Demonstrated in practice in ~10 new accreditations since
  • Benefits
    • Reduces effort on the relying parties
      • single document to review and assess, applicable to all providers
    • Reduces cost on the identity providers
      • no audit statement needed by certified accountants
      • but participation in the federation does come with a price
  • Ultimate decision always remains with the administrative owners (relying parties)

  5. Authentication Profiles
  Three main Authentication Profiles (the requirement sets), common not only for Europe but also for the Asia Pacific & Americas:
  • Certification authorities with secured infrastructure
    • Highly trusted by all current grid projects
    • Leverages national structures effectively
  • Short-lived credential services
    • Leverage existing local site mechanisms
    • New profile to be pioneered in the Americas, but far from stable and not yet exposed to many relying parties
  • Experimental Service
    • Jumpstart new national and regional CAs via a pilot service
    • Successful model in the Asia Pacific region

  6. Extending Trust: the IGTF
  [Diagram: APGridPMA, TAGPMA]
  • common, global best practices for trust establishment
  • better manageability and response of the PMAs

  7. IGTF Structure
  • Each PMA can accredit authorities according to any of the valid authentication profiles (classic secured PKI, short-lived credential services, experimental)
  • Common standards
    • Coordinated naming (every name within the IGTF is unique)
    • Common accreditation process
  • Three chairs collectively represent the IGTF (formal IGTF chair rotates yearly)
  • First IGTF Chair is from Europe …

  8. IGTF, GGF and TACAR
  • The IGTF, GGF (the CAOPS-WG) and TERENA work together to establish the global trust fabric

  9. Towards common AAI in Europe
  A Common Authentication and Authorization Infrastructure
  • described in the e-IRG Authorization Roadmap section
  • collaboration with developments like eduroam™ via TERENA fora
  • the single sign-on vision
    • the authentication bridges, the authorization framework, on-demand user attribute discovery: all work towards this goal
  Imagine being on a wireless mobile network while visiting abroad, deciding to look up the data from the latest experiment your colleague in your Virtual Organization did, and running a simulation to look at alternate scenarios, all of that using your credentials (password, smartcard) only once!

  10. SAC slides to follow

  11. Site Access Control ingredients
  [Diagram of ingredients]
  global issues: User policies; VO policies; Key storage; MyProxy; Establishing Trusted Third Parties
  site access control: Identities & Certificates; logging/auditing; connectivity provisioning; Site policy actions & policy decisions; virtualization & system accounts; service business logic
  Access control to individual files; System account creation; worker node to head node communications; Router port filtering; DDoS protection

  12. Virtualization and System Accounts
  • JRA3 ingredients: LCAS, LCMAPS, glexec
  • Aim is the fully interoperable job submission chain: GT4, CondorC/BLAHP, GT Work Space Service
  • Components part of the gLite 1.5 release
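Slides 7, 11 and 12 name the pieces a site needs before a grid credential turns into a local process: the IGTF rule that every name is unique to one issuer, a site-level yes/no authorization decision (the LCAS role), and a mapping of the accepted credential onto an unprivileged local system account (the LCMAPS role). The following illustration, added here and not code from gLite, JRA3 or any of the named projects, shows those two steps as a small self-contained decision chain. All issuer and subject DNs, the namespace policy, the ban list and the VO pool-account table are constructed for the example; the real components read such policy from their own configuration files, which are not reproduced here.

```python
"""Added illustration (not gLite/JRA3 code) of a site access control chain:
an authorization decision (LCAS-style) followed by credential-to-account
mapping (LCMAPS-style). All policy data and DNs are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed namespace policy: an issuer (by CA DN) may only certify subjects
# under the prefixes listed for it. This is the local enforcement of the
# IGTF rule that every name is unique and belongs to exactly one issuer.
NAMESPACE_POLICY: Dict[str, List[str]] = {
    "/DC=org/DC=example-grid/CN=Example Root CA": ["/DC=org/DC=example-grid/"],
    "/C=XX/O=Example Region/CN=Example Regional CA": ["/C=XX/O=Example Region/"],
}

# Constructed site ban list: subjects never mapped, whatever their VO.
BANNED_SUBJECTS = {"/DC=org/DC=example-grid/CN=Revoked Person"}

# Constructed VO -> pool account table. Pool accounts are the "virtualization
# & system accounts" ingredient: each user of a VO runs under a distinct
# unprivileged local account rather than a shared one.
POOL_ACCOUNTS: Dict[str, List[str]] = {
    "atlas": ["atlas001", "atlas002"],
    "dteam": ["dteam001"],
}


def authorize(subject: str, issuer: str, vo: str) -> Tuple[bool, str]:
    """LCAS-style yes/no decision. Returns (allowed, reason)."""
    if subject in BANNED_SUBJECTS:
        return False, "subject is banned at this site"
    prefixes = NAMESPACE_POLICY.get(issuer)
    if prefixes is None:
        return False, "issuer is not an accredited CA for this site"
    if not any(subject.startswith(p) for p in prefixes):
        return False, "subject name is outside the issuer's permitted namespace"
    if vo not in POOL_ACCOUNTS:
        return False, f"VO {vo!r} is not supported at this site"
    return True, "ok"


class PoolMapper:
    """LCMAPS-style mapping of (subject, VO) to a pool account.

    Leases are sticky: the same subject always gets the same account, so files
    written by an earlier job stay readable only by that user's account
    (access control to individual files depends on this).
    """

    def __init__(self) -> None:
        self.leases: Dict[Tuple[str, str], str] = {}

    def map_account(self, subject: str, vo: str) -> Optional[str]:
        key = (subject, vo)
        if key in self.leases:
            return self.leases[key]
        in_use = {acct for (_, v), acct in self.leases.items() if v == vo}
        for acct in POOL_ACCOUNTS.get(vo, []):
            if acct not in in_use:
                self.leases[key] = acct
                return acct
        # Pool exhausted: fail closed rather than hand out a shared account.
        return None


def site_access_decision(
    mapper: PoolMapper, subject: str, issuer: str, vo: str
) -> Tuple[Optional[str], str]:
    """Run authorization, then mapping. Returns (local_account, reason)."""
    allowed, reason = authorize(subject, issuer, vo)
    if not allowed:
        return None, reason
    acct = mapper.map_account(subject, vo)
    if acct is None:
        return None, f"no free pool account for VO {vo!r}"
    return acct, "mapped"


if __name__ == "__main__":
    m = PoolMapper()
    ca = "/DC=org/DC=example-grid/CN=Example Root CA"
    print(site_access_decision(m, "/DC=org/DC=example-grid/CN=Alice", ca, "atlas"))
    print(site_access_decision(m, "/DC=org/DC=example-grid/CN=Bob", ca, "atlas"))
    print(site_access_decision(m, "/DC=org/DC=example-grid/CN=Alice", ca, "atlas"))
    print(site_access_decision(m, "/C=YY/O=Other/CN=Mallory", ca, "atlas"))
```

The order matters: the namespace and ban checks run before any account is leased, so a certificate whose subject falls outside its issuer's permitted namespace never consumes a pool slot, and an exhausted pool denies the job instead of silently reusing another user's account.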
