A PKI for Grids
TERENA TF-EMC2 Workshop
David Groep, 2004.11.04
http://www.eugridpma.org/
A PKI for Grids
• The PKI model fits the lack of hierarchical relations between users and resources in the Grid
• Users can join collaborations (VOs) that are independent of both resources and home organisations
• Mainly unilateral trust relations (RP/subscriber -> CA); limited mutual trust (CA -> CA within a PMA)
• Both users and services need a credential
• Revocation:
  • of authZ via the VOs
  • of authN via the CAs (the latter only if the identity is compromised)
The EUGridPMA
European Grid Authentication Policy Management Authority for e-Science
• Coordinates authentication for people and services for European, national, and related Grid projects: EGEE, DEISA, SEEGRID, LCG, …
• The PMA manages authentication guidelines and policies
• Trust domain for research and academic grids
Certificate Authority Coordination
• Evolved from the CA Coordination Group in DataGrid, CrossGrid, LCG, …
• Collection of national and regional CAs
  • better local identity vetting
  • national legislation
• All meet or exceed minimum requirements:
  • identity checking (in-person, photo-ID)
  • physical security (signing key protection, storage)
  • naming (unique certificate names)
  • revocation (updated lists, retrieval)
• Clearly defined accreditation procedure
• Basic tools and distribution mechanisms
Accreditation process
• Codification of procedures in a CP(S) for each CA
  • de facto lots of copy/paste, except for the vetting sections
• Peer-review process for evaluation
  • comments welcomed from all PMA members
  • two assigned referees
• In-person appearance during the review meeting
Accredited Authorities
• Everyone (almost) in Europe has a national CA
  • Green: CA accredited
  • Yellow: being discussed
Other accredited CAs:
• DoEGrids (US)
• GridCanada
• ASCCG (Taiwan)
• ArmeSFO (Armenia)
• CERN
• Russia (HEP)
• FNAL Service CA (US)
• Israel
• Pakistan
The Catch-All CAs
Project-centric “catch-all” Authorities
• For those left out of the rain in EGEE
  • CNRS “catch-all” (Sophie Nicoud)
  • coverage for all EGEE partners
• For the South-East European Region
  • regional catch-all CA
• For LCG world-wide
  • DoEGrids CA (Tony Genovese & Mike Helm, ESnet)
  • Registration Authorities through Ian Neilson
Distribution
RPM distribution to facilitate deployment projects
• validation must be done via TACAR (or out-of-band means)
• releases contain:
  • CA root cert
  • CRL URL
  • CA URL
  • namespace-policy file (used by software for enforcement)
  • dependency information (for hierarchical PKIs)
  • meta-RPMs “ca_policy_eugridpma” for triggering dependencies in install software (yum/apt)
• releases every ~4-12 weeks
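The two enforcement items in the release bundle, the namespace-policy file and the CRL, are what let a relying party reject a certificate whose signature is perfectly valid but that should not be trusted anyway: a CA accredited for one name space signing names in another, or a certificate the issuing CA has since revoked. The following is an added example (not the PMA's distribution software, nor any Grid middleware's code) showing that policy layer in Python. It assumes the X.509 library has already checked the signature and validity period, and it uses a constructed dictionary of per-CA glob patterns in place of the real namespace-policy file format; the CA names, subjects and serial numbers are constructed values.

```python
import fnmatch

# Constructed trust bundle for this example. Each trusted CA (keyed by its
# subject DN) is limited to the subject namespaces it has been accredited to
# sign, expressed here as glob patterns. This models the intent of the
# per-CA namespace-policy file shipped in the distribution; the dictionary
# layout is an assumption for this example, not the real file syntax.
NAMESPACE_POLICY = {
    "/C=NL/O=ExampleGrid/CN=ExampleGrid CA": [
        "/C=NL/O=ExampleGrid/*",
        "/O=examplegrid/*",
    ],
    "/C=XX/O=CatchAll/CN=CatchAll CA": ["/C=XX/O=CatchAll/*"],
}

# Constructed revocation data: serial numbers listed on each CA's CRL, as a
# relying party would hold them after fetching the CRL from the CRL URL in
# the bundle. Serials are example values, not real certificates.
REVOKED_SERIALS = {
    "/C=NL/O=ExampleGrid/CN=ExampleGrid CA": {0x1A2B},
    "/C=XX/O=CatchAll/CN=CatchAll CA": set(),
}


def check_certificate(issuer_dn, subject_dn, serial,
                      policy=NAMESPACE_POLICY, revoked=REVOKED_SERIALS):
    """Apply the bundle's policy layer to a certificate that has already
    passed signature and validity-period checks in the X.509 library.

    Returns (accepted, reason). A certificate is rejected when its issuer is
    not a trusted CA, when the subject falls outside the issuer's accredited
    namespace (the case the namespace-policy file exists to catch), or when
    its serial appears on the issuer's CRL.
    """
    if issuer_dn not in policy:
        return False, "issuer not in trust bundle"
    if not any(fnmatch.fnmatchcase(subject_dn, pattern)
               for pattern in policy[issuer_dn]):
        return False, "subject outside issuer's accredited namespace"
    if serial in revoked.get(issuer_dn, set()):
        return False, "certificate revoked"
    return True, "ok"


def evaluate(certificates):
    """Run check_certificate over (issuer, subject, serial) records and
    return a list of (subject, accepted, reason) tuples."""
    return [(subject, *check_certificate(issuer, subject, serial))
            for issuer, subject, serial in certificates]


# Constructed end-entity certificates for the demonstration.
SAMPLE_CERTS = [
    ("/C=NL/O=ExampleGrid/CN=ExampleGrid CA", "/C=NL/O=ExampleGrid/CN=alice", 0x1001),
    # Same trusted CA, but signing a name it was never accredited for.
    ("/C=NL/O=ExampleGrid/CN=ExampleGrid CA", "/C=DE/O=OtherGrid/CN=mallory", 0x1002),
    # Valid namespace, but the serial is on the CRL.
    ("/C=NL/O=ExampleGrid/CN=ExampleGrid CA", "/C=NL/O=ExampleGrid/CN=bob", 0x1A2B),
    # Issuer not in the bundle at all.
    ("/C=ZZ/O=Unknown/CN=Unknown CA", "/C=ZZ/O=Unknown/CN=carol", 0x1003),
]

if __name__ == "__main__":
    for subject, accepted, reason in evaluate(SAMPLE_CERTS):
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {subject}: {reason}")
```

The second sample record is the case the namespace policy is for: the signature from ExampleGrid CA verifies, but the relying party still rejects the certificate because the subject name is outside the space that CA was accredited to sign, so a mis-issuance or key compromise at one CA cannot reach names belonging to another. The third record shows why the bundle carries the CRL URL: revocation of authN is only effective if relying parties actually refresh and consult the list.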
Global interoperation
• EUGridPMA
• Americas PMA (being formed)
• APGridPMA
• PMAs collaborate bilaterally in an interoperation framework: the International Grid Federation, see www.gridpma.org
Commonality
• Common services to all European eInfrastructure
  • EUGridPMA:
    • all EU Grid infrastructure FP6 programmes
    • CAs also cover inter-organisational national projects
  • TERENA TACAR provides the trust validation
    • Grid projects rely on TACAR to validate roots-of-trust
• The Minimum Requirements form the basis of the IGF
  • coherency in AP modelled on EUGridPMA
  • the Americas are planning to build an AMSGridPMA
Current topics of discussion
• Continuing updates to minimum requirements
  • as experience grows
  • to comply better with evolving Grid middleware
  • to comply with evolving industry standards
• User key hygiene worries abound
  • Can the user be trusted with key care? (hardly…)
• Complexity for users and services
  • the server-certificate service!
• On-line CA methodologies
  • Guidelines and Minimum Requirements
  • Site-local solutions (SIPS)
  • Active Certificate Stores (credential repositories, escrow services)
  • CA-generated key pairs and ease-of-use