Identity Standards to Facilitate Interoperability in Federated Environments
Scott Rea, DigiCert, Inc.
In collaboration with Derek Simmel (PSC)
Agenda
– What is Trust?
– Establishing a Trust Framework through standards and accreditation
– PKI as a Trust Framework
– What is the IGTF?
– How does IGTF Accreditation work today?
– Towards a more flexible RA process
– The status of the Standard
– What are next steps?
– Summary
What is Trust?
– Confidence or assurance that a person, system or thing will behave exactly as you expect, or alternatively, in your best interests
– Trust cannot be established by technology alone
– A framework for trust requires the following attributes:
  – Technology (secure and audited)
  – Policy & Procedures (published and proven)
  – Relationships & Liability (legal agreements and licenses)
Establishing a Trust Framework through standards and accreditation
Why Standards?
– To obtain consistent behavior, we first need to define what behavior is expected, and then measure observed behavior against this
– Standards are published documents that establish specifications and procedures designed to ensure the reliability of services
– Standards address a range of issues, including but not limited to various protocols that help ensure service functionality and compatibility, facilitate interoperability and support user/data safety and security protections
– Standards form the fundamental building blocks for development of products and services by establishing consistent protocols that can be universally understood and adopted
– Standards also make it easier to understand and compare competing services
– It is only through the use of standards that the requirements of interconnectivity and interoperability can be assured
– Standards fuel the development and implementation of technologies that influence and transform the way we work, research and communicate
The above is adapted from IEEE.org
Establishing a Trust Framework through standards and accreditation
The Importance of Accreditation
– Accreditation is both a status and a process
  – As a status, accreditation provides public notification that an entity, organization, service or program meets standards of quality and security set forth by an accrediting agency
  – As a process, accreditation reflects the fact that in achieving recognition by the accrediting agency, the entity, organization, service or program is committed to self-evaluation and external review by peers or third-party auditors, seeking not only to meet the desired standards but to continuously look for ways to enhance the quality of the services provided
– Accreditation provides assurance that the program or service is engaged in continuous review and improvement of its quality, that it meets internationally endorsed standards in the community of interest, and that it is accountable for achieving stated objectives
– Accreditation provides a formal process for ongoing evaluation and improvement
– Accreditation provides a forum in which participants can exchange ideas on future needs of the community of interest and ways in which to best address these
– Accreditation ensures public accountability of the accredited: that it has the required processes and policies in place, and demonstrates the desired security and interoperability outcomes consistent with its goals and objectives
What is PKI?
Public Key Infrastructure (PKI) underpins the security and trust infrastructure of the Internet, Grids and the High Performance Computing industry. While implementations of the protocol have shown chinks in their armor from time to time, the protocol itself has stood the test of time as an effective mechanism for establishing trust: it ensures confidentiality and integrity, and it authenticates potentially previously unknown participants so that they can interact securely via trusted transactions.
PKI: Identity Binding with Certificates
– Identities are bound to cryptographic keys
– The Certificate Policy and Key Usage listed in the certificate represent the procedures followed for issuance of the certificate and assert the scope for which the certificate can be used
– The certificate provides reliability and assurance of the verified identity
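The slide above describes the certificate as the carrier of three things: the identity-to-key binding, the Certificate Policy under which the CA issued it, and the Key Usage that bounds what it may be used for. The Go program below is an added example, not part of the original slides and not IGTF or DigiCert code, showing both sides of that contract: a constructed CA issues a user certificate that asserts a CP OID in the certificatePolicies extension and carries a restricted keyUsage, and a relying-party check (the Relying Party role described later in the deck) accepts the certificate only when it chains to the trust anchor, asserts the policy OID the relying party requires, and permits the intended operation. The CA name, the subject, and the CP OID under the 99999 arc are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// ExampleCPOID is a constructed CP OID; a real CA asserts an OID from an arc it controls.
var ExampleCPOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2, 3}

// policyInformation mirrors RFC 5280 PolicyInformation (policy qualifiers omitted).
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// IssueChain plays the CA: a constructed self-signed root issues one user certificate that
// asserts the given CP OIDs (nil = none) and is limited to the given keyUsage bits.
func IssueChain(policies []asn1.ObjectIdentifier, usage x509.KeyUsage) (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Research CA (constructed)"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice Example (constructed)"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: usage,
	}
	if len(policies) > 0 {
		// certificatePolicies (id-ce 32) is encoded by hand so the result does not depend on which template field a Go release marshals.
		var infos []policyInformation
		for _, p := range policies {
			infos = append(infos, policyInformation{Policy: p})
		}
		der, merr := asn1.Marshal(infos)
		if merr != nil {
			return nil, nil, merr
		}
		leafTmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}}
	}
	// The root signs itself; the user certificate is signed with the root's private key.
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(rootDER); err != nil {
		return nil, nil, err
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// RelyingPartyAccepts performs the checks a relying party makes before acting on a certificate: it chains
// to the trust anchor, asserts the required CP OID, and its keyUsage permits the intended operation.
func RelyingPartyAccepts(anchor, cert *x509.Certificate, policy asn1.ObjectIdentifier, usage x509.KeyUsage) (bool, string) {
	anchors := x509.NewCertPool()
	anchors.AddCert(anchor)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: anchors}); err != nil {
		return false, "chain validation failed: " + err.Error()
	}
	asserted := false
	for _, p := range cert.PolicyIdentifiers { // filled from certificatePolicies by the parser
		asserted = asserted || p.Equal(policy)
	}
	if !asserted {
		return false, "certificate does not assert required policy " + policy.String()
	}
	if cert.KeyUsage&usage != usage {
		return false, "keyUsage does not permit the requested operation"
	}
	return true, "accepted: " + cert.Subject.CommonName
}

func main() {
	root, leaf, err := IssueChain([]asn1.ObjectIdentifier{ExampleCPOID}, x509.KeyUsageDigitalSignature)
	if err == nil {
		fmt.Println(RelyingPartyAccepts(root, leaf, ExampleCPOID, x509.KeyUsageDigitalSignature))
	}
}
```

The relying-party function deliberately checks three independent things, and any one failing is a rejection: the chain (is this CA one I trust?), the policy OID (was it issued under the CP I accept?), and the keyUsage bits (is the operation within the scope the CA granted?). Encoding the certificatePolicies extension through ExtraExtensions is a choice made for this example so that it builds the same way across Go releases; the standard template fields work equally well in practice.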
What is a Certificate Authority (CA)?
– An organization that creates, publishes, and revokes certificates
– Verifies the information in the certificate
– Protects the general security and policies of the system and its records
– Allows you to check certificates so you can decide whether to use them in business/security transactions
– Has one or more trusted Roots, called trust anchors, embedded in applications
– Agrees to abide by a known Certificate Policy (CP) and publishes a corresponding Certificate Practices Statement (CPS) for audit and independent verification of practices
  – e.g., DigiCert publishes its Web PKI CPS for this purpose
Certification Authority Responsibilities
– CA generates “roots” in a secure environment (ceremony, video recorded, audited, keys on HSMs)
– CA undergoes rigorous third-party audit of operations and policy
– CA private keys are held under extreme protections and used to sign web site certificates and status information
– CA applies for the corresponding root certificates to be included in trusted root stores
– CA policy and operations must comply with the root trust store rules in order to be trusted by default; roots may then be distributed by software updates
Certification Authority Responsibilities
– When issuing an SSL/TLS certificate to a web site, the CA verifies certain information relating to ownership of the site and the respective domain, and verifies control of the keys being used
– The strongest verification of site and domain ownership, with multiple verifications of direct contacts etc., allows issuance of the highest standard of assurance for SSL certificates
  – This highest tier of verification is called Extended Validation (EV)
  – EV certificates are recognized in the browser GUI, e.g., the green bar
Policy Structure for PKIs
– RFC 3647: Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
  – Published in 2003 as an update to RFC 2527
– CPs and CPSs play a central role in documenting the requirements and practices of a PKI
– This is how a CA conveys to a Relying Party what it does to bind identities to keys and how it protects the infrastructure that facilitates that process
Policy Structure for PKIs
– RFC 3647: CP definition
  – "a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements"
– RFC 3647: CPS definition
  – "A statement of the practices which a certification authority employs in issuing certificates."
  – “A more detailed description of the practices followed by a CA in issuing and otherwise managing certificates may be contained in a certification practice statement (CPS) published by or referenced by the CA.”
CP vs CPS
Relationship between Certificate Policy and Certification Practice Statement
– A CP and a CPS address the same set of topics that are of interest to the relying party in terms of the degree to, and purpose for, which a public key certificate should be trusted.
– Their primary difference is in the focus of their provisions.
  – The purpose of the CP is to establish what participants must do
  – The purpose of the CPS is to disclose how the participants perform their functions and implement controls
PKI: A Trust Framework
A framework for trust requires the following attributes:
– Technology (secure and audited)
– Policy & Procedures (published and proven)
– Relationships & Liability (legal agreements and licenses)
PKI as a Trust Framework:
– Technology: Public Key Cryptography
– Policy & Procedures: RFC 3647 compliant documentation, e.g., Certificate Policy (CP) & Certificate Practices Statement (CPS), and sometimes a Registration Practices Statement (RPS)
– Relationships & Liability: Included in the CP, community standards (authentication profiles) and the accreditation program
Framework
RFC 3647 defines a Framework of 9 areas that a CP/CPS should address:
– 1. Introduction
– 2. Publication and Repository
– 3. Identification and Authentication
– 4. Certificate Life-Cycle Operational Requirements
– 5. Facilities, Management, and Operational Controls
– 6. Technical Security Controls
– 7. Certificate, CRL, and OCSP Profile
– 8. Compliance Audit
– 9. Other Business and Legal Matters
Framework
“PKIs can use this simple framework of nine primary components to write a simple CP or CPS. Moreover, a CA can use this same framework to write a subscriber agreement, relying party agreement, or agreement containing subscriber and relying party terms.”
“This simple framework may also be useful for agreements other than subscriber agreements and relying party agreements. For instance, a CA wishing to outsource certain services to an RA or certificate manufacturing authority (CMA) may find it useful to use this framework as a checklist to write a registration authority agreement or outsourcing agreement.”
IGTF: A PKI-based Trust Framework
– Common criteria and model
  – globally unique and persistent identifier provisioning
  – not fully normative, but based on minimum requirements
– Trust is stratified by Authentication Profiles
  – technology and assurance ‘profiles’ in the same trust fabric
  – ‘Classic’: traditional public key infrastructure
  – ‘MICS’: dynamic ID provisioning leveraging federations
  – ‘SLCS’: on-demand short-lived token generation, a basis for ‘arbitrary token’ services
  – ‘IOTA’: adequate to ensure unique, non-re-assigned identities only, for applications with potentially lower assurance needs
IGTF: Interoperable Global Trust Federation supporting distributed IT infrastructures for research
– 3 regional coordination groups (AP, EMEA, Americas)
– ~80 authorities and ~10 cross-national infrastructure members
– ~ subscribers
– Single integrated trust fabric with differentiated LoA
May 2014
IGTF – Interoperable Global Trust Federation supporting distributed IT infrastructures for research
IGTF brings together
– e-Infrastructure resource providers, user communities and identity authorities
to agree on
– global, shared minimum requirements and assurance levels
– inspired and coordinated by the needs of relying parties: EGI, HPCI, PRACE-RI, PRAGMA, OSG, XSEDE, … as well as most national e-infrastructure providers
IGTF Structure
Interoperable Global Trust Federation (IGTF)
– The Americas Grid Policy Management Authority (TAGPMA): North America, Central America, South America, Caribbean
– European Grid Policy Management Authority (EUGridPMA): Europe, Middle East, Africa
– Asia Pacific Grid Policy Management Authority (APGridPMA): Asia, Pacific, Australia, New Zealand
IGTF Community
– High Performance Computing (HPC)
  – primarily with the HPC computational science communities
  – National and international HPC cyberinfrastructures, e.g.,
    – European Grid Infrastructure (EGI)
    – U.S. National Science Foundation (NSF) XSEDE
    – Partnership for Advanced Computing in Europe (PRACE)
    – U.S. NSF & DoE Open Science Grid
    – Worldwide Large Hadron Collider (LHC) Grid (WLCG)
– High Throughput Computing (HTC)
  – cloud computing and high-scaling computing on collections of distributed nodes
– Grid/Cloud Distributed Computing & Storage
– National, Institutional and Commercial CAs
IGTF Community
– Grid / Cloud computing & Web Services
  – Distributed computing with standards-based interfaces for secure authentication and secure communications
    – Open Grid Forum (OGF)
    – Organization for the Advancement of Structured Information Standards (OASIS)
    – World Wide Web Consortium
    – Certificate Authority/Browser Forum
    – Internet Engineering Task Force
IGTF Community
– Public Key Infrastructure (PKI)
  – X.509 digital certificates: data signed by the CA using a cryptographic hash and digital signature, typically used for identity credentials (hosts, services, people)
  – Certificate Authorities (CAs): securely issue digital certificates
  – Registration Authorities (RAs): verify the identity of end entities requesting certificates
  – Relying Parties (RPs): any person or organization that trusts a CA and depends (relies) upon the CA to issue certificates
  – Internet Protocols, e.g., SSL, TLS
Accreditation – an exercise in building Trust
– Accreditation process
  – Extensively documented public practices (CP/CPS, RFC 3647)
  – Interviewing and scrutiny by peer group (the PMA)
  – Assessment against the Authentication Profiles
  – Technical compliance checks (RFC 5280 and GFD.125)
– Periodic, peer-reviewed self-audits
  – Based on Authentication Profiles; standard reference: GFD.169
  – OGF & IGTF, inspired by NIST SP 800-53 / ISO/IEC
  – Federated assessment methodology by region (IGTF)
International Grid Trust Federation
IGTF Accreditation Process Today
– Membership Application
  – Organization applies for membership as an Identity Provider
  – PMA members vote to accept/decline membership
– Member requests accreditation of a CA
  – Member describes the CA and the desired Authentication Profile to be accredited against
  – A PMA Mentor is assigned
  – Two PMA peer member reviewers are assigned
– Reviewers examine the CA Certificate Policy and Certification Practice Statement (CP/CPS)
  – Reviewers work with the applicant to verify compatibility of services with the Authentication Profiles and resolve issues
  – PMA members vote to accept/decline the CA based on the report/recommendation of the Reviewers
– Operational Review
  – Reviewers test operational aspects of the CA
  – Upon successful completion of operational tests, the CA is considered “Accredited”
– CA operators prepare and submit the CA certificate and data for IGTF distribution
  – A designated PMA “trusted introducer” verifies the CA certificate and related data, digitally signs the file containing the CA certificate and data, and submits it to IGTF
  – IGTF adds the new CA certificate and data to a pre-release collection for testing, and upon successful testing adds it to the next scheduled public IGTF distribution
  – (optional) The CA operator applies to the TERENA Academic Certification Authority Repository (TACAR) to have their CA certificate added to the TACAR distribution. A designated PMA “trusted introducer” verifies the CA certificate and related data, digitally signs the file containing the CA certificate and data, and submits it to TACAR for inclusion in the TACAR distribution.
IGTF Common Criteria
IGTF Accreditation Challenges
Current grid implementations require a reliable and trustworthy source of identity certificates where key accountability for ID proofing rests with the local project administration. In order to obtain credentials that are provisioned locally but recognized globally, a project previously had to invest significant resources into establishing an X.509 credential service and have its implementation validated by one of the area Policy Management Authorities (PMAs) of the IGTF. The set-up and operation of an accredited Identity Provider (IDP) service (typically a CA) is often one of the major barriers facing new researchers trying to start new projects or collaborate on existing ones.
Efficient Federated Identity Accreditation
– Provisioning of federated identity credentials requires an IDP service aspect and an Identity Proofing aspect
– Typically the Identity Proofing aspect of the process is provisioned by local personnel associated with the project
– The IDP aspect requires significant resources in order to qualify for globally recognized accreditation
– Both aspects are required to be addressed as part of the current Accreditation process
– However, by decoupling the IDP aspect from the Identity Proofing (typically performed by a Registration Authority (RA)), a number of potential benefits may be gained
Benefits of Decoupling IDP & RA
– Project start-up is less onerous, with more flexibility to focus on one aspect at a time
– Potential for smaller, lower-cost projects should lead to an expanded participation rate
– Economies of scale for the most expensive aspect (IDP) by defraying operating costs over multiple projects
– Separation of control aligns with the different cost centers
  – IDP is typically a new capital cost
  – RA is mostly an existing submerged cost
Towards a more flexible RA process
How can we effect this change?
– Create separate standards for IDPs and RAs and allow for independent accreditation of each
  – The CPS for an IDP includes RA components
  – An RPS as an RA-dedicated standard has become common practice for commercial CAs
  – The RPS is a subordinate document of practices to the CPS, but allows direct correlation and comparison
– Create an RPS template for IGTF RAs to be accredited against
  – NOTE: a template speeds adoption and promotes consistency
Status of the Standard
2012:
– Proposed use of the RPS as its own Standard
– Draft RPS template created based on analysis of the RFC 3647 sections pertinent to RAs
– Agreement in IGTF to collectively work on creating a new standard RPS template
2013:
– TAGPMA Face-to-Face meetings used to review drafts, edit and progress the proposed standard
– Trial use of the proposed standard by some community members
2014:
– TAGPMA and EUGridPMA Face-to-Face meetings used to review drafts, edit and progress the proposed standard
2015:
– Proposed Standard reviewed by TAGPMA and EUGridPMA, and presented for consideration at APGridPMA
– Standard considered final-draft ready
Next Steps
– Following the comment period, the RPS Template standard is to be published
– Checklists for audit against the standard are to be developed
– Validation of the new standard against existing Grid implementations
  – Members from each PMA region are already using a version of the draft standard
– Evaluate whether to introduce a new class of membership for IGTF, i.e., an RA class
Summary
– The next chapter of IGTF is to allow more granular Registration Authority accreditation to occur independently of the current Authentication Provider accreditation process
– Separating the IDP function from the RA function within the IGTF Accreditation process leads to a more efficient and potentially more cost-effective implementation
– The development of a new RPS Standard was proposed and, after 3 years of discussion, review and editing, is now in final draft for release
– The new Standard is expected to stimulate more participation in research involving Grids and Clouds, by making projects easier to initiate and maintain, and thus lowering costs