A Survey of Certificate Management Processes and Procedures in OSG Gabriel Ghinita and Mine Altunay

Goals

- Understand CA similarities/differences
  - Request, renewal, re-key, revocation, vetting
  - Policy and technical factors
- Improve usability
  - Identify features that should be part of a desktop certificate management tool
  - Assess the feasibility of such a tool and attempt to define guidelines for its development

Methodology

- Sample of 10 CAs
  - Counted CAs with 100+ users (from the grid-mapfile)
  - Also included additional US-based CAs (NCSA)
  - All but one (Fermilab) issue long-lived certificates
- Process data collected from each CA's CPS (Certification Practice Statement)
- Disclaimer: the authors did not go through the actual process of request, vetting, etc.

CAs Surveyed

- Fermilab KCA
- DoEGrids
- CERN
- GridKA
- INFN
- UK e-Science
- Grid2-FR
- GridCanada
- IrisGrid
- NCSA

Identity Vetting

- Vast majority of CAs employ RAs (Registration Authorities)
  - RAs are entities separate from the CA
  - Typical requirement: physical presence at the RA
  - Details vary with the RA (type of documents, proof of the token used at certificate request time)
- Organization-level CAs
  - Badged users are already vetted
  - Authentication with the organization account (plus some second "factor")
  - Fermilab (SLCS), CERN, NCSA

Certificate Request

- Case 1: partial client support
  - Web interface or GUI/command-line tool available
  - Organizational vetting: immediate issuance
  - RA-based:
    - Users need to figure out the right RA and the correct DN
    - Certificate retrieved later, using the same machine and browser (the one that generated the key pair)
- Case 2: almost no client support
  - Users have to master openssl or grid-cert-request
  - Even less support for getting the DN right
  - Once users get the certificate, plenty of work remains to import it into browsers, etc.
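What a "Case 2" request looks like when the CA-specific DN parameters come from a per-CA openssl.cnf profile rather than being typed by hand, together with the checks a desktop tool should run before the user submits anything to an RA. This is an added example, not code from the OSG survey or from any CA; the CA namespace (DC=org/DC=example-ca/OU=People), the user name and the passphrase are constructed for it.

```shell
#!/bin/sh
# Added example, not code from the OSG survey or any CA: a "Case 2"-style
# request built with plain openssl, but with the CA-specific DN parameters taken
# from a per-CA openssl.cnf profile instead of typed by hand, plus the checks a
# desktop tool should run before the user submits anything to an RA.
# The CA namespace (DC=org/DC=example-ca/OU=People), user name and passphrase
# below are constructed for the example.
set -eu

# Write a hypothetical per-CA request profile. The CA fixes the DC/OU part of
# the DN; only the CN varies, supplied through the CERT_CN environment variable
# ($ENV::CERT_CN is openssl's own config-file syntax for that).
write_ca_profile() {    # $1 = profile path to write
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
encrypt_key        = yes
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]
# With prompt = no, a numeric prefix lets one attribute type appear twice.
0.DC = org
1.DC = example-ca
OU   = People
CN   = $ENV::CERT_CN

[ req_ext ]
keyUsage = critical, digitalSignature, keyEncipherment
EOF
}

# Generate a fresh RSA key (encrypted with the passphrase) and a CSR whose DN
# comes from the profile.  $1 = profile, $2 = key out, $3 = CSR out,
# $4 = key passphrase, $5 = user's CN
make_request() {
    CERT_CN="$5" openssl req -new -newkey rsa:2048 -config "$1" \
        -keyout "$2" -passout "pass:$4" -out "$3" 2>/dev/null
}

# The DN exactly as the CSR carries it, in RFC 2253 form (CN first).
csr_subject() {         # $1 = CSR
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Pre-submission checks: the CSR's self-signature verifies, the DN is exactly
# the one the CA's namespace requires, and the key on disk is encrypted and
# opens with the passphrase the user thinks it has.  Exit status: 0 = ok,
# 1 = bad CSR, 2 = wrong DN, 3 = plaintext key, 4 = key/passphrase mismatch.
check_request() {       # $1 = CSR, $2 = key, $3 = passphrase, $4 = expected DN
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(csr_subject "$1")" = "$4" ] || return 2
    grep -q ENCRYPTED "$2" || return 3
    openssl pkey -in "$2" -passin "pass:$3" -noout 2>/dev/null || return 4
}

# Stand-alone run: build a request for a constructed user and report the checks.
demo_request() {
    d=$(mktemp -d)
    write_ca_profile "$d/example-ca.cnf"
    make_request "$d/example-ca.cnf" "$d/userkey.pem" "$d/usercert_request.pem" \
        'correct horse battery staple' 'Jane Doe 1234'
    if check_request "$d/usercert_request.pem" "$d/userkey.pem" \
         'correct horse battery staple' 'CN=Jane Doe 1234,OU=People,DC=example-ca,DC=org'
    then rc=0; else rc=$?; fi
    echo "CSR subject: $(csr_subject "$d/usercert_request.pem") (check result $rc)"
    rm -rf "$d"
    return $rc
}
demo_request
```

The DN comparison is the point: a CA that ships such a profile with its middleware removes the "wrong DN delays the application" failure mode, because the only free-form field is the CN and the tool can refuse to submit a CSR whose subject is outside the CA's namespace.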

Certificate Re-key

- Most CAs accept re-key (new key pair, same identity)
- Almost none accept renewal (same key, extended validity) or modification of the certificate
- Some (e.g., organization-level CAs) simply do a re-request
- Process:
  - A new CSR is generated and signed with the new key, and additionally signed with the old key (if the existing certificate is still valid)
  - Web interface to upload the CSR, otherwise e-mail
  - RAs only need to approve the request (eligibility)

Certificate Revocation

- Most CAs accept on-line revocation
- The revocation request is authenticated (signed) with the key of the certificate to be revoked
- The revocation request is uploaded through a secure web interface (e.g., DoEGrids) or sent by e-mail
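The two holder-authenticated operations on the preceding slides, re-key (CSR signed with the new key and again with the old key) and revocation (request signed with the key of the certificate to be revoked), worked through with plain openssl on both sides: the user builds and signs the request, the CA/RA verifies it against the certificate on file. This is an added example, not code from the OSG survey or any CA; the self-signed "current" certificate stands in for the CA-issued one, and the DNs and the revocation message format are constructed for it.

```shell
#!/bin/sh
# Added example, not code from the OSG survey or any CA: re-key and revocation
# requests authenticated with the current certificate's key, user side (build
# and sign) and CA/RA side (verify against the cert on file).  The self-signed
# "current" certificate stands in for the CA-issued one; DNs and the revocation
# message format are constructed.  Keys are written unencrypted (-nodes) only
# to keep the run non-interactive.
set -eu

# Subject of a cert or CSR in RFC 2253 form.  $1 = x509|req, $2 = file
subject_of() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Verify a detached signature over $2 using the public key of certificate $1.
verify_with_cert() {    # $1 = cert, $2 = signed file, $3 = signature
    pub=$(mktemp)
    openssl x509 -in "$1" -noout -pubkey > "$pub"
    if openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$pub"
    return $rc
}

# User side, re-key: new key pair and a CSR for the same DN (self-signed with
# the new key), plus a detached signature over the CSR made with the current
# key so the CA can tie the request to the existing certificate holder.
rekey_request() {       # $1 = DN (/DC=.../CN=...), $2 = current key,
                        # $3 = new key out, $4 = CSR out, $5 = signature out
    openssl req -new -newkey rsa:2048 -nodes -keyout "$3" -subj "$1" -out "$4" 2>/dev/null
    openssl dgst -sha256 -sign "$2" -out "$5" "$4"
}

# CA/RA side, re-key.  0 = approve; 1 = current cert expired (the old key can
# no longer vouch for anything); 2 = outer signature not by the current cert's
# key; 3 = CSR does not verify under its own new key; 4 = DN changed (that is a
# modification, which the CAs surveyed do not accept as a re-key).
verify_rekey() {        # $1 = current cert on file, $2 = CSR, $3 = signature
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || return 1
    verify_with_cert "$1" "$2" "$3" || return 2
    openssl req -in "$2" -noout -verify >/dev/null 2>&1 || return 3
    [ "$(subject_of x509 "$1")" = "$(subject_of req "$2")" ] || return 4
}

# User side, revocation: a plain-text request naming the certificate serial and
# a reason, signed with that certificate's private key.
revocation_request() {  # $1 = cert, $2 = its key, $3 = reason, $4 = msg out, $5 = sig out
    serial=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
    printf 'revoke serial=%s reason=%s\n' "$serial" "$3" > "$4"
    openssl dgst -sha256 -sign "$2" -out "$5" "$4"
}

# CA side, revocation: the signature must verify with the public key of the
# cert on file, and the message must name that cert's serial (a valid signature
# from one holder must not revoke somebody else's certificate).
verify_revocation() {   # $1 = cert on file, $2 = message, $3 = signature
    verify_with_cert "$1" "$2" "$3" || return 1
    serial=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
    grep -q "^revoke serial=$serial " "$2" || return 2
}

# A self-signed certificate standing in for the one the CA issued earlier.
make_current_cert() {   # $1 = key out, $2 = cert out, $3 = DN, $4 = validity (days)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "$3" -days "$4" 2>/dev/null
}

demo_rekey_and_revoke() {
    d=$(mktemp -d)
    dn='/DC=org/DC=example-ca/OU=People/CN=Jane Doe 1234'
    make_current_cert "$d/old.key" "$d/old.crt" "$dn" 365
    rekey_request "$dn" "$d/old.key" "$d/new.key" "$d/new.csr" "$d/new.sig"
    if verify_rekey "$d/old.crt" "$d/new.csr" "$d/new.sig"
    then echo "re-key: approve"; else echo "re-key: reject ($?)"; fi
    revocation_request "$d/old.crt" "$d/old.key" keyCompromise "$d/rev.txt" "$d/rev.sig"
    if verify_revocation "$d/old.crt" "$d/rev.txt" "$d/rev.sig"
    then echo "revocation: accept"; else echo "revocation: reject ($?)"; fi
    rm -rf "$d"
}
demo_rekey_and_revoke
```

The order of checks on the CA side matters: validity of the current certificate first, since an expired (or already revoked) key cannot authorise anything; then the outer signature; only then the CSR itself. The DN equality check is what keeps a re-key from turning into a silent modification, which is exactly the operation the surveyed CAs do not offer.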

Shortcomings

- Need for technical expertise
  - PKI is not a straightforward technology
  - Difficulty in understanding/handling the public/private key pair
  - Need to import the CA certificate into the browser, etc.
- Administrative details are cumbersome
  - How to set up the DN?
  - A wrong DN setting delays the application
- Certificate usage: basic functionality not provided
  - Import into/export from web browsers, clients, etc.
  - Ensuring that the private key is stored encrypted
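The last two shortcomings, browser import/export and keeping the key encrypted, are the PKCS#12 round trip that users are otherwise left to work out with openssl. The following is an added example, not code from the OSG survey or from jGridstart or the NGS wizard: export certificate and key to a PKCS#12 file for browser import, and the reverse, pulling them out of a PKCS#12 file into the PEM files grid tools expect, with the private key re-encrypted on the way. The self-signed certificate, DN and passphrases are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the OSG survey, jGridstart or the NGS wizard:
# PKCS#12 export for browser import, and the reverse split back into PEM files
# for grid tools, keeping the private key encrypted at rest throughout.  The
# self-signed certificate, DN and passphrases are constructed for the example.
set -eu

# Export PEM cert + encrypted PEM key into a PKCS#12 bundle (what a browser
# imports; the friendly name is what the browser's certificate manager shows).
export_p12() {      # $1 = cert, $2 = key, $3 = key passphrase, $4 = .p12 out,
                    # $5 = .p12 passphrase, $6 = friendly name
    openssl pkcs12 -export -in "$1" -inkey "$2" -passin "pass:$3" \
        -name "$6" -out "$4" -passout "pass:$5"
}

# Import: split a PKCS#12 file into cert and key PEM files.  The key is written
# re-encrypted under $5 (never in the clear); a wrong .p12 passphrase fails the
# MAC check and the function returns non-zero before any key is written.
import_p12() {      # $1 = .p12, $2 = .p12 passphrase, $3 = cert out, $4 = key out,
                    # $5 = new key passphrase
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null || return 1
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -out "$4" \
        -passout "pass:$5" 2>/dev/null || return 1
    chmod 0400 "$4"      # grid tools refuse a userkey.pem that others can read
}

# Checks after import: the key file is encrypted at rest, it opens with the
# passphrase, and its public key is the one in the certificate (a bundle that
# paired the wrong key with the cert only fails at the first proxy-init).
# 0 = ok, 1 = plaintext key, 2 = wrong passphrase, 3 = key does not match cert.
check_import() {    # $1 = cert, $2 = key, $3 = key passphrase
    grep -q ENCRYPTED "$2" || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 3
}

demo_p12() {
    d=$(mktemp -d)
    # constructed stand-in for the CA-issued certificate and its encrypted key
    openssl req -x509 -newkey rsa:2048 -keyout "$d/userkey.pem" -passout pass:'key pass' \
        -out "$d/usercert.pem" -subj '/DC=org/DC=example-ca/OU=People/CN=Jane Doe 1234' \
        -days 365 2>/dev/null
    export_p12 "$d/usercert.pem" "$d/userkey.pem" 'key pass' "$d/jane.p12" 'p12 pass' 'Jane Doe 1234'
    import_p12 "$d/jane.p12" 'p12 pass' "$d/cert2.pem" "$d/key2.pem" 'new key pass'
    if check_import "$d/cert2.pem" "$d/key2.pem" 'new key pass'
    then echo "import ok"; else echo "import check failed ($?)"; fi
    rm -rf "$d"
}
demo_p12
```

Passing the passphrases as `pass:` arguments is fine for a demonstration but leaves them in the process list; a real desktop tool should use `-passin stdin` or `file:` and prompt the user.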

Objective: Improve Usability

- Tool to support multiple/most/all(!) CAs
- CA-related operations
  - Request, re-key, revoke certificates
- Client-side operations
  - Proxy generation
  - Certificate store operations (MyProxy)
- Integration with client-side software
  - Web browsers
  - E-mail readers
  - Grid tools

Existing Tools

- jGridstart (NIKHEF)
  - Request, renewal, assists in vetting (generates forms)
  - Import into web browser
  - Export to file (PKCS#12)
- NGS Certificate Management Wizard
  - Proxy generation (including voms-proxy)
  - Upload proxy to credential store (MyProxy)
  - Requires certificate in the filesystem (PKCS#12)

Recommendations

- CA-related processes
  - Technical process identical (X.509)
  - Parameters may differ: use config files (openssl.cnf already does this)
  - Config files may be shipped with middleware (e.g., VDT)
  - Identity attributes included in the CSR are very similar: Name, Organization, E-mail
  - Customize the required input for vetting
    - Use configuration files for form generation – not technically challenging
  - Most difficult task: the client-CA protocol
    - Currently interactive web forms
    - Extend to web services: hopefully re-use existing server-side code

Recommendations (2)

- Client software integration
  - Web browsers: Mozilla already solved (e.g., Fermilab get-cert)
  - Some difficulties with more exotic browsers – but CA-independent
- Proxy generation/proxy upload
  - NGS tool already provides this
- Merging jGridstart and the NGS Cert wizard represents a good start towards comprehensive functionality
- Supporting organization-level vetting
  - Some code already exists (kx509 at Fermi, NCSA scripts)
  - This can represent an independent branch of the code
  - Possibly interface with existing tools, without having to integrate within a single application

Q&A