IGTF, WLCG, EGI and SHA-2 (and RFC proxies) David Kelsey (STFC-RAL and WLCG) TAGPMA meeting, Panama City Aug 2012.

Slides:



Advertisements
Similar presentations
IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.
Advertisements

New VOMS servers campaign GDB, 8 th Oct 2014 Maarten Litmaath IT/SDC.
EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Unified Middleware Distribution (UMD): SW provisioning to EGI Mario David.
OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Future support of EGI services Tiziana Ferrari/EGI.eu Future support of EGI.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 12/21/2011.
Rob Quick OSG Operations Area Coordinator Manager High Throughput Computing Indiana University Integrating OSG Operational Services Rob Quick OSG Operations.
MW Readiness WG Update Andrea Manzi Maria Dimou Lionel Cons 10/12/2014.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
6/23/2005 R. GARDNER OSG Baseline Services 1 OSG Baseline Services In my talk I’d like to discuss two questions:  What capabilities are we aiming for.
HEPiX IPv6 Working Group David Kelsey GDB, CERN 11 Jan 2012.
EGI-InSPIRE RI EGI.eu European Grid Infrastructure EGI-InSPIRE RI Credential Validation Middleware Requests compiling.
Status review and pending issues March 13, 2012 Oxford, UK David Groep, Nikhef, EUGridPMA, EGI and BiG Grid participation supported by IGE, the Initiative.
European Middleware Initiative (EMI) The Software Engineering Model Alberto Di Meglio (CERN) Interim Project Director.
WLCG Technical Evolution Group: Operations and Tools Maria Girone & Jeff Templon Kick-off meeting, 24 th October 2011.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
Additional Services: Security and IPv6 David Kelsey STFC-RAL.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 02/13/2012.
12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Operations Automation Team Kickoff Meeting.
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF EUGridPMA status update SHA-2, OCSP, and more David.
Placeholder ES 1 CERN IT EGI Technical Forum, Experiment Support group AAI usage, issues and wishes for WLCG Maarten Litmaath CERN.
WLCG Operations Coordination report Maria Alandes, Andrea Sciabà IT-SDC On behalf of the WLCG Operations Coordination team GDB 9 th April 2014.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI VOMS Proxy Lifetime UCB 21 Aug 2012 David Kelsey STFC.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Questionnaires to Cloud technology providers and sites Linda Cornwall, STFC,
OSG Area Coordinators Meeting Security Team Report Mine Altunay 8/15/2012.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Introduction of SHA-2 in the EGI Infrastructure David Groep, EGI-IGTF Liaison.
News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.
Pledged and delivered resources to ALICE Grid computing in Germany Kilian Schwarz GSI Darmstadt ALICE Offline Week.
ALICE WLCG operations report Maarten Litmaath CERN IT-SDC ALICE T1-T2 Workshop Torino Feb 23, 2015 v1.2.
WLCG Operations Coordination Andrea Sciabà IT/SDC GDB 11 th September 2013.
EGI-InSPIRE RI EGI-InSPIRE RI EGI-InSPIRE Software provisioning and HTC Solution Peter Solagna Senior Operations Manager.
DOEGrids Audit Report Michael Helm 1 Networking for the Future of Science Energy Sciences Network Lawrence Berkeley National Laboratory 10 May 2009.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI IPv6 Report for HEPiX CERN October 5, 2012 CERN 1
LCG Introduction John Gordon, STFC GDB December 7 th 2010.
Accounting Review Summary and action list from the (pre)GDB Julia Andreeva CERN-IT WLCG MB 19th April
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI SA1.2 Plans 2013 Security Operations David Kelsey (STFC) 26/02/2013 Operations.
Availability of ALICE Grid resources in Germany Kilian Schwarz GSI Darmstadt ALICE Offline Week.
Security Policy Update WLCG GDB CERN, 11 June 2008 David Kelsey STFC/RAL
Ian Bird, CERN WLCG Project Leader Amsterdam, 24 th January 2012.
WLCG IPv6 deployment strategy
OpenSSL and Java 7 vs. 512-bit proxy keys
OGF PGI – EDGI Security Use Case and Requirements
Multi User Pilot Jobs update
David Kelsey CCLRC/RAL, UK
JRA3 Introduction Åke Edlund EGEE Security Head
gLite->EMI2/UMD2 transition
Andrea Manzi, Oliver Keeble
IGE Globus Appliances Dr. Ioan Lucian Muntean, Dr. Adrian Colesa
EGI Software Vulnerability Group (SVG) report to CSIRT F2F
LCG Security Status and Issues
Ian Bird GDB Meeting CERN 9 September 2003
Update on SHA-2 and RFC proxy support
Update from the HEPiX IPv6 WG
Summary from last MB “The MB agreed that a detailed deployment plan and a realistic time scale are required for deploying glexec with setuid mode at WLCG.
John Gordon, STFC GDB October 12th 2011
DPM releases and platforms status
This presentation document has been prepared by Vault Intelligence Limited (“Vault") and is intended for off line demonstration, presentation and educational.
EUGridPMA Status Review … and proposals February 28, 2012 Taipei, TW
Thursday pilot session: 7-minutes
Chapter 2 – Software Processes
SHA-2 Migration status David Groep Nikhef Nikhef, Amsterdam
New Types of Accounting Beyond CPU
MaGrid CA Self audit and update
AuthN Middleware Requests
and the SHA-1 depreciation time line and status
Introduction slides Peter Solagna – EGI.eu
Andrea Manzi, Oliver Keeble
Presentation transcript:

IGTF, WLCG, EGI and SHA-2 (and RFC proxies) David Kelsey (STFC-RAL and WLCG) TAGPMA meeting, Panama City Aug 2012

Overview SHA-2 at IGTF All Hands – Karlsruhe May 2012 WLCG status – And subsequent discussion EGI status IGTF ongoing Risk Analysis Many thanks to David Groep and Maarten Litmaath for most of the material Aug 2012SHA-2, TAGPMA2

IGTF All Hands May 2012 From David Groep’s summary of the meeting The SHA-1 risk assessment is ongoing (see later) Clear that, especially on the software and RP side, more testing needs to be done in order to estimate the risks of disrupting the infrastructure and the impact of moving to SHA-2 now However, the only real way of finding out which things break, is by actually doing it – moving early and having the software 'break' in Jan 2013 may in the long run cause less pain for the users than waiting until the last moment and then having to hurry – and be off-line for weeks on end while we try to reconstruct the trust fabric Aug 2012SHA-2, TAGPMA3

IGTF All Hands (2) Agreed action items for the CAs ALL IGTF CAs should have or get the capability of issuing SHA-2 based certificates All CAs MUST implement this a.s.a.p, and REPORT on the implementation of SHA-2 issuing capabilities by October 1, 2012 This implementation of SHA-2 should encompass BOTH end-entity certs AND CRLs CAs should schedule to start issuing SHA-2 based certs by January 1, 2013 (only if by December 2012 it is clear that everything will still break in more than one infrastructure may some CAs consider not moving) Aug 2012SHA-2, TAGPMA4

IGTF All Hands (3) There should be user explanatory documents describing the move to SHA-2 From Jan 2013 onwards, users SHOULD have the capability of requesting SHA-2 based certs from all CAs CAs MAY consider shortening the validity period for EECs that are still SHA-1 based after , so that the sunset date for SHA-1 (March 2014) is maintained. This will also encourage users to move to SHA-2 Since software should accept at least SHA‐256 and SHA-512 out of the SHA-2 family of hashes - to ensure that will happen, some CAs should use SHA-256 and others SHA- 512, so there will and should be no IGTF guidance as to which one to choose Aug 2012SHA-2, TAGPMA5

IGTF All Hands (4) Action items for RPs the actual use of SHA-2 certs and CAs should be tested for every software release from now – EGI should do the certification and Staged Roll-out of their UMD 2.0 distribution with SHA-2 based certificates – The EGI RT ticket #3078 has been updated for this issue Jules Wolfrat will similarly collect this info from PRACE-RI and its software providers At least SHA-256 and SHA-512 should be tested There are 'test CAs' available for the certification process (e.g. the OpenID based one by NCSA which is already in the experimental IGTF distribution area) – there are several IGTF CAs that will be willing to issue dedicated test certs off their production instance Aug 2012SHA-2, TAGPMA6

WLCG status See following slides from Maarten Litmaath about WLCG situation SHA-2 and the move to use of RFC proxies Aug 2012SHA-2, TAGPMA7

Update on SHA-2 and RFC proxy support GDB Maarten Litmaath CERN

Reminder - the problem IGTF would like CAs to move from SHA-1 to SHA-2 signatures ASAP, to anticipate concerns about the long-term safety of the former – See For WLCG this currently implies using RFC proxies instead of the Globus legacy proxies in use today – See Jan GDB presentation for detailed explanation Switching to using the EMI Common Authentication Library (CANL) may help here: supports SHA-2 with legacy proxies – Will be investigated by the dCache team GSI based delegation not yet supported, should not be hard – Also BeStMan might use it then Maarten Litmaath (CERN)9

IGTF plans EUGridPMA/IGTF discussed the matter at various meetings – Quote: – “The date by which SHA-2 production certs may be issued will be NO LATER than January 2013 (and it is likely we will RECOMMEND CAs to move then, since it will take another 395 days to get rid of SHA-1 in a reasonable way)” That would give us 5 months to get ready for RFC and SHA-2 – Looks impossible, in particular now that this year’s LHC run will be extended a few months into 2013 ! Neither experiments nor sites will want to rock the boat … A Plan B would be desirable  read on … Maarten Litmaath (CERN)10

Current state of affairs There are various pieces of middleware and experiment-ware that need to be made ready for SHA-2 or RFC proxy support – SHA-2: dCache, BeStMan (RFC proxies already supported by these) – RFC: Argus, CREAM, WMS, DIRAC, … – Central EGI/OSG/… services – EGI Operations will help with the assessment All EMI-2 products (released May 21) should support RFC proxies – WMS not yet available – Very little uptake so far – Also SHA-2 should be supported, except for dCache – verified? It may be many weeks before the affected products can be endorsed by UMD for generic deployment on EGI sites – EMI-2 is a major release with many changes OSG did not report additional constraints for their MW Maarten Litmaath (CERN)11

Updated phases and milestones (1) 1. Deployment of SW supporting RFC proxies – Proxy usage: Legacy RFC  only in special tests SHA-2  only in special tests – SW supports: Legacy RFC  maybe SHA-2  maybe – Milestone: All deployed SW supports RFC proxies  summer 2013 ? – Additional goal: All deployed SW supports SHA-2, except dCache and BeStMan  summer 2013 ? Maarten Litmaath (CERN)12

Updated phases and milestones (2) 2. Switch to RFC proxies  summer 2013 ? 3. Upgrade dCache and BeStMan – Proxy usage: RFC SHA-2  only in special tests – SW supports: RFC SHA-2  maybe – Milestone: All deployed SW supports SHA-2  autumn 2013 ? 4. Introduce SHA-2 CAs  Jan 2014 ? – Plan B ?! Maarten Litmaath (CERN)13

Plan B proposal Introduce a new, short-lived WLCG catch-all CA – It would issue SHA-1 certificates to any WLCG member whose CA no longer supports SHA-1 for new certificates Name space “*” Users Hosts, services – Its own cert would be distributed in addition to the IGTF CAs As used to be done for the FNAL KCA – Its lifetime would be 1 or 2 years, just to bridge the gap – It would need to be in place before Jan 2013 Unless IGTF shift their timeline – A significant effort … Our RFC and SHA-2 conversion efforts continue in parallel Maarten Litmaath (CERN)14

Discussion WLCG – EUGridPMA since 11 July 2012 Extension of WLCG running into 2013 – And then the data analysis and summer conferences Lots of concern about a WLCG Plan B – Non-unique names and clashes Lots of vetting to be done by WLCG – Risk to other EGI communities – EGI UMD 2.0 should be installed asap – Whatever happens we must work together and avoid a Plan B General agreement that the ability for users still to request SHA-1 certs during 2013 is essential Aug 2012SHA-2, TAGPMA15

EGI/WLCG Middleware releases gLite 3.2 – end of security support ranges from 30/4/12 to 31/10/12 depending on the component EMI 1 – end of security support 30/4/13 EMI 2 – first released 21/5/12 UMD 2.0 – the EGI middleware – rel. 2/7/12 – But no Workload Management UMD 2.1 – first with WMS – rel. 6/8/12 Aug 2012SHA-2, TAGPMA16

EGI and SHA-2 A document has been prepared (v1.1, Aug 2012) – EGI Action plan 1.SHA-2 readiness matrix (tech providers) 2.SHA-2 compliance validation (during provisioning) 3.Production testing of infrastructure (CSIRT) 4.Assessment of impact on Users (Portals, tools etc) Review after EUGridPMA Sep 2012 meeting Aug 2012SHA-2, TAGPMA17

IGTF SHA-1 risk assessment See slides shown by David Groep at the IGTF All Hands meeting (May 2012) A document (V0.3) came out of All Hands (link on All Hands agenda) several new elements were identified and added to the ToC We now need active contributors that write substantive elements of the actual risk assessment – in section 4, detailing the course of action for the IGTF and the CAs what will be done once SHA-1 is broken, and what actions do the CAs need to take? – in section 5, detailing the impact on the operational (grid) infrastructure which elements are likely to break when we (suddenly or scheduled) move to SHA-2, and how will RPs and subscribers be impacted? – in section 6 (new): which elements need to be tested beforehand? Aug 2012SHA-2, TAGPMA18

Discussion Aug 2012SHA-2, TAGPMA19

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.