Soapbox of Random Stuff

Slides:



Advertisements
Similar presentations
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Advertisements

Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
AAI Developments AAI for e-infrastructures UK T0 workshop, Milton Hill Park October 2015
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No B2ACCESS LSDMA.
VOMS Attribute Authorities Michael Helm ESnet/LBNL 23 Feb 2007.
MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.
B2access.eudat.eu B2ACCESS User Training How to register with B2ACCESS Version 1 February 2016 This work is licensed under the Creative Commons.
Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )
A Survey of Certificate Management Processes and Procedures in OSG Gabriel Ghinita and Mine Altunay
Jens' obligatory soap box Can't be a PMA without a SoapBox A random collection of Soapy things Nicosia, Jan 2009.
HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2.
News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.
Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston )
Soapbox (S-Series) Certificate Validation Jens Jensen, STFC.
PRACE user authentication and vetting Vincent RIBAILLIER, 29 th EUGridPMA meeting, Bucharest, September 9 th, 2013.
Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.
Guidelines for attribute translation to X.509
Document update - what has happened since GGF11
WLCG Update Hannah Short, CERN Computer Security.
Jens Jensen EU Grid PMA, Berlin Jan 2015
Authentication, Authorisation and Security
EGI Updates Check-in Matthew Viljoen – EGI Foundation
P-p-pick up a Pathfinder
Third Party Transfers & Attribute URI ideas
J Jensen, STFC hepsysman, June 2017
AEGIS Certification Authority
GOCDB New Requirements
UK e-Science CA Update J Jensen, STFC 31 Jan 2017.
Identity Management and Authorization
Christos Kanellopoulos
Jens Jensen, STFC Sep EUGridPMA Manchester
CheckIn: the AAI platform for EGI
AAI Alignment Nicolas Liampotis (based on the work of Mikael Linden)
Check-in Nicolas Liampotis
Virtual Face to Face Meetings for ID-check
Tweaking the Certificate Lifecycle for the UK eScience CA
Jens Jensen, STFC 15 Sep GridPP39, Lancaster
Chris Wendt, David Hancock (Comcast)
Identity Management and Authorization
Identity Management and Authorization
Update on EDG Security (VOMS)
The New Virtual Organization Membership Service (VOMS)
The IGTF Charter Name uniqueness throughout the IGTF is anchored in the Charter Current Charter assigns a namespace to an Authority, implying that the.
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
RFC PASSporT Construction 6.2 Verifier Behavior
Communications IGTF RAT Comms Challenge 3 Fall 2015
Pilots in AARC Arnout Terpstra (AARC2) / Paul van Dijk (AARC1)
AARC Blueprint Architecture and Pilots
UK e-Science CA and JCS Migration Status
Community AAI with Check-In
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.
Presentation transcript:

Soapbox of Random Stuff UK e-Science CA Sept. 2016

Overview Adventures in RCauth land By extension, extensions Probably relevant since we covered RCauth at previous PMAs By extension, extensions SHA2 migration Renewals and video

RCauth

Example of using RCauth EUDAT is investigating whether it can use RCauth instead of its own in-house CA The remainder of this section is with EUDAT-as-a-RP-hat Need to satisfy both RCauth policy and IOTA/DOGWOOD E.g. RCauth does not require traceability, but IOTA does

EUDAT use of RCauth RCauth policy IOTA requirement Is the lifetime 400 days or 11 days (6.3.2) IOTA requirement “documented and verifiable relationship” B2ACCESS is only a proxy (cf. AARC MJRA1.4) External IdM External IdP B2ACCESS proxy RCauth No DaVR here except eduGAIN at best The DaVR is between B2ACCESS and RCauth as IdP and SP, resp.

EUDAT use of RCauth Need to check quite a few things (SIRTFI, R&S) EUDAT claims to be SIRTFI compliant but best to check whether it is actually happening  All portals must be PKPG compliant Of course a central MyProxy service might help here but this is not in the EUDAT AARChitecture Revocations EUDAT has a doc’d account deprovisioning process but otherwise no way of detecting “loss of traceability”

EUDAT use of RCauth Namespace: Namespace Can RPs disambiguate B2ACCESS-issued credentials from other-IdP-issued credentials? Accepting other credentials useful in some cases (B2STAGE), less so in others (GOCDB) Namespace Where’s the stuff required by DOGWOOD? Must be {O,CN}, but …?

EUDAT use of IOTA/DOGWOOD “Traceability of the credential is provided only in a cooperative way […]” So is traceability a requirement on the proxy? Proxy can (only) say “go ask over there” Authority must be told the originator IdP? Authority must have information to trace id with originator IdP (DW3.1, DW3.2)? “the identity management system via which the identity of this person was vetted” so must be originator IdP, not the proxy (DW3.2) “name [..] must contain sufficient information s.t. utilizing only this data, an enquiry via the issuer [RCauth] to the IdM”

EUDAT use of Rcauth – Constructing the CSR? Inconsistent use of O in EUDAT (user filled field… ), or does it come from FIMS? (i.e. O=B2ACCESS) Cf. Dogwood requirement (previous slide) Single CN (EUDAT has two, unique id and name/principal(?)) Risk of using non-ASCII UTF8? Originating IdP and identifier with originating IdP And the authorisation extensions, of course 

Interfacing and Performance EUDAT uses its own CA (née Contrail CA but much code has been replaced ) API is OAuth controlled Authorised portals have OAuth client ids DN is issued by token, DN in CSR is ignored  CA queries authorisation attrs. Proposed use of RCauth Heavily relying on MyProxy caches?! Needs GSI delegation also to add extns. Currently EUDAT (=Shiraz) is trying to set up a test Rcauth

Interfacing and Performance Options (Shiraz & Mischa) B2ACCESS as an IdP Preferred option as less work is required  However, RCauth performance not good enough  B2ACCESS as a master portal Shiraz says it requires changes in B2ACCESS  B2ACCESS as a VO

Extensions EUDAT needs extensions in short-lived EE certs Authorisation attributes Unfortunately a non-standard 1.3.6.1.4.1.3536(Globus).1.1.1.12 (But then so was VOMS, initially)

Extensions

Useful PKCS#10 extensions subjectAltName Accept requests for xple SANs User email addresses Hosts - increasingly required with Globus compliance with RFC2818 Would allow useful ext’ns in user SLCs Shorter proxy chains, too

Using OpenSSL … for requests And the section contains (e.g.) (e.g.) –reqexts req_section And the section contains (e.g.) 1.3.6…1.1.12=ASN1:UTF8String:${ENV::SAML} subjectAltName=DNS:xxx,DNS:yyy … for signing copy_extensions = copyall (in CA config section) Obviously all extensions should be filtered (allowed) and verified (by RA) NB! With copyall request extensions overrule configured extensions!

SHA2 migration

Document sent to IGTF Friday (and again Monday) Unsigned: https://cert.ca.ngs.ac.uk/sha2migration/sha2migration-1.6.pdf With signature: https://cert.ca.ngs.ac.uk/sha2migration/sha2migration-1.6.tar https://cert.ca.ngs.ac.uk/sha2migration/sha2migration-1.6.zip

SHA2 migration for subordinate CAs Several approaches are effective Resigning the CA certificate with SHA2 is not one of them Bad options: Resign the CA certificate with SHA2 Rekey (rollover) the CA certificate with SHA2 So-so options: Withdraw support for SHA1 signatures in mw. Better options: Rekey the root, and re-sign the subordinate

SHA2 signatures Suggestions Drop 2A (online) – no certificates on it any more Rekey root, and re-sign 2B with SHA2 under new root – best way to deal with issue (see doc) A compromise to mitigate against a compromise

Renewals and Video verification

Video verification of Id (JK+JJ) Can we have a demonstrator?!! Ideally before we approve the process  Both a genuine id and if possible a fake id (and independently, not by someone who does it for a living) Is the process recorded? Use of passport Too much information on passport (GDPR) processed Non-passport ids wouldn’t have verifiable features Giving away enough information for passport to be faked? Can people be trained in examining passports from all countries? Can the training be kept up to date? Are there so few that they have to process requests from several countries (= Chinese applying for UK cert and verified by authority in China)? … or just make it a lower LoA 

Video verifications (JK) Suggest it is OK for the following: User who has previously held certificate, but all the user’s certificates are expired or revoked User applies for same DN User still holds the same id that was in the original record RA still holds the original records and can compare (Obviously the id was originally checked in-person by RA or notary public as req’d by CEDAR)

Host Rekey (JK) Approval of host certificate rekey is normally routine In UK eSc CA, host certs rekey themselves “Need” for certificate usu. a given Similar risks to the 3 yr lifetime for hosts, only with slightly less risk Risks are not so much at issuance (processes deal OK with issuance), more down the road Proposal to auto-approve and notify RA instead of waiting for approval

View from a hard working CA  One CA operator’s card (used frequently) CA manager’s card (used less frq.)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.