Grids & PKI: TAGPMA & Bridges (Scott Rea – Dartmouth College) Internet2 Member Meeting, Dec 2006 PKI Implementers Workshop - Chicago, IL
International Grid Trust Federation IGTF Purpose: Manage authentication services for global computational grids via policy and procedures IGTF goal: harmonize and synchronize member PMAs policies to establish and maintain global trust relationships IGTF members: 3 regional Policy Management Authorities EUgridPMA APgridPMA TAGPMA
IGTF
IGTF general Architecture The member PMAs are responsible for accrediting authorities that issue identity assertions. The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers. The management and continued evolution of an AP is assigned by the IGTF to a specific member PMA. Proposed changes to an AP will be circulated by the chair of the PMA managing the AP to all chairs of the IGTF member PMAs. Each of the PMAs will accredit credential-issuing authorities and document the accreditation policy and procedures. Any changes to the policy and practices of a credential-issuing authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.
EUGridPMA members and applicants Green: EMEA countries with an Accredited Authority 23 of 25 EU member states (all except LU, MT) + AM, CH, HR, IL, IS, NO, PK, RU, TR Other Accredited Authorities: DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all
EUgridPMA Membership Under “Classic X.509 secured infrastructure” authorities accredited: 38 (recent additions: CERN-IT/IS, SRCE) active applicants: 4 (Serbia, Bulgaria, Romania, Morocco) Under “SLCS” accredited: 0 active applicants: 1 (SWITCH-aai) Under MICS draft none yet of course, but actually CERN-IS would be a good match for MICS as well Major relying parties EGEE, DEISA, SEE-GRID, LCG, TERENA
Map of the APGrid PMA General Membership U. Hong Kong (China) U. Hyderabad (India) Osaka U. (Japan) USM (Malaysia) Ex-officio Membership APAC (Australia) CNIC/SDG, IHEP (China) AIST, KEK, NAREGI (Japan) KISTI (Korea) NGO (Singapore) ASGCC, NCHC (Taiwan) NECTEC, ThaiGrid (Thailand) PRAGMA/UCSD (USA)
APgridPMA Membership 9 Accredited CAs In operation AIST (Japan) APAC (Australia) ASGCC (Taiwan) CNIC (China) IHEP (China) KEK (Japan) NAREGI (Japan) Will be in operation NCHC (Taiwan) NECTEC (Thailand) 1 CA under review NGO (Singapore) Will be re-accredited KISTI (Korea) Planning PRAGMA (USA) ThaiGrid (Thailand) General membership Osaka U. (Japan) U. Hong Kong (China) U. Hyderabad (India) USM (Malaysia)
TAGPMA
TAGPMA Membership Accredited Relying Parties In Review Argentina UNLP Brazilian Grid CA CANARIE (Canada)* DOEGrids* EELA LA Catch all Grid CA ESnet/DOE Office Science* REUNA Chilean CA TACC – Root In Review FNAL Mexico UNAM NCSA – Classic/SLCS Purdue University TACC – Classic/SLCS Venezuela Virginia USHER Relying Parties Dartmouth/HEBCA EELA OSG SDSC SLAC TeraGrid TheGrid LCG *Accredited by EUgridPMA
Recent Mapping Exercises Federal Bridge CA (FBCA) General Profile against IGTF Classic Profile Federal Citizen & Commerce Certificate CA (C-4) against IGTF Classic Profile IGTF Classic Profile against C-4
Mapping Designations Seven (7) designations used to characterize the equivalency Exceeds - The ENTITY CP policy provides a higher level of assurance/security than the Federal CP requirement Equivalent - The ENTITY CP policy provides exactly the same assurance/security as the Federal CP requirement. Comparable - The ENTITY CP contains dissimilar policy contents, but provides a comparable level of assurance to meet the security to the Federal CP requirement. Partial - The ENTITY CP contains policy that is comparable, but it does not address the entire Federal CP requirement. Not Comparable - The ENTITY CP contains dissimilar policy contents, which provides a lower level of assurance/security than the Federal CP requirement. Missing - The ENTITY CP does not contain policy contents that can be compared to the Federal CP requirement in any way. N/A – Not Applicable to ENTITY CP or required for FBCA cross certification.
Mapping Results C-4 against IGTF Classic Profile 30 policy points evaluated 14 Comparable designations 12 Partial designations 3 Not Comparable designations 1 Not Applicable designation
Mapping Results FBCA General against IGTF Classic Profile Basic LOA used for Comparisons 136 policy points evaluated 22 Comparable designations 33 Partial designations 12 Not Comparable designations 65 Missing designations 3 Not Applicable designations
Mapping Results IGTF Classic Profile against C-4 30 policy points evaluated 19 Comparable designations 1 Partial designation 10 Exceeds designations
Proposed Inter-federations CA-2 CA-1 HE BR AusCert CAUDIT PKI CA-n NIH HE JP FBCA Cross-cert Cross-certs C-4 DST ACES Texas Dartmouth HEBCA Cross-certs IGTF Wisconsin UVA Univ-N USHER CertiPath SAFE CA-4 Other Bridges CA-1 CA-2 CA-3
FPKI High HEBCA/USHER Medium Hardware CBP High Medium Software CBP Medium Basic Basic Rudimentary Rudimentary IGTF C-4 Classic Ca SAML Foundation MICS SLCS Username/Password Username/Password
For More Information IGTF Website: http://www.gridpma.org/ TAGPMA Website: http://www.tagpma.org/ Scott Rea - Scott.Rea@dartmouth.edu