Jens Jensen, STFC Sep. 2017 EUGridPMA Manchester Pathfinder Stuff Jens Jensen, STFC Sep. 2017 EUGridPMA Manchester

Contents AAAI Pathfinder Er, that’s it.

AAAI Pathfinder GridPP VOMS DiRAC, ARCHER X.509 SAFE ssh IdP

AAAI Pathfinder GridPP PRACE EGI, EUDAT, Indigo DC X.509 IdP

GridPP, EGI, PRACE, EUDAT, GlobusConnect(?) DB Pathfinder T3.2 STFC/Facilities Portal sshd User Reg’n portal SCARF Public Authn MyProxy Online CA HSM GridPP, EGI, PRACE, EUDAT, GlobusConnect(?)  VOMS

(links to) JISC and service AUP CRL (links to) CP and CPS Moonshot (user) authenticated Account management Public Portal/server (no authentication required) Information Links to helpdesk (links to) JISC and service AUP CRL (links to) CP and CPS AUP Acceptance Name filter IdP check Attribute check Data Processing Acceptance Certificate Interface Acct DB Status (Re)new Revoke Management Interface (X.509 authenticated) Service API Forget

GridPP’s participation Work with Suleman Tariq CA portal (user interface) If you have an IdP in Assent, you can authenticate to https://pathfinder.stfc.ac.uk/moonshot/userreq.pl Not finished yet You can’t get a certificate (yet) Evaluated, but chose not to use MP client Chose not to use the CTS code No VOMS in interface; expecting attrs from Moonshot

Visiony Stuff Single identity provided by home org. Or a “homeless” org. Access to both web and non-web resources Chicken and egg takeup: More resources make having an IdP more attractive Use Pathfinder to provide resources

Technical Points Moonshot requires client side libs (mech_eap.so) X.509 certificates require higher LoA Aiming for BIRCH Need for IdP to communicate “loss of traceability” Infrastructure managed private keys Should improve usability

(Main) Risks (There is a proper risk register…) Not enough IdPs… Of a sufficient LoA (IGTF BIRCH) Need to sign a contract! (little assurance in Assent itself) IdP cannot notify on loss of traceability IGTF accreditation delayed Users still manage certs through browser!

Database

Current Status Trusted IdPs: managed manually (whitelist) in service No assurance in Assent Needs agreement (lawyers, legal) Compare UK eSc: HoD signed Option for individual user step up auc. Guidance from AARC? Needs to not just be a one off (traceability) Registration practices statement? Option for notification “step up” as well Complicated status: need UF indicator

Current Status – Person Unauthenticated person Authenticated person Authenticated from good org Or has step-up (see prev.) Authenticated from good org with good attrs Authenticated from good org with good attrs and notify on loss of traceability Authenticated from good org with good attrs and notify on loss of traceability and AUP/dataprot.-accept

Final steps Need approval from reviewers! MyProxy ∫ (à la CTS) No VOMS extensions though Not prod’n ready Temporary CA, database in cloud Writeup to be finished Still some funnies in the system 10-14 unauthorised requests are made before one is authorised(!) Still need the *!@^!^%& attributes! (see RFC 7056) Doesn’t pick up local biscuit even with IE Ensure logging is correct

Future directions ∫ with RCauth? Could support IOTA branch for < MICS Lots of Globus dependencies for MyProxy Will need to approve each IdP (Need to define process for doing so) And debug its attributes… Like, what is the User-Name (RFC 7056)