Assessing Combined Assurance

Presentation transcript:

Assessing Combined Assurance
Introducing composites of DOGWOOD and BIRCH/CEDAR in EGI and beyond
David Groep, Nikhef
Co-supported by the Dutch National e-Infrastructure coordinated by SURF, and by EGI Core Services

EGI Combined Assurance use case
- The IOTA AP assurance level 'DOGWOOD' is different: the remainder of the assurance can be taken up by somebody else, the user community or the registrar for the Access Platform
- The only thing you get from the credential itself is an opaque ID
- Stepping up to adequate assurance: real names from pseudonyms; enrolling users in a community; keeping audit records; auditability and tracing; incident response
- Identity elements: identifier management; re-binding and revocation; binding to entities; traceability of entities; emergency communications; regular communications; 'rich' attribute assertions; correlating identifiers; access control
(Evolving the EGI Trust Fabric - Bari 2015)

The wLCG IOTA CA: by-pass 'lcg-CA' or explicit configuration
- For EGI-only sites nothing changed
- For EGI sites also under wLCG policy and installed post-EGEE: just install both policy packages, "egi-core" and "lcg"
- ca-policy-egi-core: IGTF Classic (ca-AEGIS, …), IGTF MICS (ca-TCS), IGTF SLCS (ca-DFN-AAI)
- ca-policy-lcg: IGTF Classic (ca-AEGIS, …), IGTF MICS (ca-TCS), IGTF SLCS (ca-DFN-AAI), plus ca-CERN-LCG-IOTA

Project MinE (ALS) use case
- Access traditional global grid resources from the CLI
- By users that have no PKIX experience but are all properly vetted and registered (in the SURFsara CUA)
- Case comparable to the LHC VOs (and to ELIXIR)
- Give access based on the DOGWOOD CUA ID, and pre-populate a VOMS server based on CUA details
(15 November 2018, Leveraging the IGTF registration network for research)

Interlude (thanks to Mischa Sallé)

A proxy from the TTS: the ad-hoc way
Additional info: Mischa Sallé, msalle@nikhef.nl

A one-time URL giving a shell script

Register your ssh public key, like in GitLab, SourceForge, etc.

Hiding PKIX, just like Kerberos does
- Implicit retrieval of proxies using ssh-agent
- The resulting proxies can be decorated with VOMS attributes without the need for passphrases or other credentials
- Predictable RCauth subject naming (USR) allows pre-registering users in VOMS, COmanage, etc.

Beyond DOGWOOD (CERN IOTA, RCauth, CILogon Basic)
- Old model: the CERN STS tight VO-binding model, with the EGI- and WLCG-specific exception
- EGI combined assurance model: make the assurance combination part of the service AuthZ decision
- Implemented by the major AuthZ frameworks: Argus (1.7.1+), LCMAPS, dCache (3.1+)
- Configuration shipped via EGI and WLCG
- But: which 'other' assurance providers qualify?

Specific Delegated Responsibilities
- The need for proper traceability does not go away, so whoever holds that information need not only be a traditional CA, but can be another entity with similarly rigorous processes
- Some communities have an existing registration system that is very robust: PRACE (in-person links at the home sites); XSEDE (NSF grant approval process); wLCG (CERN Users Office and HR Database)

Distributed Responsibilities I: Trusted Third Party

Distributed Responsibilities II: Collaborative Assurance & Traceability

IOTA in the EGI context
- EGI, by design, supports loose and flexible user collaboration: 300+ communities
- Many were established 'bottom-up' with fairly light-weight processes
- The membership management policy* is deliberately light-weight
- Most VO managers rely on the naming in credentials to enrol colleagues
- Only a few VOs are 'special': for the LHC VOs, enrolment is based on the user's entry in a special (CERN-managed) HR database, itself based on a separate face-to-face vetting process and eligibility checks, including government photo ID and institutional attestations; only properly registered and active people can be listed in VOMS
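The two slides above ("Beyond DOGWOOD" and "IOTA in the EGI context") describe the decision a combined-assurance AuthZ layer has to make: a BIRCH or CEDAR credential carries enough identity vetting on its own, while a DOGWOOD credential is only an opaque identifier and must be combined with membership in a community whose registration process (CERN HR database, PRACE home sites, XSEDE grant approval) supplies the missing vetting. The following is an added illustration of that rule in Python; it is not the Argus, LCMAPS or dCache implementation the talk mentions, and the issuer DNs, VO names and the list of vetted communities are constructed assumptions for the example.

```python
"""Combined-assurance authorization check (added example, not code from
Argus, LCMAPS, dCache or EGI). A credential's issuing CA is mapped to an
IGTF assurance profile; for DOGWOOD the missing identity vetting may be
supplied by a VOMS attribute from a community with a vetted registry."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption: issuer DN -> IGTF assurance profile. The DNs are placeholders;
# in practice this mapping comes from the IGTF distribution (policy packages).
CA_ASSURANCE = {
    "/DC=example/DC=igtf/CN=Classic CA": "CEDAR",   # IGTF Classic
    "/DC=example/DC=igtf/CN=MICS CA": "BIRCH",      # IGTF MICS
    "/DC=example/DC=iota/CN=IOTA CA": "DOGWOOD",    # IGTF IOTA, opaque ID only
}

# Assumption: VOs whose own registration process is accepted as supplying
# the vetting that DOGWOOD lacks (illustrative names only).
VETTED_COMMUNITIES = {"atlas", "cms", "prace", "xsede"}

# Profiles that satisfy the site's baseline without any community input.
SUFFICIENT_ALONE = {"BIRCH", "CEDAR"}


@dataclass
class Decision:
    permit: bool
    reason: str
    # Which parties contributed assurance, e.g. "ca:DOGWOOD", "vo:atlas"
    assurance_sources: list[str] = field(default_factory=list)


def vo_of_fqan(fqan: str) -> str:
    """Extract the VO name from a VOMS FQAN.

    '/atlas/Role=production/Capability=NULL' -> 'atlas'
    """
    parts = [p for p in fqan.split("/") if p]
    if not parts or "=" in parts[0]:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    return parts[0].lower()


def authorize(issuer_dn: str, fqans: list[str],
              ca_assurance: dict[str, str] = CA_ASSURANCE,
              vetted: set[str] = VETTED_COMMUNITIES) -> Decision:
    """Decide whether the combination of CA assurance and VO membership
    meets the baseline. Returns a Decision with an audit-friendly reason."""
    level = ca_assurance.get(issuer_dn)
    if level is None:
        return Decision(False, f"issuer not in trusted distribution: {issuer_dn}")
    if level in SUFFICIENT_ALONE:
        return Decision(True, f"CA assurance {level} is sufficient alone",
                        [f"ca:{level}"])
    if level != "DOGWOOD":
        return Decision(False, f"unknown assurance profile {level!r}")

    # DOGWOOD: the CA only vouches for a persistent opaque identifier, so
    # somebody else (a vetted community registry) must vouch for the person.
    try:
        vos = {vo_of_fqan(f) for f in fqans}
    except ValueError as exc:
        return Decision(False, str(exc))
    accepted = sorted(vos & vetted)
    if accepted:
        return Decision(True, "DOGWOOD combined with vetted community registry",
                        [f"ca:{level}"] + [f"vo:{v}" for v in accepted])
    return Decision(False,
                    "DOGWOOD credential without vetted community membership "
                    f"(VOs presented: {sorted(vos) or 'none'})")


if __name__ == "__main__":
    iota = "/DC=example/DC=iota/CN=IOTA CA"
    for fq in (["/atlas/Role=production/Capability=NULL"], ["/biomed/Role=NULL"], []):
        d = authorize(iota, fq)
        print(d.permit, d.reason, d.assurance_sources)
```

The point of returning the contributing sources alongside the verdict is traceability: when an incident is handled, the site can see from its own log whether it relied on the CA alone or on a community registry, and therefore whom to contact for the real identity behind the opaque ID.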

Developing an assessment framework

The need for guidance

Assessment Matrix
- Mapping for PKIX/RFC 3647 is trivial
- How to apply our BIRCH/CEDAR guidance to community registries?
- Relevant for COmanage and VOMS communities, but maybe wider?
- https://wiki.eugridpma.org/Main/AssuranceAssessment

Building a global trust fabric: discussion!