Portals and Authentication Issues and Solution Directions from a CA and IGTF Perspective David Groep NIKHEF.


Portals and Authentication: Issues and Solution Directions from a CA and IGTF Perspective
David Groep, NIKHEF

Issues
- Authentication
  - a federated CA structure
  - identity vetting and 'classic' AP requirements
  - relying party requirements
  - certificate 'classes'
- Linking Authentication and Portals
  - automated clients
  - user credential caches
  - AAI-backed Short-Lived Credential Service CAs
TCG Portal WG: Issues in authentication

Authentication model
- Design and implementation choices made in production-oriented grids: focus on providing cross-national trust (initially in the context of the EU DataGrid and CrossGrid projects)
- National PKI
  - in general, uptake of 1999/93/EC and e-Identification is slow
  - where available, a national PKI could be leveraged, but this has not happened yet
- Various commercial providers
  - main commercial drive: secure web servers based on PKI (Entrust, GlobalSign, Thawte, Verisign, SwissSign, …)
  - primary market is server authentication, not end-user identities
  - but use of commercial CAs solves the 'pop-up' problem ... so for (web) servers a pop-up free service is needed (i.e. SCS)
- On the other end of the spectrum: 'grass-roots' CAs
  - usually project specific, and without any documented policies
  - unsuitable for the 'production' infrastructure
4 December, 2018, TCG Portal WG: Issues in authentication

The first grid authentication infrastructures
- Grid (academic) PKIs started off with pre-existing CAs, and some new ones, late 2000
- 'reasonable' assurance level based on 'acceptable' procedures
  - a single assurance level inspired by grid relying-party requirements
  - using a threshold model: minimum requirements
- Grid CA coordination driven by actual and current needs
  - separation of AuthN and AuthZ allowed progress
  - published policies convince resource providers to 'trust' CAs
- started with 6 authorities (NL, CZ, FR, UK, IT, CERN)
- a fundamentally federated (i.e. distributed) effort

Federation Model for Grid Authentication
[Diagram: authentication profiles, distribution, acceptance process; CA 1 … CA n serving relying party 1 … relying party n]
- A Federation of many independent CAs
  - common minimum requirements (in various flavours)
  - trust domain as required by users and relying parties, where a relying party is (an assembly of) resource providers
  - defined and peer-reviewed acceptance process
- No strict hierarchy with a single top
  - spread of reliability, and failure containment (resilience)
  - maximum leverage of national efforts and complementarities

International Grid Trust Federation
- Federation of 3 Regional "PMAs", that define common guidelines and accredit credential-issuing authorities: TAGPMA, EUGridPMA, APGridPMA

Grid Relying Parties & resource providers
- In Europe
  - Enabling Grids for E-sciencE (EGEE) (~200 sites)
  - Distr. Eur. Infrastructure for Supercomputer Apps (DEISA) (~15 sites)
  - South Eastern Europe: SEE-GRID (10 countries)
  - many national projects (NL BIG-GRID, VL-e, UK e-Science, Grid.IT, …)
- In the Americas
  - EELA: E-infrastructure Europe and Latin America (24 partners)
  - WestGrid (6 sites), GridCanada, …
  - Open Science Grid (OSG) (~60 sites)
  - TeraGrid (~10 sites + many users)
- In the Asia-Pacific
  - AP Grid (~10 countries and regions participating, and growing)
  - Pacific Rim Applications and Grid Middleware Assembly (~15 sites)
- data as per mid 2006

Relying Party issues to be addressed
- Common Relying Party requests on the Authorities
  - standard accreditation profiles sufficient to assure approximate parity
    - effectively, a single level of assurance sufficed then for relying parties; this is changing today, as more diverse resources are being incorporated
  - monitor [] signing namespaces for name overlaps
  - a forum [to] participate and raise issues
  - [operation of] a secure collection point for information about CAs which you accredit
  - common practices where possible
- list courtesy of the Open Science Grid
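One of the relying-party requests above is to monitor signing namespaces for overlaps. As an added example (not code from the slides or from the IGTF distribution), the following parses the Globus-style signing_policy files the IGTF ships per CA and flags any two CAs whose subject namespaces could both cover the same DN; the three policies are constructed samples with placeholder DNs, and the trailing-wildcard assumption is the example's own.

```python
"""Signing-namespace overlap monitor (added example, not from the slides).
Assumes the Globus signing_policy format (access_id_CA / pos_rights /
cond_subjects) as shipped in the IGTF distribution, and that subject
namespaces are trailing-wildcard globs. Sample policies are constructed.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample: ca-a and ca-b are disjoint; ca-c claims a sub-tree that
# ca-a's wildcard already covers, which a namespace monitor should flag.
SAMPLE_POLICIES = {
    "ca-a.signing_policy": """\
access_id_CA  X509  '/C=XX/O=ExampleGrid/CN=Example Grid CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=XX/O=ExampleGrid/*"'
""",
    "ca-b.signing_policy": """\
access_id_CA  X509  '/C=YY/O=OtherGrid/CN=Other Grid CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=YY/O=OtherGrid/*" "/C=YY/O=OtherLab/*"'
""",
    "ca-c.signing_policy": """\
access_id_CA  X509  '/C=XX/O=ExampleGrid/OU=Catchall/CN=Catch-all CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=XX/O=ExampleGrid/OU=Catchall/*"'
""",
}

def parse_signing_policy(text):
    """Return (ca_dn, [subject namespace globs]) from one signing_policy text."""
    ca_dn, namespaces = None, []
    for line in text.splitlines():
        parts = line.split(None, 2)          # key, type-or-tag, quoted value
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        key, value = parts[0], parts[2].strip().strip("'")
        if key == "access_id_CA":
            ca_dn = value
        elif key == "cond_subjects":          # one or more "..." globs
            namespaces.extend(re.findall(r'"([^"]*)"', value))
    return ca_dn, namespaces

def ca_may_sign(subject_dn, policy_text):
    """True if subject_dn falls inside one of this CA's signing namespaces."""
    _, namespaces = parse_signing_policy(policy_text)
    return any(fnmatchcase(subject_dn, ns) for ns in namespaces)

def namespaces_overlap(ns_a, ns_b):
    """With trailing-wildcard globs, two namespaces collide when one fixed
    prefix is a prefix of the other (some subject could match both)."""
    pa, pb = ns_a.rstrip("*"), ns_b.rstrip("*")
    return pa.startswith(pb) or pb.startswith(pa)

def find_overlaps(policies):
    """Return sorted (file_a, file_b, ns_a, ns_b) for every colliding pair."""
    parsed = {name: parse_signing_policy(txt)[1] for name, txt in policies.items()}
    names = sorted(parsed)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            hits += [(a, b, x, y) for x in parsed[a] for y in parsed[b]
                     if namespaces_overlap(x, y)]
    return hits
```

Run `find_overlaps` over the real distribution directory to get the monitor the slide asks for; `ca_may_sign` is the per-certificate check an RP applies to a presented subject DN.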

Pending requirements
- The CP/CPS MUST describe
  - how the identity (DN) assigned in the certificate is unique within the namespace of the issuing CA
  - how the identity (DN) assigned in the certificate will never be re-issued to another end entity during the lifetime of the CA
  - how the CA attests to the validity of the identity
- In order for a (RA) to validate the identity of a person, the subject SHOULD contact the RA face-to-face and present valid government or employer issued photo-id and/or official documents.
- If face-to-face is not possible then the CP/CPS MUST describe: how the CA provides accountability, showing that they have verified enough identity information to get back to the physical person at any time during the lifetime of the certificate.

Building the federation
- Trust providers ('CAs') and relying parties ('sites') together shape the common requirements
- Several profiles for different identity management models
- Authorities demonstrate compliance with profile guidelines
- Peer-review process within the federation to (re-)evaluate members on entry & periodically
  - reduces effort on the relying parties: single document to review and assess for all CAs under a profile
  - reduces cost for the authorities, but participation does come at a cost of involved participation …
- Ultimate trust decision always remains with the RP
- An authority is not necessarily limited to just 'grid' use

Guidelines: secured X.509 CAs
- Aimed at long-lived identity assertions, the 'traditional PKI' world
- Identity vetting procedures
  - based on (national) photo IDs
  - face-to-face verification of applicants via a network of distributed Registration Authorities
  - periodic renewal (once every year)
  - revocation and CRL issuing required, and we have all RPs actually downloading the CRLs several times a day
  - subject naming must be a reasonable representation of the entity name
- Secure operation
  - off-line signing key, or HSM-backed on-line secured systems
- Audit requirements
  - data retention and audit trail requirements, traceability of certified entities
- Technical implementation
  - need to limit the number of issuing authorities for technical reasons (most software and browsers cannot support O(1000) issuers)
  - certificate profile and interoperability

Short-lived or member integrated services
- Aimed at short-lived 'translations', that are organisation/federation bound
- Identity vetting procedures
  - based on an existing ID Management system of sufficient quality
  - original identity vetting must be of sufficient quality to trace the individual for as long as the name is in active use
  - if documented traceability is lost, the subject name can never be re-used
  - revocation and CRL issuing not required for assertion lifetimes << 1 Ms
  - subject naming must be a reasonable representation of the entity name
- Secure operation
  - HSM-backed on-line secured systems
- Audit requirements
  - data retention and audit trail requirements, traceability of certified entities
- Technical implementation
  - scaling of this model still needs to be demonstrated, and needs higher-level coordination
  - most software and browsers cannot support O(1000) issuers, and a peer-review based trust fabric cannot do that either …
  - certificate profile and interoperability

ID management system requirements: technical and IT security requirements
- The identity management (IdM) system containing the identity information used to issue the assertions must meet the following conditions
  - Re-usable private information used to authenticate end-entities to the IdM system must only ever be sent encrypted over the network when authenticating to any system (including any non-CA systems) that is allowed to use the IdM for authentication.
  - A not-published second authentication factor must be used to authenticate the end-entity for certificate issuance
  - The end-entities must be notified of any certificate issuance, using contact information previously registered in the IdM (for example by electronic mail)
  - From the information stored in the IdM it must be possible to determine if the requestor's identity has originally been validated using a face-to-face meeting as described above

ID management system requirements: identity vetting requirements
- convincing the world that you're OK
- How the IdM is populated, maintained and cleaned MUST be documented and agreed to by the PMA. Two modes:
  - By example: the IdM used by the CA should be a system that is also used to protect access to critical resources, e.g. payroll systems, for use in financial transactions, granting access to highly-valuable resources, and be regularly maintained.
  - By review: alternatively, equivalent security mechanisms must be provided, described in detail and presented to the PMA, and are subject to PMA agreement.
- and again: the data for those entities in the IdM that qualify for 'MICS' assertions must be of a quality that allows unique tracing, name uniqueness and persistency, and a mechanism to clean 'stale' entries must be defined.
Notes:
- Example: the UvAmsterdam does not trust its own system even for grading!
- tries to 'catch' the quality of the system without having to report to formal audits
- initially, local systems need only be trusted internally
  - policies usually not documented
  - implicit LoA depending on application
  - example: UvA Blackboard: SSO not trusted for the actual grades!
- to go 'outside' (esp. internationally, where implicit national assumptions may no longer hold): need to document
  - specify LoA in an independent audit, or convince the 'outside' world based on your example applications
  - example: MICS -> IdM also trusted for finance/salary/etc.

Profile matrix: towards multiple LoAs
- All grid technical security mechanisms meet the technical protocol requirements of (NIST e-Auth) level 3 (but even soft tokens meet level 3 …)
- Identity vetting requirements for Classic and MICS meet ~ level '2 –'
  - only in-person allowed (the remote option is not allowed; Authorities cannot check financial records &c)
  - except that address and DoB are not necessarily retained by the RA to ease data protection issues, and copies are not always retained
  - but the ID number (and issuing country) is recorded, so 'relevant' agencies can get to the applicant
  - VOs need to collect this information and more anyway for incident response
- Both more stringent and looser LoAs needed for other resource classes
  - but e-Auth level 1 is too low, and NIST doesn't define anything in between…

Users vs Hosts
- Profiles distinguish between 2-3 'classes'
- Users
  - high-quality identity vetting, so that the same subject name is quite surely bound to the person
  - 'all' CAs under the classic profile meet this bar
- Hosts (or 'service', e.g. 'CN=gatekeeper/ce.example.org')
  - the concept of 'ownership' of the (DNS) name is vague
  - can be a group of system admins, where the local RA will ensure ('somehow', 'vaguely') that the requestor is authorized
  - for some CAs, 'service' certificates can be requested by 'service owners', and no thorough checking is done with the system administrators
  - the assurance level for host and service certs is really bound to the use of the DNS name only
  - when used outside securing a TLS network endpoint, the assurance level is ill-defined and varies widely across the IGTF
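The relying-party side of the two previous slides, as an added example (not code from the deck): read the certificate 'class' off the subject CN as described above, and decide whether the RP must still consult a CRL, which the short-lived profiles waive only for lifetimes << 1 Ms. Treating 1 Ms as a hard ceiling, the CN heuristics and the sample subjects are this example's assumptions, not IGTF-normative rules.

```python
"""Relying-party checks on certificate class and revocation need (added
example, not from the slides). Class is derived from the subject CN; the
MICS/SLCS profiles skip the CRL requirement only for lifetimes << 1 Ms.
The 1 Ms ceiling, CN heuristics and sample DNs are assumptions.
"""
import re
from datetime import datetime, timedelta

ONE_MEGASECOND = timedelta(seconds=1_000_000)        # about 11.6 days
HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")  # simple DNS-name shape

def split_dn(dn):
    """Split '/C=../CN=gatekeeper/ce.example.org' into RDNs, keeping a
    'service/host' CN whole: a '/' not followed by 'attr=' is not an RDN."""
    rdns = []
    for piece in dn.strip("/").split("/"):
        if "=" in piece or not rdns:
            rdns.append(piece)
        else:
            rdns[-1] += "/" + piece
    return rdns

def subject_class(dn):
    """'service' for CN=name/host, 'host' for a bare DNS name, else 'user'."""
    cns = [r[3:] for r in split_dn(dn) if r.startswith("CN=")]
    if not cns:
        raise ValueError("subject has no CN: %s" % dn)
    cn = cns[-1]
    if "/" in cn and HOSTNAME.match(cn.split("/", 1)[1]):
        return "service"
    if HOSTNAME.match(cn):
        return "host"
    return "user"

def assess(dn, profile, not_before, not_after):
    """Return {'class', 'crl_required', 'lifetime_ok'} for an RP decision;
    profile is 'classic', 'mics' or 'slcs' (the IGTF authentication profiles)."""
    lifetime = not_after - not_before
    if profile == "classic":
        # Classic AP: revocation and CRL issuing are required, RPs fetch CRLs
        return {"class": subject_class(dn), "crl_required": True, "lifetime_ok": True}
    if profile in ("mics", "slcs"):
        short = lifetime <= ONE_MEGASECOND
        # Only a genuinely short-lived assertion may skip the CRL check; an
        # over-long one is non-compliant and falls back to requiring revocation.
        return {"class": subject_class(dn), "crl_required": not short, "lifetime_ok": short}
    raise ValueError("unknown profile: %s" % profile)

# Constructed sample certificates (placeholder DNs, not real issuers or users).
SAMPLES = [
    ("/C=XX/O=ExampleGrid/CN=Alice Example", "classic", 365),
    ("/C=XX/O=ExampleGrid/CN=gatekeeper/ce.example.org", "classic", 365),
    ("/C=XX/O=ExampleGrid/CN=ce.example.org", "classic", 365),
    ("/C=XX/O=ExampleGrid/OU=SLCS/CN=Bob Example 1234", "slcs", 0.5),
    ("/C=XX/O=ExampleGrid/OU=SLCS/CN=Carol Example 5678", "slcs", 20),
]

def run_samples(start=datetime(2006, 6, 1)):
    """Assess every sample; lifetimes are given in days from `start`."""
    return [assess(dn, prof, start, start + timedelta(days=days))
            for dn, prof, days in SAMPLES]
```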

Hosts vs Robots
- If the host/service assurance level is so ill-defined, what then?
- Raise the assurance level
  - leads to intricate problems when used for the current purpose of securing network endpoints
- Look at the 'automated client' class
  - identities for programs and services that act in an automated way towards the grid infrastructure
  - concept introduced by Mike Helm in 2002
  - criteria developed by Jens (see next talk)
  - not yet supported by all CAs, but interest is growing (actually, today only UK and NL do, with CZ coming up)

Profile matrix: where we stand
Multiple Authentication Profiles: where the IGTF stands today (note: certificate classes are orthogonal to the Profiles)
- Classic AP (near-inline Id vetting)
  - Identity vetting: with govt photo-ID; only by in-person F2F meeting of RA
  - Subject: soft-tokens allowed
  - Issuer: off-line, or online HSM 140.2-3 (FIPS 140-2 level 3)
- 'MICS' (proposed) (time-shifted Id vetting)
  - Identity vetting: with govt photo-ID; with proven documented traceability to the individual at any time (no definite F2F requirement)
  - Issuer: online HSM 140.2-3
- SLCS (time-shifted Id vetting)
  - Identity vetting: …

Evolution and revolution
- Each CA is independent
  - constraints of manpower, local funding, national legislation &c
  - compliance is to minimum requirements
- Introduction of new features
  - through demand from within the subscriber base (per CA): most effective, especially if you bring along effort
  - through cross-fertilisation by peer CAs: also effective, but can take a lot of time if effort is lacking
  - by raising the minimum requirements: does not work well for this kind of innovation …

Possible alternatives: current authentication landscape
- Service certs
  - the CA may allow its use as an automated client, but the infrastructures should be wary of accepting them!
  - a check of the policy may be needed: i.e. in NL, the 'hosts' class identifies network endpoints, as the verification is limited to finding the appropriate system admin; in DoEGrids they are quite weakly linked
- User certs
  - generate a proxy from the personal proxy of the portal owner
  - needs the owner to regularly provide the passphrase, but works in virtually all scenarios
- Robot certs (see Jens' talk)
  - where available (UK, NL, soon CZ) these are the preferred choice
  - protects the private key from abuse outside the portal system
- and, of course, these options can be mixed
- downside: requires new Grid AUP/Policies (but no new CA requirements)

Possible alternatives: traditional portal approach
- Use the MyProxy solution
  - all jobs are traceable to the requesting user
  - the portal MyProxy server becomes a valuable target
  - entirely within the current policy space
  - downside: 'real' users cannot handle any kind of credentials
- In a pervasive AAI environment (or in wonderland?)
  - Federation-backed SLCS integrated with the portal
  - SWITCHaai-like solutions: excellent for those countries that have a working AAI that actually reaches all your researchers (i.e. CH)
  - authorize to the portal based on the AAI account, then generate a cert on the fly from the SLCS service
  - also entirely within the current policy space
  - not too many countries have something pervasive …