AuthN Middleware Requests

Slides:

Advertisements

Similar presentations

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,

Advertisements

DESIGNING A PUBLIC KEY INFRASTRUCTURE

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

Release & Deployment ITIL Version 3

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

Assuring e-Trust always 1 Status of the Validation and Authentication service for TACAR and Grids.

The CA Distribution Process David Groep, July 2007.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

Pilot Jobs John Gordon Management Board 23/10/2007.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Distribution Repository Structure David Groep,

EGI-InSPIRE RI EGI.eu European Grid Infrastructure EGI-InSPIRE RI Credential Validation Middleware Requests compiling.

Status review and pending issues March 13, 2012 Oxford, UK David Groep, Nikhef, EUGridPMA, EGI and BiG Grid participation supported by IGE, the Initiative.

Slide title In CAPITALS 50 pt Slide subtitle 32 pt SEND Certificate Profile draft-krishnan-cgaext-send-cert-eku-01 Suresh Krishnan Ana Kukec Khaja Ahmed.

X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.

NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.

11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan1 Certificates for DataGrid Testbed0 David Kelsey CLRC/RAL, UK

EGI-InSPIRE RI EGI EGI-InSPIRE RI Service Operations Security Policy the new generalised site operations security policy.

EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

VOMS Attribute Authorities Michael Helm ESnet/LBNL 23 Feb 2007.

EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI TF.

12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK

The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.

EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF EUGridPMA status update SHA-2, OCSP, and more David.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI VOMS Proxy Lifetime UCB 21 Aug 2012 David Kelsey STFC.

EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI CF.

EUGridPMA Status Review … and proposals February 28, 2012 Taipei, TW David Groep, Nikhef, EUGridPMA, EGI and BiG Grid.

EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF & EUGridPMA status update SHA-2 – and more (David Groep,

News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.

Security Area Christoph Witzig (SWITCH) on behalf of John White (HIP)

Seifenkasten Jens Jensen Berlin PMA, Jan Jens Jensen, STFC/RAL CA processes – overview Key generation and storage (qv) Receiving requests (CSR,

IGTF, WLCG, EGI and SHA-2 (and RFC proxies) David Kelsey (STFC-RAL and WLCG) TAGPMA meeting, Panama City Aug 2012.

1 Digital Signatures – A Global Challenge Joachim Lingner Software Engineer Sun Microsystems 1.

AAVS Middleware Security Group Bob Cowles CERN – September 14, 2005.

Public Key Infrastructure. A PKI: 1. binds public keys to entities 2. enables other entities to verify public key bindings 3. provides services for management.

Requirements Gathering

Document update - what has happened since GGF11

AuthN and AuthZ in StoRM A short guide

Jens Jensen EU Grid PMA, Berlin Jan 2015

Expired Survey Results as of

J Jensen, STFC hepsysman, June 2017

GOCDB New Requirements

Classic X.509 AP updates (v4.1)

Update on SHA-2 and RFC proxy support

CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.

Tweaking the Certificate Lifecycle for the UK eScience CA

Update on EDG Security (VOMS)

SharePoint-Hosted Apps and JavaScript

The New Virtual Organization Membership Service (VOMS)

EUGridPMA Status Review … and proposals February 28, 2012 Taipei, TW

APNIC Trial of Certification of IP Addresses and ASes

Grid Security M. Jouvin / C. Loomis (LAL-Orsay)

Communications IGTF RAT Comms Challenge 3 Fall 2015

Resource Certificate Profile

SHA-2 Migration status David Groep Nikhef Nikhef, Amsterdam

Update - Security Policies

AARC Blueprint Architecture and Pilots

OIDC Federation for Infrastructures

and the SHA-1 depreciation time line and status

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

GFD.125 bis March 13, 2012 Oxford, UK David Groep, Nikhef

OCSP Requirements GGF13.

Presentation transcript:

AuthN Middleware Requests compiling the wish list for authN functionality for EGI David Groep, FOM-Nikhef and NL-NGI for EGI global task O-E-15 This work is supported by EGI-InSPIRE under NA2

Establishing identity in EGI Why, and Why Now? Trust anchor releases repeatedly run into ‘trouble’ in deployment inconsistencies in the distribution itself (1.39/1.41) increasing number of trust anchors supposedly-standard features not supported in M/W Middleware behaviour ‘suddenly’ changes use of namespaces RPDNC format in VOMS/Admin implemented in 2009 appeared in production in 2011 http://indico.cern.ch/getFile.py/access?contribId=16&resId=9&materialId=slides&confId=73381 changes are useful, but not always sufficiently-well advertised 2010-11-25 Establishing identity in EGI

Establishing identity in EGI More reasons why Operational issues CRL downloading and checking is not reliable lots of superfluous downloads in recent EGI ops VO incident, revocation did not take effect at some sites even after 18 hours Future hazards try to prevent spreading of NSS library use in m/w since this is dangerous for scalability and stability re-confirm adherence to CBP’s and standards 2010-11-25 Establishing identity in EGI

My Wish List: functionality Support throughout all middleware for SHA-2 starting December 2012, SHA-2 based certs may start to appear 'in the wild' without further warning… Support for OCSP allowing for *both* use of AIA in the EE certificates itself, and for site-configured trusted responders Support any number of CAs Failures should be graceful incorrect or expired data for a single trust anchor MUST NOT affect the other trust anchors in the set 2010-11-25 Establishing identity in EGI

Establishing identity in EGI Wish List: compliance honour meaning and scope on extensions an attribute that says emailProtection is to protect email, not for signing documents, etc. accept RFC3820 proxies everywhere and do the proper thing for proxyPathLen constraints beware of NSS again! allow CRL files to be updated on a file system be prepared to re-read such files and implement new CRL contents at any time 2010-11-25 Establishing identity in EGI

Wish List: don’t break it! Support drop-in (directory based) trust anchor distributions, and continue to do so no monolithic databases please, no NSS on disk Announce semantic changes to EGI/NGI&IGTF e.g. moving to namespaces needs prep for RPs document, and tell which component does what contribute to the drafting of a new standard for an RPDNC language, based on the GFD.189 analysis participate in CAOPS 2010-11-25 Establishing identity in EGI

Where does the wish list go? via EGI TCB to the middleware providers with which EGI has an MoU EMI – harmonize the stack, and define functional unity in any Common Authentication Library IGE – is consistent, but needs OCSP support; and beware of NSS in moving to Fedora discuss next week at EMI All Hands meeting 2010-11-25 Establishing identity in EGI

Establishing identity in EGI Did I miss something? Please add Real Soon, so that it can be considered by EGI 2010-11-25 Establishing identity in EGI