5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
5-Sep-02D.P.Kelsey, Security Summary, Budapest2 Outline WP6 CA group (Authentication) WP6 Authorisation group WP7 Security Coordination Group (SCG) Summary and issues
5-Sep-02D.P.Kelsey, Security Summary, Budapest3 WP6 CA group Status –New “Minimum requirements for a CA” for TB2 More on RA procedures Network connected CA allowed in some circumstances –CrossGrid German/Karlsruhe CA approved Greece, Poland and Slovakia under consideration CERN, FNAL and others proposing a Kerberos-based CA –Long-lived credentials are Kerberos based –KCA then issues short-lived X.509 certs Collecting statistics of issued certificates Good progress on acceptance matrix –Automatic extraction of features where possible
5-Sep-02D.P.Kelsey, Security Summary, Budapest4 WP6 CA (2) Scaling to LCG Data Challenges –Atlas DC1 the most urgent –Request to add new CA’s Australia, Canada, Japan + many more We will provide better documentation on the CA acceptance procedure –Interim approval possible via –Final approval requires presentation at a CA mtg BUT –We aim to establish “trust” such that Grid sites will accept the use of PKI – this is not easy! –Heavy requirement on robust procedures Including the registration authorities (to confirm identity) Sites will not “trust” the use of PKI if we grow too quickly
5-Sep-02D.P.Kelsey, Security Summary, Budapest5 WP6 Authorisation Group See Luciano Gaido’s slidesslides
5-Sep-02D.P.Kelsey, Security Summary, Budapest6 WP7 Security Coord Group D7.5 - Security Requirements and TB1 (complete) D7.6 - Security Design and TB2 (January 2003) –Akos Frohner (CERN) – rep on ATF Security components –VOMSwith WP6Auth/WP2 Attributes: VO, role(s), group(s), validity – signed by VO –GACL(WP6 - McNab) –SlashGrid(WP6 - McNab) For dn-based grid homefile system –LCAS, LCMAPS (WP4) –WP2 Security –ACL’s and security elsewhere (WP1,WP3,WP5,…) Need to verify/audit security design and implementation
5-Sep-02D.P.Kelsey, Security Summary, Budapest7 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service dn dn + attrs Fine-grained e.g. RepMeC WP2/WP3 Coarse-grained e.g. CE, Gatekeeper WP4 Fine-grained e.g. SE, /grid WP5 Java C Authorisation authenticate acl
5-Sep-02D.P.Kelsey, Security Summary, Budapest8 VO management (WP6/LCG) Security groups are concerned about the procedures used to Check/Register users in VO’s Authorisation more important than Authentication –Gives access to resources! CA’s do not check the right to use resources Sites need to be convinced of VO procedures to establish “trust” VO RA needs to reliably confirm –Right to join VO, i.e. identity –That the user rightfully owns the certificate (?) BUT…. Ideally, VO’s should be “easy” to create and manage Will suggest “Minimum requirements” and procedures for creating and operating a VO
5-Sep-02D.P.Kelsey, Security Summary, Budapest9 Summary & issues Authenticationunder control –BUT … Problems of scaling to LCG (work with VOs/LCG) –Will sites “trust” the use of PKI (security of private keys)? Authorisation –Improved VO LDAP for TB2 –New VOMS – first implementation for TB2 (coarse grain) –Fine grained (ACL’s) coming –Need to work more on ACL management –Need more work on VO management and procedures WP1 – publish list of ACL’s to the RB – is this OK? Working with WP10 (2 and 5) on medical security requirements Resource situation –WP2, WP6, WP7 and others all contributing –Authorisation group partially funded by DataTag –BUT, we need to work more on ACL’s