5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

Slides:



Advertisements
Similar presentations
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
Advertisements

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
11-Dec-01D.P.Kelsey, Authentication1 Authentication 11 Dec 2001 David Kelsey CLRC/RAL, UK
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Password?. Project CLASP: Common Login and Access rights across Services Plan
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin
Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.
12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
9-May-02D.P.Kelsey, Security Plans, GridPP41 Security: Plans 9 May 2002 GridPP4 meeting, Manchester David Kelsey CLRC/RAL, UK
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
EU DataGrid (EDG) & GridPP Authorization and Access Control User VOMS C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups,
10-Jun-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) CERN, 10 June 2003 David Kelsey CCLRC/RAL, UK
13-Jul-04D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Update (Report from the Joint LCG/EGEE Security Group) CERN 13 July 2004 David Kelsey CCLRC/RAL,
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
9-Sep-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) CERN, 9 September 2003 David Kelsey CCLRC/RAL, UK
23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK
EDG Security European DataGrid Project Security Coordination Group
8-Jul-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) RAL, 8 July 2003 David Kelsey CCLRC/RAL, UK
3-Nov-00D.P.Kelsey, HEPiX, JLAB1 Certificates for DataGRID David Kelsey CLRC/RAL, UK
Ákos FROHNER – DataGrid Security n° 1 Security Group D7.6 Design Ideas
10-May-01D.P.Kelsey, Security Workshop Summary1 DataGrid Security Workshop 29/30 March 2001 SUMMARY David Kelsey CLRC/RAL, UK
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
3-Jul-02D.P.Kelsey, Security1 Security meetings Report to EDG PTB 3 Jul 2002 David Kelsey CLRC/RAL, UK
Security Mechanisms The European DataGrid Project Team
WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.
30-Sep-03D.P.Kelsey, SCG Summary1 Security Co-ordination Group (WP7 SCG) EDG Heidelberg 30 September 2003 David Kelsey CCLRC/RAL, UK
User VOMS Java C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups, roles, capabilities Authentication Certificate Authorities.
9-Oct-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) FNAL 9 October 2003 David Kelsey CCLRC/RAL, UK
23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL1 LCG/EDG Security - update and plans HEPiX/HEPNT - FNAL 23 Oct 2002 David Kelsey CLRC/RAL, UK
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
VO management: Progress since Chicago Workshop Vincenzo Ciaschini 23/5/2002 CNAF – Bologna.
Andrew McNabSecurity Middleware, GridPP8, 23 Sept 2003Slide 1 Security Middleware Andrew McNab High Energy Physics University of Manchester.
Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.
2-Sep-02D.P.Kelsey, WP6 CA, Budapest1 WP6 CA report Budapest 2 Sep 2002 David Kelsey CLRC/RAL, UK
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Last update 21/01/ :05 LCG 1Maria Dimou- cern-it-gd Current LCG User Registration, VO management and Authorisation Procedures VOMS workshop
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan1 Certificates for DataGrid Testbed0 David Kelsey CLRC/RAL, UK
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
WP3 Security and R-GMA Linda Cornwall. WP3 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service.
Ákos FROHNER – DataGrid Security n° 1 Security Group TODO
8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK
12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK
WP7 Security Coordination 23/24 Jan 2002 David Kelsey CLRC/RAL, UK
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
15-May-03D.P.Kelsey, SCG Summary1 Security Coord Group (SCG) EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
Site Authorization Service Local Resource Authorization Service (VOX Project) Vijay Sekhri Tanya Levshina Fermilab.
10-May-01D.P.Kelsey, WP6 Security1 Certificates/Authorisation for DataGrid Testbeds David Kelsey CLRC/RAL, UK
7-May-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Issues and Planning or Report from the Security Group CERN, 8 May 2003 David Kelsey CCLRC/RAL, UK.
Gridification progress report David Groep, Oscar Koeroo Wim Som de Cerff, Gerben Venekamp Martijn Steenbakkers.
11-May-01D.P.Kelsey, Security Update1 GRID Security Update David Kelsey CLRC/RAL, UK
DataGrid Security Wrapup Linda Cornwall 4 th March 2004.
A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed Infrastructures for Academic Research Eisaku SAKANE, Takeshi.
Grid Deployment Technical Working Groups: Middleware selection AAA,security Resource scheduling Operations User Support GDB Grid Deployment Resource planning,
Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.
15-Jun-04D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Update (Report from the LCG Security Group) CERN 15 June 2004 David Kelsey CCLRC/RAL, UK
7-Mar-01D.P.Kelsey, User access, WP6, Amsterdam1 WP6: GRID mapfiles and Users access policy David Kelsey CLRC/RAL, UK
David Kelsey CLRC/RAL, UK
David Kelsey CCLRC/RAL, UK
R-GMA Security Principles and Plans
CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.
Update on EDG Security (VOMS)
Presentation transcript:

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest2 Outline WP6 CA group (Authentication) WP6 Authorisation group WP7 Security Coordination Group (SCG) Summary and issues

5-Sep-02D.P.Kelsey, Security Summary, Budapest3 WP6 CA group Status –New “Minimum requirements for a CA” for TB2 More on RA procedures Network connected CA allowed in some circumstances –CrossGrid German/Karlsruhe CA approved Greece, Poland and Slovakia under consideration CERN, FNAL and others proposing a Kerberos-based CA –Long-lived credentials are Kerberos based –KCA then issues short-lived X.509 certs Collecting statistics of issued certificates Good progress on acceptance matrix –Automatic extraction of features where possible

5-Sep-02D.P.Kelsey, Security Summary, Budapest4 WP6 CA (2) Scaling to LCG Data Challenges –Atlas DC1 the most urgent –Request to add new CA’s Australia, Canada, Japan + many more We will provide better documentation on the CA acceptance procedure –Interim approval possible via –Final approval requires presentation at a CA mtg BUT –We aim to establish “trust” such that Grid sites will accept the use of PKI – this is not easy! –Heavy requirement on robust procedures Including the registration authorities (to confirm identity) Sites will not “trust” the use of PKI if we grow too quickly

5-Sep-02D.P.Kelsey, Security Summary, Budapest5 WP6 Authorisation Group See Luciano Gaido’s slidesslides

5-Sep-02D.P.Kelsey, Security Summary, Budapest6 WP7 Security Coord Group D7.5 - Security Requirements and TB1 (complete) D7.6 - Security Design and TB2 (January 2003) –Akos Frohner (CERN) – rep on ATF Security components –VOMSwith WP6Auth/WP2 Attributes: VO, role(s), group(s), validity – signed by VO –GACL(WP6 - McNab) –SlashGrid(WP6 - McNab) For dn-based grid homefile system –LCAS, LCMAPS (WP4) –WP2 Security –ACL’s and security elsewhere (WP1,WP3,WP5,…) Need to verify/audit security design and implementation

5-Sep-02D.P.Kelsey, Security Summary, Budapest7 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service dn dn + attrs Fine-grained e.g. RepMeC WP2/WP3 Coarse-grained e.g. CE, Gatekeeper WP4 Fine-grained e.g. SE, /grid WP5 Java C Authorisation authenticate acl

5-Sep-02D.P.Kelsey, Security Summary, Budapest8 VO management (WP6/LCG) Security groups are concerned about the procedures used to Check/Register users in VO’s Authorisation more important than Authentication –Gives access to resources! CA’s do not check the right to use resources Sites need to be convinced of VO procedures to establish “trust” VO RA needs to reliably confirm –Right to join VO, i.e. identity –That the user rightfully owns the certificate (?) BUT…. Ideally, VO’s should be “easy” to create and manage Will suggest “Minimum requirements” and procedures for creating and operating a VO

5-Sep-02D.P.Kelsey, Security Summary, Budapest9 Summary & issues Authenticationunder control –BUT … Problems of scaling to LCG (work with VOs/LCG) –Will sites “trust” the use of PKI (security of private keys)? Authorisation –Improved VO LDAP for TB2 –New VOMS – first implementation for TB2 (coarse grain) –Fine grained (ACL’s) coming –Need to work more on ACL management –Need more work on VO management and procedures WP1 – publish list of ACL’s to the RB – is this OK? Working with WP10 (2 and 5) on medical security requirements Resource situation –WP2, WP6, WP7 and others all contributing –Authorisation group partially funded by DataTag –BUT, we need to work more on ACL’s