NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

Contents
● The technology
● NREN support for Grids
● Lessons learned

PKI-COORD
● not a real success for PKI
  – never achieved the PMA stage
  – root CA not acceptable, bridges too complicated
  – issuing user certificates is hard
  – no “killer application”
● concluded with “PKI is dead (again)”
  – at least for user authentication

Grid PKI
● running PKI demanded by Grid software
● initially a “small” community
● a concrete goal to run a Grid project
  – many CAs operated by national grid projects

Grid PKI characteristics
● Globus Toolkit 2.x (OpenSSL based)
● Entities identified by certificate Subject
● Dynamic hierarchies not supported
  – (no dynamic CRL download)
● Only a part of certificate content used
● Specific CN syntax + semantics (CN=ldap/ldap.host.domain)

EUGridPMA
● started as EU DataGrid CA group in 2001
● coordination of Grid PKI
● currently almost 40 CAs issuing end entity certificates from 3 continents
  – 4 of them provided by NRENs
    ● CESNET, SWITCH, DFN, NIIF, (SURFnet coming soon)

EUGridPMA architecture
● List of trusted CAs (no root, no bridges...)
● One CA per country, region, or international organization
● Namespace assignment for each CA
● Part of IGTF (International Grid Trust Federation)
● TACAR as trusted repository
● Maintainer of the Classic PKI Authentication Profile (aka “minimum requirements”)
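
An added example, not taken from the slides and not Globus Toolkit code: a relying-party check that combines the trusted-CA list, the per-CA namespace assignment, and the service CN syntax (CN=ldap/ldap.host.domain) described above. The CA names, namespaces and function names are constructed for illustration, and certificate signature and CRL checks are assumed to have been done already.

```python
import re

# Constructed trust list: issuer DN -> subject namespace assigned to that CA.
TRUSTED_CAS = {
    "/DC=org/DC=example-grid/CN=Example Grid CA": "/DC=org/DC=example-grid",
    "/C=XX/O=Example NREN/CN=Example NREN CA": "/C=XX/O=Example NREN",
}

def parse_dn(dn):
    """Split an OpenSSL one-line DN into (attribute, value) pairs.

    A '/' starts a new RDN only when followed by 'ATTR=', so the slash
    inside CN=ldap/ldap.host.domain stays part of the CN value.
    """
    parts = re.split(r"/(?=[A-Za-z]+=)", dn)
    if parts[0] != "" or len(parts) < 2:
        raise ValueError("DN must start with '/': %r" % dn)
    return [tuple(p.split("=", 1)) for p in parts[1:]]

def in_namespace(subject, namespace):
    """True if the subject's leading RDNs equal the namespace RDNs.

    Comparing whole RDNs, not string prefixes, keeps 'O=Example NREN Evil'
    out of the 'O=Example NREN' namespace.
    """
    s, n = parse_dn(subject), parse_dn(namespace)
    return len(s) > len(n) and s[:len(n)] == n

def authorize(issuer, subject):
    """Return the subject DN as the entity's identity, or raise."""
    namespace = TRUSTED_CAS.get(issuer)
    if namespace is None:
        raise PermissionError("issuer not in trusted CA list")
    if not in_namespace(subject, namespace):
        raise PermissionError("subject outside issuer's namespace")
    return subject

def service_of(subject):
    """Split a service CN 'service/host'; a plain CN gives (None, cn)."""
    attr, value = parse_dn(subject)[-1]
    if attr != "CN":
        raise ValueError("last RDN is not a CN")
    service, sep, host = value.partition("/")
    return (service, host) if sep else (None, value)
```
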

Classic PKI Authentication Profile
● CP, CPS
● Identity verification rules
● Operation (incl. certificate profile)
● Site security
● Requirements on repositories
● Audits
● Privacy and confidentiality
● Compromise and disaster recovery

EUGridPMA accreditation
● Accreditation Procedures
● CP/CPS review
● Self-auditing, peer auditing
● Personal presence at EUGridPMA meetings

New items
● OCSP
  – support for dynamic CA hierarchies
● Unification of CPs
  – OIDs for Authentication Profiles
  – One Statement Policies
● more information for RP

Grid CA operated by NREN
● need to follow Grid PKI requirements
  – some of them apply to other OpenSSL-based applications anyway
● possibility to influence Grid PKI
● requirements of “really relying” relying parties
● sharing experience among CAs => PKI testbed driven by users

Grid CA operated by NREN - benefits
● possibility for one PKI for both Grids and non-Grid applications
● ID management run by dedicated body

Beyond the classic PKI
● Short-lived certificates issued by SICS (site integrated certificate services)
● NRENs building AAI
same goal – same infrastructure?

Lessons learned
● PKI is too complicated to succeed without demanding users
● PKI is too complicated to be run by non-dedicated bodies
● both Grid and non-Grid users can benefit from using common PKI

Lessons learned?
● AAI is too complicated to succeed without demanding users
● AAI is too complicated to be run by non-dedicated bodies
● both Grid and non-Grid users can benefit from using common AAI

References
● EUGridPMA
● IGTF