David Groep EUGridPMA The International Grid Trust Federation enabling an interoperable global trust fabric also supported by EGI.eu EGI-InSPIRE RI-261323,

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI The IGTF IOTA Profile towards differentiated assurance levels.
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin
Towards Cloud Federations: what we have; what we want OGF 31, Taipei Cloud security session Jens Jensen Science and Technology Facilities Council Rutherford.
Federal Requirements for Credential Assessments Renee Shuey ITS – Penn State February 6, 2007.
Policy, Trust and Technology Mitigating Risk in the Digital World David L. Wasley Camp 2006 © David L. Wasley, 2006.
David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.
LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.
Identity Management Levels of Assurance WLCG GDB CERN, 8 Apr 2009 David Kelsey STFC/RAL david.kelsey AT stfc.ac.uk.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Elements of Trust Framework for Cyber Identity & Access Services CYBER TRUST FRAMEWORK Service Agreement Trust Framework Provider Identity Providers Credential.
1 EAP and EAI Alignment: FiXs Pilot Project December 14, 2005 David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
TERENA TF-EMC2 Workshop David Groep,
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI Towards Differentiated Identity Assurance as a collaborative.
Ning Zhang, the University of Manchester, UK David Groep, National Institute for Nuclear and High Energy Physics, NL Blair Dillaway, OGF Security Area.
Updates from the EUGridPMA David Groep, July 16 st, 2007.
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
INFSO-RI Enabling Grids for E-sciencE EGEE is a project funded by the European Union under contract INFSO-RI Grid Accounting.
Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.
IOTA AP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure and SURFsara.
NRENs, Grids and Integrated AAI In Search For the Utopian Solution Christos Kanellopoulos AUTH/GRNET October 17 th, 2005 skanct at physics.auth.gr 2nd.
Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.
EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
APGridPMA Update Eric Yen APGridPMA August, 2014.
Identity Standards to Facilitate Interoperability in Federated Environments Scott Rea DigiCert, Inc In collaboration with Derek Simmel (PSC).
TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM
David Groep Nikhef Amsterdam PDP & Grid AARC Authentication and Authorisation for Research and Collaboration an impression of the road ahead.
Summary of Poznan EUGridPMA32 September EUGridPMA Poznan 2014 meeting – 2 David Groep – Welcome back at PSNC.
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF & EUGridPMA status update SHA-2 – and more (David Groep,
UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.
News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.
Networks ∙ Services ∙ People Ann Harding Networkshop 44, Manchester Thinking globally, acting locally Trust and Identity in the GÉANT project.
The Federal E-Authentication Initiative David Temoshok Director, Identity Policy GSA Office of Governmentwide Policy February 12, 2004 The E-Authentication.
PRACE user authentication and vetting Vincent RIBAILLIER, 29 th EUGridPMA meeting, Bucharest, September 9 th, 2013.
IGTF in 10 years enabling the interoperable global trust federation Nikhef, Amsterdam supported the Dutch national e-Infrastructure funded and coordinated.
Building Trust for Research and Collaboration
Cross-sector and user-centric AAI
LCG Security Status and Issues
Building Interoperable Global Trust
Policy in harmony: our best practice
AARC Blueprint Architecture and Pilots
Supporting communities with harmonized policy
EUGridPMA Status and Current Trends and some IGTF topics March 2018 APGridPMA ISGC Meeting David Groep, Nikhef & EUGridPMA.
OIDC Federation for Infrastructures
Appropriate Access InCommon Identity Assurance Profiles
Presentation transcript:

David Groep EUGridPMA The International Grid Trust Federation enabling an interoperable global trust fabric also supported by EGI.eu EGI-InSPIRE RI , and BiG Grid, the Dutch eScience Grid

The Need for a Global Trust Fabric International Grid Trust Federation More than one administrative organisation More than one service provider participates in a single transaction More than one user in a single transaction More than one authority influences effective policy Single interoperating instance at the global level

Overlapping Communities – Common Trust International Grid Trust Federation Goals allow multiple sources of authority: User, Institute, Community acknowledge both long- and short-term community structures enable security incident response and containment balance data protection and right to privacy to provide basis for access control decisions by resources and communities Reduce over-all policy burden by adhering to common criteria

Attributes and Access Control International Grid Trust Federation Several communities have complementary information for a user Access control based on policy expressed in these attributes, including the ID attributes will need to be linked link identifier to provide persistency

Requirements on a trusted source International Grid Trust Federation Incident Response long-term* traceable independent from short-lived community must be revocable correlate with other information sources banning and containment handle Privacy and data protection important ‘unalienable right’ for research correlation of PII among service providers could allow profiling exchange of PII often fraught with issues Measurement and Accounting publication metrics usage metering, billing auditing and compliance monitoring A common ID must live in a policy ecosystem to protect participants and to limit its use to specific purposes Access Control Attribute handle unique binding never re-assigned

Elements of Trusted Identity 1.Vetting and assurance – for identity and attributes – vetting rules and data quality – expiration and renewal – revocation and incident containment 2.Operational requirements for identity providers – operating environment and site security – staff qualification and control 3.Publication and audits – openness of policy, practices and meta-data – review and auditing 4.Privacy and confidentiality guarantees 5.Compromise, disaster recovery and business continuity International Grid Trust Federation OGF CAOPS-WG: Authentication Profile Structure, WG draft

Assurance levels Trust in the assertions by resource and service providers is key Until now, our e-Infrastructure used a single ‘level’ – there are well-known ‘government’ standards for LoA (US: OMB M & NIST SP800-63) – but 95/46/EC and 1999/93/EC are not of much use to us and the Nice treaty states that identity is a national matter … – there is rough but not 1:1 correspondence between balanced needs of the providers and users and the NIST LoA levels International Grid Trust Federation

Authentication Assurance – SP LoAID vettingTechnical controls 1- noneno plaintext transmission 2inperson:photo-ID and address remote: two independent factors (photo-ID & finances) which is checked at the source, and confirmed to address on record password, pin or better, but verified directly & only with the credential issuer 3inperson:photo-ID and address that is checked against its authoritative source remote: like LoA2, but stronger consistency two-factor from private key, one-time password, or secure hardware token 4inperson:two photo-ID documents and taking of a new biometric remote: - not allowed two-factor, with at least a qualified secure hardware token at FIPS-140 L International Grid Trust Federation Remote authentication over a network LoA2 ‘in person’ is usually strong enough, but auditing is commonly done based on a well-understood principles in the world of scholarly research: peer review and scrutiny

IGTF Assurance Levels Type and classification of e-Infrastructure services drives the level of assurance required Security and assurance level set to be commensurate – not overly high for ‘commodity’ resources – not too low, as providers otherwise start implementing additional controls on top of and over the common criteria – defined in collaboration with resource providers – using transparency and a peer review processes – leveraging our own community organisation mechanisms International Grid Trust Federation

Establishing the IGTF – EU AP TAG EU DataGrid established Coordination Group in 2000 Global need resulted in the 2003 Tokyo Accord With start of production e-Infrastructures – EUGridPMA established with DEISA, EGEE, SEE-GRID, and TERENA (TACAR) as relying parties and national identity providers in 2004, with e-IRG endorsement – APGrid and PRAGMA establish the APGridPMA – Canada, EELA-countries and USA IdPs establish TAGPMA Consistent guidelines and service provider involvement International Grid Trust Federation

Global Trust 86 accredited authorities from 53 countries and economic regions

Structure of Trust Common criteria and model – globally unique and persistent identifier provisioning – not fully normative, but based on minimum requirements Trust is technology agnostic – technology and assurance ‘profiles’ in the same trust fabric – ‘classic’traditional public key infrastructure – ‘MICS’dynamic ID provisioning leveraging federations – ‘SLCS’on-demand short-lived token generation a basis for ‘arbitrary token’ services – new profiles International Grid Trust Federation

IGTF Common Criteria International Grid Trust Federation

Assurance levels in the IGTF Technical and operational controls Authorities come in two basic flavours – off-line (only used in ‘traditional’ PKI): human controls and air-gap security provide protection against attacks – on-line infrastructure (federation-backed, SLCS and classic): valuable security material is network connected need compensatory controls: secure hardware, compliant to FIPS level 3 additional layered network security Technical requirements apply to any attribute source – such as community registries like ‘VOMS’ International Grid Trust Federation

Vetting Assurance Levels Identity controls and vetting long-term traceable assurance (classic, MICS) – based on in-person checking of (nationally defined) official identity documents – recorded identity persists beyond the moment of issuance – assertions can live for a long time (over a year) to facilitate long- term use – but compromise may happen, so is revocable momentary assurance (SLCS) – traceability to a physical person for at least one year – may use any vetting mechanism that assures that traceability – but assertions are limited in time to 24 hours (unless revocable, in which case: 11 days) International Grid Trust Federation

Building trust – an exercise in scaling Accreditation process – Extensively documented public practices (CP/CPS, RFC3647) – Interviewing and scrutiny by peer group (the PMA) – Assessment against the Authentication Profiles – Technical compliance checks (RFC5280 and GFD.125) Periodic, peer-reviewed, self-audits – Based on Authentication Profiles, standard reference: GFD.169 – OGF & IGTF, inspired by NIST SP800-53/ISO:IEC Federated assessment methodology by region (IGTF) International Grid Trust Federation

Federated Identity in Europe Today International Grid Trust Federation Map colour coding Green: classic accredited authority Blue: classic + federated authority Yellow: pending classic accreditation Also in Australia: ARCS SLCS, in USA: CILogon Federated ‘translating’ authorities: integrity requirements propagate to all data sources e.g. TERENA Certificate Service qualifying Federations IdPs meet all IGTF requirements and TCS provides instant access to globally trusted identities

Beyond identity Many attributes come in to an authorization decision – identity, community, group membership, roles, position,... – the ‘other attributes’ are important for contextual control and thus of importance beyond only resource providers Operational requirements translate easily to any kind of attribute source Operational and assurance requirements apply where assertions are bridged such as in the STS International Grid Trust Federation

Carrying assertions across domains Service access crosses technology and domain boundaries and may need translating in a Security Token Service (STS) – trust relationship – operational requirements International Grid Trust Federation GEMBus image by Diego Lopez, RedIRIS and GEANT, 22 nd EUGridPMA meeting EMI STS image by Christoph Witzig, SWITCH and EMI, 22 nd EUGridPMA meeting Requirements on assurance level operational security auditing, data protection and transparency of process all remain STS examples: GEMBus, EMI-STS,...

Common Criteria and Diversity Up till now... – providers of compute and storage services in e-Infra able to agree single ‘least common denominator’ – many content-only (web site) providers could live with lower assurance and asked no real LoA requirements...but this may be changing more diverse content and services being offered – via many mechanisms, both web and non-web – may need diversifying not only technology, but also LoA International Grid Trust Federation

So why IGTF? Trust is technology independent Agreeing on common minimum requirements on global scale – facilitates interoperation across infrastructures – significantly reduces potential for failures and obstacles for interop Participative model, including major relying parties and national representatives, ensures commensurate security level – the single assurance level is convenient, but the world will likely diversify – the IGTF assurance levels will follow and adapt as a result – as well as expand to address changing technologies Defining assurance requirements need strong involvement by relying parties, resource providers and users

International Grid Trust Federation – EUGridPMA European Policy Management Authority for grid authentication in e-Science – International Grid Trust Federation

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.