Updates from the EUGridPMA David Groep, Nov 7 nd, 2008.

Slides:



Advertisements
Similar presentations
Updates from the EUGridPMA David Groep, March 8 th, 2010.
Advertisements

Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.
INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
IST 535 Week 1 Class Orientation / Review of Web Basics.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Policy Issues for Identity Management (and other attributes) EGI Technical.
What’s a Web Cache? Why do people use them? Web cache location Web cache purpose There are two main reasons that Web cache are used:  to reduce latency.
CVE , lessons learned and actions David Groep, Nov 7 nd, 2008.
Updates from the EUGridPMA David Groep, Apr 20 th, 2009.
Updates from the EUGridPMA David Groep, Oct 11 th, 2011.
Web Server Design Week 5 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 2/10/10.
Krerk Piromsopa. Web Caching Krerk Piromsopa. Department of Computer Engineering. Chulalongkorn University.
FTP (File Transfer Protocol) & Telnet
Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.
CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.
Browser Web Server Users DB 2a. Redirect to login page plugin 1. access a protected page Login Web Server (https) aislogin.cern.ch edh.cern.ch 3a. Set.
The CA Distribution Process David Groep, July 2007.
EUGridPMA CAOPS-WG and IGTF Issues June 2012 Delft, NL David Groep, Nikhef, EUGridPMA, EGI and BiG Grid.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Nov 7 nd, 2008.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.
Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland.
TERENA TF-EMC2 Workshop David Groep,
UNLP CA (Argentina) Universidad Nacional de La Plata Was created as a national university in 1905 Is the 3rd largest.
Updates from the EUGridPMA David Groep, July 16 st, 2007.
EUGridPMA Status, current trends and some technical topics March 2013 Boulder, CO, USA David Groep, Nikhef & EUGridPMA.
Web Server Design Week 4 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 2/03/10.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
European Grid Policy Management Authority. Event - 2/total Speaker Name – Coverage of the EUGridPMA Green: Countries with an accredited.
National Institute of Advanced Industrial Science and Technology Some topics from the OGF20 and the EUGrid PMA F2F Meeting Yoshio Tanaka Grid Technology.
EUGridPMA Status, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
CITA 310 Section 2 HTTP (Selected Topics from Textbook Chapter 6)
Discussions on the Life Ray Portal and credential management David Groep, Oct 11 th, 2011.
Web Server Design Week 13 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 4/7/10.
Updates from the EUGridPMA David Groep, May 9 st, 2007.
Secure hardware tokens David Groep DutchGrid CA. DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist)
2-Sep-02D.P.Kelsey, WP6 CA, Budapest1 WP6 CA report Budapest 2 Sep 2002 David Kelsey CLRC/RAL, UK
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Updates from the European Side of the Pond David Groep, November 2006.
NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK
JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF EUGridPMA status update SHA-2, OCSP, and more David.
7-May-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Issues and Planning or Report from the Security Group CERN, 8 May 2003 David Kelsey CCLRC/RAL, UK.
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America The Latin American Catch-all Grid Certification.
Web Server Design Week 5 Old Dominion University Department of Computer Science CS 495/595 Spring 2012 Michael L. Nelson 02/07/12.
APGridPMA Update Eric Yen APGridPMA August, 2014.
TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM
FP6−2004−Infrastructures−6-SSA [ Empowering e Science across the Mediterranean ] Rome, Tutorial for Certification Authority Managers,
Summary of Poznan EUGridPMA32 September EUGridPMA Poznan 2014 meeting – 2 David Groep – Welcome back at PSNC.
18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.
Welcome to Amsterdam EUGridPMA35 September EUGridPMA Amsterdam 2015 meeting – 2 David Groep – Welcome back in Amsterdam.
Jens' obligatory soap box Can't be a PMA without a SoapBox A random collection of Soapy things Nicosia, Jan 2009.
News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.
Web Server Design Week 6 Old Dominion University Department of Computer Science CS 495/595 Spring 2006 Michael L. Nelson 2/13/06.
Updates from the EUGridPMA David Groep, Oct 17 st, 2007.
Web Cacheability of CRLs David Groep, Jan 26 th, 2009.
Security Policy Update WLCG GDB CERN, 11 June 2008 David Kelsey STFC/RAL
Classic X.509 AP updates (v4.1)
EUGridPMA CAOPS-WG and IGTF Issues March 2013 Charlottesville, VA, USA David Groep, Nikhef, EUGridPMA, and EGI.
EUGridPMA Status and Current Trends and some IGTF topics March 2016 Taipei, TW David Groep, Nikhef & EUGridPMA.
EUGridPMA Status and Current Trends and some IGTF topics March 2018 APGridPMA ISGC Meeting David Groep, Nikhef & EUGridPMA.
Presentation transcript:

Updates from the EUGridPMA David Groep, Nov 7 nd, 2008

TAGPMA ‘La Plata’ meeting – Nov David Groep – Updates Today  Towards EMEA coverage  Autonomous growth  Updates  AuthZ Operations WG  Repository issues

TAGPMA ‘La Plata’ meeting – Nov David Groep – Geographical coverage of the EUGridPMA  23 of 25 EU member states (all except LU, MT)  +AM, CH, HR, IL, IR, IS, MA, ME, MK, NO, PK, RO, RS, RU, TR, UA, SEE-GRID + CA, CERN (int), DoEGrids(US)* Pending or in progress  SY, MD, LV, ZA, SN

TAGPMA ‘La Plata’ meeting – Nov David Groep – More growth expected  Pending EUMedGrid countries: DZ, TN, LY, EG  New initative across the ‘silk road’ countries  Established by Ara Grigoryan and ArmeSFo  In collaboration with NATO programme

TAGPMA ‘La Plata’ meeting – Nov David Groep – ‘AuthZ op. policy WG’  Extending best practices to AA operations policy  operational AuthZ policies today are far less clear  but the minimum requirements on running an AA server may be quite similar to running a CA  ‘There is no other large group of experts out there waiting to take this on’, and we don’t need a parallel I*TF  But: scaling the model is quit different  Prototype version of a guideline at the Wiki ‘This is a draft document of the International Grid Trust Federation describing the minimum requirements for the operation of an Attribute Authority (AA) service. The AA service is run by or on behalf of a Grid Virtual Organisation (VO) and maintains attributes for registered VO users and/or VO services. Attribute assertions are securely delivered on request to members of the VO. They are presented by the user and/or service, together with an X.509 credential for authentication, for the purposes of Authorisation of access to a Grid resource.’

TAGPMA ‘La Plata’ meeting – Nov David Groep – Developments and discussion  Repository of “good” and “bad” CP/CPS examples  boilerplate text repository  On software used  Activity ‘owner’: Jens Jensen  Robot certificate  popularity of robot certs growing rapidly – action needed  pre-requisite for portal policies in EGEE and many NGIs  issued on a hardware token – cheap, safe and easy  Credential repository guidelines  Risks, solutions, and the dissemination thereof is lacking  Quick-scan of some MyProxy stores reveales ‘interesting’ things  Guidelines may help – especially for ‘trusted’ credential stores operated by the NGIs (or other persistent infrastructures)

TAGPMA ‘La Plata’ meeting – Nov David Groep – More items for discussion  End-of-life for 1024 bit RSA keys?  Might possibly impact performance (although many CAs are already 2048/4096 bits)  After a long discussion, figured that this is not our major issue for the moment  Emergency escalation contact procedure  Request all CAs to deposit an emergency contact process with the IGTF RAT and their Chair  Please implement robot certs as soon as possible  See the presentation later on how to do it  Hardware tokens, e.g. Aladdin eToken, readily available  Boiler-plate CP/CPS text available

TAGPMA ‘La Plata’ meeting – Nov David Groep – More items  Add more OIDs to your end-entity certs  At least the OID corresponding to the profile  More OIDs from 1SCPs that match  And more 1SCPs OIDs are being assigned  Already there: ‘private key is held on a token’ ‘I was F2F identity-vetted’ ‘I was vetter through a TTP’  New: ‘I am a Robot/automated client’, ‘I an a server/host cert’

TAGPMA ‘La Plata’ meeting – Nov David Groep – Web Cachability, why? Downloads clustered in first seconds of the minute Statistics: downloads per day per CA distinct IP addresses average 4 downloads per day per host Data: DutchGrid CA

TAGPMA ‘La Plata’ meeting – Nov David Groep – Network traffic Site cache misconfigurations or new sites

TAGPMA ‘La Plata’ meeting – Nov David Groep – There Are Caches  Majority of IPs download individually every 6hours  But there are at least 300 sites that cache!

TAGPMA ‘La Plata’ meeting – Nov David Groep – Web Cacheability  Good $ HEAD -S OK Cache-Control: max-age=3600 Connection: close Date: Wed, 05 Nov :31:48 GMT Accept-Ranges: bytes Server: Apache Content-Length: 4728 Content-Type: text/plain Expires: Wed, 05 Nov :31:48 GMT Last-Modified: Tue, 04 Nov :07:05 GMT Client-Date: Wed, 05 Nov :31:48 GMT Client-Response-Num: 1

TAGPMA ‘La Plata’ meeting – Nov David Groep – Web Cacheability  Reasonable, but relies on remote site cache setup $ HEAD OK Connection: close Date: Wed, 05 Nov :15:02 GMT Accept-Ranges: bytes ETag: " b3a-1c7652c0" Server: Apache/ (Red Hat) Content-Length: Content-Type: text/plain; charset=UTF-8 Last-Modified: Wed, 09 Jan :31:31 GMT Client-Date: Wed, 05 Nov :15:02 GMT Client-Peer: :80 Client-Response-Num: 1

TAGPMA ‘La Plata’ meeting – Nov David Groep – Web Cacheability  Update your CRL URL, but answer is reasonable  Update your CRL URL, answer wastes the cache $ HEAD HTTP/ Moved Permanently Date: Mon, 03 Nov :59:13 GMT Server: Apache Location: Content-Length: 247 Content-Type: text/html; charset=iso $ HEAD HTTP/ Found Date: Mon, 03 Nov :04:08 GMT Server: Apache/2.2.6 (Fedora) Location: Content-Length: 287 Connection: close Content-Type: text/html; charset=iso

TAGPMA ‘La Plata’ meeting – Nov David Groep – Web Cacheability  Uncacheable (no Last-Modified nor Expires header) $ HEAD ' 200 OK Connection: close Date: Wed, 05 Nov :17:05 GMT Server: Apache/2.2.8 (Fedora) DAV/2 mod_ssl/2.2.8 OpenSSL/0.9.8b Content-Length: 593 Content-Type: octet/stream Client-Date: Wed, 05 Nov :35:44 GMT Client-Peer: :80 Client-Response-Num: 1 Content-Disposition: attachement; filename="CNRS-Projets.crl"

TAGPMA ‘La Plata’ meeting – Nov David Groep – Web Cacheability  Just plain weird $ HEAD OK Cache-Control: max-age= Connection: close Date: Mon, 03 Nov :05:40 GMT Accept-Ranges: bytes Server: Apache Content-Length: 4505 Content-Type: text/plain Expires: Thu, 06 Nov :05:40 GMT Last-Modified: Tue, 28 Oct :42:44 GMT Client-Date: Mon, 03 Nov :05:40 GMT Client-Peer: :80 Client-Response-Num: 1

TAGPMA ‘La Plata’ meeting – Nov David Groep – Web Caching configuration (apache)  Apache 2.x configuration - within your (virtual) host section ExpiresActive On ExpiresDefault "access plus 1 hours" Options -Includes ExpiresActive On ExpiresDefault "access plus 1 days" Options -Includes

TAGPMA ‘La Plata’ meeting – Nov David Groep – IGTF Release Process and Web  Release Process  Releases moved to (preferably) Monday or Tuesday  More documentation of the process still needed  More checks are now built into the process (Debian!) End use:  Monitoring and alarms  Nagios: (guest/guest)  PMA Distribution Warnings by 4 times/day  It helps, but reaction to the warnings is down again …

TAGPMA ‘La Plata’ meeting – Nov David Groep – Changes to the Classic AP  See special presentation …

Some dates for you to remember and schedule  Jan 2009: 15 th, CyGrid, Nicosia, CY  May 2009: 16 th, SWITCH, Zurich, CH  Sept 2009: 17 th, DFN, Berlin, DE