Credential Validation Middleware Requests (EGI.eu, European Grid Infrastructure, EGI-InSPIRE RI-261323)

Presentation transcript:

Credential Validation Middleware Requests: compiling the wish list for authN functionality for EGI
David Groep, Nikhef and BiG Grid, the Dutch NGI, for EGI.eu global task O-E-15
This work is supported by EGI-InSPIRE (RI-261323) under NA2

Why, and Why Now?
Trust anchor releases repeatedly run into ‘trouble’ in deployment
– inconsistencies in the distribution itself (1.39/1.41)
– increasing number of trust anchors
– supposedly-standard features not supported in M/W
Middleware behaviour ‘suddenly’ changes
– use of namespaces: the RPDNC format in VOMS/Admin, implemented in 2009, appeared in production in
– changes are useful, but not always sufficiently well advertised
EGI Authentication Validation Wish List

More reasons why
Operational issues
– CRL downloading and checking is not reliable
– lots of superfluous downloads
– in a recent EGI ops VO incident, revocation did not take effect at some sites even after 18 hours
Future hazards
– try to prevent the spread of NSS library use in m/w, since this is dangerous for scalability and stability
– re-confirm adherence to CBPs and standards

Effect of revocation... [graphic not reproduced in the transcript; graphic: Sven Gabriel, Nikhef, for EGI.eu under contract O-E-16]

My Wish List: functionality
Support throughout all middleware for SHA-2
– starting January 2012, SHA-2 based certs may start to appear 'in the wild' without further warning…
Support for OCSP, allowing for *both* use of
– the AIA in the EE certificate itself, and
– site-configured trusted responders
Support any number of CAs
Failures should be graceful
– incorrect or expired data for a single trust anchor MUST NOT affect the other trust anchors in the set

Wish List: compliance
Honour the meaning and scope of extensions
– an attribute that says Protection is there to protect, not for signing documents, etc.
Accept RFC3820 proxies everywhere
– and do the proper thing for proxyPathLen constraints
– beware of NSS again!
Allow CRL files to be updated on a file system
– be prepared to re-read such files and implement the new CRL contents at any time
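The two points above about graceful failure (bad data for one trust anchor must not affect the others) and about re-reading CRL files that are replaced on the file system are easy to state and easy to get wrong. The following Go program is an added example written for this page; it is not code from the slides, from EMI, IGE or any EGI middleware. It keeps one CRL cache per CA, so a corrupt or stale CRL is an error for that CA alone and is never reported as "not revoked", and it re-parses the CRL whenever the bytes on disk change, without a restart or a timer. The CA, the CRL, the file name `crl-example.r0` and serial number 4242 are all constructed fixtures; the CRL is written as DER, and the stale check uses the CRL's own nextUpdate. It needs Go 1.19 or later for `x509.ParseRevocationList`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"os"
	"time"
)

// newCA builds a self-signed CA in memory (a constructed fixture, not an IGTF anchor).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // a bug in the fixture, not a validation outcome
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// writeCRL signs a DER CRL for ca that revokes the given serials and writes it
// to path, the way a CRL fetcher replaces the file next to the trust anchor.
func writeCRL(path string, ca *x509.Certificate, key *ecdsa.PrivateKey, number int64, revoked ...*big.Int) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	if err != nil {
		panic(err)
	}
	os.WriteFile(path, der, 0o644)
}

// crlCache holds one CA's CRL and re-parses whenever the file's bytes change, so a
// replaced CRL is honoured on the next check. One cache per CA: a bad CRL for one CA is an error for that CA alone.
type crlCache struct {
	path   string
	issuer *x509.Certificate
	raw    []byte
	crl    *x509.RevocationList
}

// isRevoked reports whether serial is on the current CRL. A missing, corrupt,
// wrongly signed or stale CRL is an error, so the caller fails closed.
func (c *crlCache) isRevoked(serial *big.Int) (bool, error) {
	raw, err := os.ReadFile(c.path)
	if err != nil {
		return false, err
	}
	if c.crl == nil || string(raw) != string(c.raw) { // changed on disk: re-read it
		crl, err := x509.ParseRevocationList(raw)
		if err != nil {
			return false, fmt.Errorf("%s: %w", c.path, err)
		}
		if err := crl.CheckSignatureFrom(c.issuer); err != nil {
			return false, fmt.Errorf("%s: %w", c.path, err)
		}
		c.crl, c.raw = crl, raw
	}
	if time.Now().After(c.crl.NextUpdate) {
		return false, fmt.Errorf("%s: CRL past nextUpdate", c.path)
	}
	for _, r := range c.crl.RevokedCertificates {
		if r.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// scenario exercises one CA's CRL file: clean, then corrupted, then refreshed
// with serial 4242 revoked, and returns the verdicts and errors a test checks.
func scenario() (before, after bool, errCorrupt, err error) {
	path := os.TempDir() + "/crl-example.r0"
	defer os.Remove(path)
	ca, key := newCA("Example CA")
	cache := &crlCache{path: path, issuer: ca}
	serial := big.NewInt(4242)
	writeCRL(path, ca, key, 1) // first CRL: nothing revoked
	if before, err = cache.isRevoked(serial); err != nil {
		return
	}
	os.WriteFile(path, []byte("not a CRL\n"), 0o644) // a bad download lands on disk
	_, errCorrupt = cache.isRevoked(serial)            // must be an error, not "not revoked"
	writeCRL(path, ca, key, 2, serial)                 // the fetcher replaces it, revoking 4242
	after, err = cache.isRevoked(serial)               // honoured without a restart
	return
}
func main() { fmt.Println(scenario()) }
```

The byte comparison is deliberate: an mtime check misses a same-size rewrite within the timestamp granularity, and a periodic reload timer is exactly the "18 hours until revocation takes effect" failure from the earlier slide. Comparing the bytes costs one small file read per check and guarantees that whatever the fetcher last wrote is what gets enforced.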

Wish List: don’t break it!
Support drop-in (directory based) trust anchor distributions, and continue to do so
– no monolithic databases please, no NSS on disk
Announce semantic changes to EGI/NGIs and the IGTF
– e.g. moving to namespaces needs preparation by the RPs
– document, and tell which component does what
Contribute to the drafting of a new standard for an RPDNC language
– based on the GFD.189 analysis
– participate in CAOPS

Where does the wish list go?
Via the EGI TCB to the middleware providers with which EGI has an MoU
– EMI – harmonize the stack, and define functional unity in any Common Authentication Library
– IGE – is consistent, but needs OCSP support; and beware of NSS in moving to Fedora
Track progress using EGI mechanisms

EGI RT progress
Trackers created for relevant technical issues
– 3074 Unit test for CRL refresh
– 3075 Common Authentication Library (EMI) to configure the accepted proxy
– 3076 Support for OCSP (EMI + IGE)
– 3077 Argus to support OID extensions, but now Argus wants an explicit list of OIDs to convert each one into an XACML policy
– 3078 SHA-2 family support
– 3079 Default key size for proxies >= 1024
– 3080 RPDNC constraints support
– 3081 Drop-in trust anchor distribution support

SHA-2 support
All modern middleware supports it, but not all modern M/W still handles legacy GT2 proxies; in the case of jGlobus, the two are mutually exclusive.
Some M/W is still stuck without support for RFC proxies, like some WLCG-specific software (LHCb’s “DIRAC”).
We might need more migration time... but not too long!

jGlobus2 and emailAddress
But also: the emailAddress/Email/E attribute is text-encoded differently in the various middlewares (no standard exists), and jGlobus2 does not support all variants.
We need to get rid of emailAddress.
CAs still using emailAddress:
– IHEP
– APAC
– IUCC
-> please consider rolling over to a new CA DN
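The slide's point is that the same issuer name can be rendered as `Email=`, `E=`, `EMAILADDRESS=` or the bare OID depending on which toolkit printed it, so any component that matches DNs as strings (namespace files, authorization maps, signing-policy entries) will silently disagree with its neighbours. The Go program below is an added example for this page, not code from the slides or from jGlobus; it parses the two common text forms into attribute/value pairs, folds the spelling variants onto one canonical type so two renderings can be compared safely, and flags names that still carry emailAddress, which is what an inventory of the CAs named above needs. The alias table and the three sample renderings are constructed assumptions: no standard assigns a text name to emailAddress, whose only normative identifier is the OID 1.2.840.113549.1.9.1.

```go
package main

import (
	"fmt"
	"strings"
)

// rdn is one attribute of a distinguished name after parsing.
type rdn struct{ Type, Value string }

// dnAliases maps the attribute-type spellings seen in different toolkits' text
// renderings onto one canonical name. The spellings are assumptions for this
// example: no standard assigns a text name to emailAddress, whose only
// normative identifier is the dotted OID.
var dnAliases = map[string]string{
	"EMAILADDRESS": "emailAddress", "EMAIL": "emailAddress", "E": "emailAddress",
	"1.2.840.113549.1.9.1": "emailAddress",
	"CN": "CN", "O": "O", "OU": "OU", "C": "C", "L": "L", "ST": "ST", "S": "ST", "DC": "DC",
}

// parseDN reads the OpenSSL slash form (root first) or the RFC 2253 comma form
// (leaf first) and returns the RDNs root-first with canonical attribute types.
// It splits on the bare separator and ignores escaping and multi-valued RDNs;
// production code should compare the certificate's ASN.1 RDN sequence instead
// of any rendered string.
func parseDN(s string) ([]rdn, error) {
	sep, slash := ",", strings.HasPrefix(s, "/")
	if slash {
		sep, s = "/", s[1:]
	}
	var out []rdn
	for _, part := range strings.Split(s, sep) {
		typ, val, ok := strings.Cut(strings.TrimSpace(part), "=")
		if !ok {
			return nil, fmt.Errorf("malformed RDN %q", part)
		}
		canon, known := dnAliases[strings.ToUpper(strings.TrimSpace(typ))]
		if !known {
			return nil, fmt.Errorf("unknown attribute type %q", typ)
		}
		out = append(out, rdn{canon, strings.TrimSpace(val)})
	}
	if !slash { // the comma form lists the leaf first; flip to root-first
		for i, j := 0, len(out)-1; i < j; i, j = i+1, j-1 {
			out[i], out[j] = out[j], out[i]
		}
	}
	return out, nil
}

// canonicalDN renders parsed RDNs in one fixed text form, root first.
func canonicalDN(rdns []rdn) string {
	var b strings.Builder
	for _, r := range rdns {
		fmt.Fprintf(&b, "/%s=%s", r.Type, r.Value)
	}
	return b.String()
}

// sameDN reports whether two text renderings name the same DN.
func sameDN(a, b string) (bool, error) {
	ra, err := parseDN(a)
	if err != nil {
		return false, err
	}
	rb, err := parseDN(b)
	if err != nil {
		return false, err
	}
	return canonicalDN(ra) == canonicalDN(rb), nil
}

// usesEmailAddress flags a DN that still carries emailAddress, the attribute
// the slides ask CAs to roll out of their names; useful for an inventory pass
// over a trust anchor directory.
func usesEmailAddress(s string) (bool, error) {
	rdns, err := parseDN(s)
	if err != nil {
		return false, err
	}
	for _, r := range rdns {
		if r.Type == "emailAddress" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed renderings of one CA name as three toolkits might print it.
	openssl := "/C=NL/O=Example Org/Email=ca@example.org/CN=Example CA"
	java := "CN=Example CA, EMAILADDRESS=ca@example.org, O=Example Org, C=NL"
	short := "/C=NL/O=Example Org/E=ca@example.org/CN=Example CA"
	fmt.Println("byte-equal:", openssl == java, openssl == short) // false false
	fmt.Println(sameDN(openssl, java))                           // true <nil>
	fmt.Println(sameDN(openssl, short))                          // true <nil>
	fmt.Println(usesEmailAddress(openssl))                       // true <nil>
}
```

Unknown attribute types are rejected rather than passed through, because a silently unmapped spelling is exactly how two components end up comparing different strings for the same name; and the canonical form is only a comparison key, never something to write back into a policy file.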

Discussion items for us now
Delay use of SHA-2 (until January 2013)? or until SHA-1 is broken!
Roll over CAs with emailAddress in the issuer name