Status review and pending issues. March 13, 2012, Oxford, UK. David Groep, Nikhef, EUGridPMA, EGI and BiG Grid. Participation supported by IGE, the Initiative for Globus in Europe, which is co-funded by the European Commission under contract RI

Presentation transcript:


Slide 2 (APGridPMA Taipei 2012 meeting template, David Groep): Geographical coverage of the EUGridPMA
 25 of 27 EU member states (all except LU, MT)
 + AM, CH, DZ, HR, IL, IR, IS, JO, MA, MD, ME, MK, NO, PK, RO, RS, RU, SY, TR, UA, CERN (int), DoEGrids (US)*, + TCS (EU)
 Pending or in progress: ZA, SN, TN, EG, AE

Slide 3: Current Topics in the EUGridPMA
 New TACAR policy (simpler!) approved
 Scaling issues for host certificates and automation
 PKP Guidelines clarification ongoing
 More ‘EGI-friendly’ pre-release schedule
 Updates to the Classic AP (v4.4)
 Coordinated action by EGI.eu towards middleware providers for our AuthN needs, and the SHA-2 and RFC-proxy issue
 Authorization Operations Guideline proposal

Slide 4: Updates to Classic AP 4.4
“The certification authorities accredited under this AP are long-term issuing entities serving a constituency of significant size. The goal is to serve the largest possible community with a small number of stable CAs. To achieve sustainability, it is expected that each CA will be operated as a long-term commitment by institutions or organisations.”
NEW DRAFT section 2:
 For EECs, increase the key size to 2048 bits
 Maximum lifetime of 400 days
 Preferably 4096-bit keys for new CAs
 Aim: make the Classic AP a technical requirements document like the others (SLCS, MICS)

Slide 5: THE IGTF WISH LIST AND EGI

Slide 6 (EGI.eu, European Grid Infrastructure, EGI-InSPIRE RI): Credential Validation Middleware Requests: compiling the wish list for authN functionality for EGI. David Groep, Nikhef and BiG Grid, the Dutch NGI, for EGI.eu global task O-E-15. This work is supported by EGI-InSPIRE (RI ) under NA2.

Slide 7: Why, and Why Now? (EGI Authentication Validation Wish List)
 Trust anchor releases repeatedly run into ‘trouble’ in deployment
  – inconsistencies in the distribution itself (1.39/1.41)
  – increasing number of trust anchors
  – supposedly-standard features not supported in M/W
 Middleware behaviour ‘suddenly’ changes
  – use of namespaces: the RPDNC format, implemented in VOMS/Admin in 2009, appeared in production only later
  – changes are useful, but not always sufficiently well advertised

Slide 8: More reasons why
 Operational issues
  – CRL downloading and checking is not reliable
  – lots of superfluous downloads
  – in a recent EGI ops VO incident, revocation did not take effect at some sites even after 18 hours
 Future hazards
  – try to prevent the spread of NSS library use in m/w, since this is dangerous for scalability and stability
  – re-confirm adherence to CBPs and standards

Slide 9: Effect of revocation... (figure; graphic: Sven Gabriel, Nikhef, for EGI.eu under contract O-E-16)

Slide 10: My Wish List: functionality
 Support for OCSP, allowing for *both*
  – use of the AIA extension in the EE certificates themselves, and
  – site-configured trusted responders
 Support throughout all middleware for SHA-2
  – starting January 2012, SHA-2 based certs may start to appear 'in the wild' without further warning…
 Support any number of CAs
 Accept RFC 3820 proxies everywhere
 … and a bit more … and stay away from Mozilla NSS

Slide 11: Where does the wish list go?
 Via the EGI TCB to the middleware providers with which EGI has an MoU
  – EMI: harmonize the stack, and define functional unity in any Common Authentication Library
  – IGE: is consistent, but needs OCSP support; and beware of NSS in moving to Fedora
 Track progress using EGI mechanisms

Slide 12: EGI RT progress
Trackers created for relevant technical issues:
  – 3074 Unit test for CRL refresh
  – 3075 Common Authentication Library (EMI) to configure the accepted proxy
  – 3076 Support for OCSP (EMI + IGE)
  – 3077 Argus to support OID extensions; but now Argus wants an explicit list of OIDs, to convert each one into an XACML policy
  – 3078 SHA-2 family support*
  – 3079 Default key size for proxies >= 1024
  – 3080 RPDNC constraints support
  – 3081 Drop-in trust anchor distribution support

Slide 13: On #3078 “SHA-2 support”
 All modern middleware libraries support it
 But not all modern M/W still handles legacy GT2 proxies
 In the case of jGlobus2, it’s even mutually exclusive
 And some M/W is still stuck without RFC proxies
 Conclusion: moving to SHA-2 now would cause trouble

Slide 14 (Maarten Litmaath, CERN): Current state of affairs and ideas
 There are various pieces of middleware and experiment-ware that need to be made ready for SHA-2 or RFC proxy support
  – SHA-2: dCache, BeStMan (RFC proxies already supported by these)
  – RFC: Argus, CREAM, WMS, DIRAC, … (SHA-2 should work, not tested…)
 For EMI products the current time line is the EMI-2 release in April/May
  – OSG?
 It may be many weeks before the affected products can be endorsed by UMD for generic deployment on EGI sites (run into the summer holidays)
  – EMI-2 is a major release with many changes
 During the whole time the LHC run will be ongoing and nobody will be keen on significant upgrades (rather target December)
 Nobody wants to upgrade right before the Xmas period, so we end up in early 2013, right after the winter conferences…
 We would have a year to get the 3 CAs fixed
  – Affected users could also use their CERN CA certificates instead
  – Affected services would not have an obvious alternative

Slide 15: Time line proposal by IGTF
... finally, with EGI, things started moving, and SHA-1 is on the brink of falling, so we should keep the pressure on...
 The extended RAT does a risk assessment of staying with SHA-1 for the next year, in light of current cryptanalytic developments and the deployment issues identified
 If SHA-1 is broken, the RAT makes an immediate assessment based on the integrity of the subscriber certs, and will act regardless of RP deployment consequences
 We will NOT, repeat NOT, recommend CAs to move to SHA-2 for production use until the risk assessment completes, noting that this provision ends in January 2013

Slide 16: Time line proposal for SHA-2
But also …
 Individual CAs MAY start issuing SHA-2 based certs on their own accord anyway (e.g. for testing, or to satisfy other needs)
 The date by which SHA-2 production certs may be issued will be NO LATER than January 2013 (and it is likely we will RECOMMEND CAs to move then, since it will take another 395 days to get rid of SHA-1 in a reasonable way)
 Additional digest algorithms, in particular the successor to SHA-2 which is chosen this year, may ALSO be used in production certs in January 2013, but will NOT be introduced before SHA-2 is recommended for general use
... and conclude this time line at the IGTF All Hands meeting
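The numbers in these slides (2048-bit minimum and 400-day maximum for EECs in the Classic AP 4.4 draft, the move away from SHA-1, and the CRL checks that failed to take effect for 18 hours in the EGI incident) can be turned into a relying-party self-check. The following Python is an added example, not code from the slides or from any IGTF or EGI software; it uses the third-party `cryptography` package, generates a constructed CA, two end-entity certificates and a CRL in memory, and then evaluates each certificate against the profile and uses the CRL only after its signature and nextUpdate have been verified. All names, serials and dates are constructed for the example.

```python
"""Added example, not from the slides or any IGTF/EGI software.
Checks an EEC against the Classic AP 4.4 draft numbers (RSA >= 2048 bits,
lifetime <= 400 days, SHA-2 signature, no emailAddress in the subject) and
checks a CRL before it is used for a revocation decision.  CA, certs, CRL
and names are all constructed in memory."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MIN_EEC_KEY_BITS = 2048        # Classic AP 4.4 draft: EEC keys at least 2048 bits
MAX_EEC_LIFETIME_DAYS = 400    # Classic AP 4.4 draft: maximum EEC lifetime
ALLOWED_DIGESTS = {"sha256", "sha384", "sha512"}   # SHA-2 family only; SHA-1 is out


def evaluate(key_bits, lifetime_days, digest_name, has_email_in_subject):
    """Return the list of profile violations for the given certificate facts."""
    findings = []
    if key_bits < MIN_EEC_KEY_BITS:
        findings.append(f"key too short: {key_bits} < {MIN_EEC_KEY_BITS} bits")
    if lifetime_days > MAX_EEC_LIFETIME_DAYS:
        findings.append(f"lifetime too long: {lifetime_days} > {MAX_EEC_LIFETIME_DAYS} days")
    if digest_name not in ALLOWED_DIGESTS:
        findings.append(f"digest {digest_name} not in SHA-2 family")
    if has_email_in_subject:
        findings.append("subject DN still carries an emailAddress attribute")
    return findings


def _utc(obj, attr):  # cryptography >= 42 has <attr>_utc; older releases only naive UTC
    value = getattr(obj, attr + "_utc", None)
    return value if value is not None else getattr(obj, attr).replace(tzinfo=datetime.timezone.utc)


def check_certificate(cert):
    """Extract the facts the profile cares about and evaluate them."""
    lifetime = _utc(cert, "not_valid_after") - _utc(cert, "not_valid_before")
    has_email = bool(cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS))
    return evaluate(cert.public_key().key_size, lifetime.days,
                    cert.signature_hash_algorithm.name, has_email)


def check_crl(crl, ca_public_key, serial, now):
    """Return (crl_usable, revoked); a CRL with a bad signature or past nextUpdate
    must not be used to accept a certificate (fail closed)."""
    if not crl.is_signature_valid(ca_public_key):
        return False, False
    if _utc(crl, "next_update") < now:
        return False, False
    return True, crl.get_revoked_certificate_by_serial_number(serial) is not None


def _name(cn, email=None):
    attrs = [x509.NameAttribute(NameOID.COUNTRY_NAME, "NL"),
             x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Constructed Grid Org"),
             x509.NameAttribute(NameOID.COMMON_NAME, cn)]
    if email:   # the legacy attribute the deck wants removed from DNs
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, email))
    return x509.Name(attrs)


def issue(ca_key, ca_name, subject, key_bits, days, now):
    """Issue a SHA-256-signed EEC with the given key size and lifetime."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(ca_name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_name, revoked_serials, now, valid_days=1):
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_name).last_update(now)
               .next_update(now + datetime.timedelta(days=valid_days)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())


def demo():
    now = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = _name("Constructed Grid CA")
    good = issue(ca_key, ca_name, _name("compliant user"), 2048, 395, now)
    bad = issue(ca_key, ca_name, _name("legacy user", "user@example.org"), 1024, 500, now)
    crl = build_crl(ca_key, ca_name, [bad.serial_number], now)
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return {
        "good": check_certificate(good),
        "bad": check_certificate(bad),
        "good_revoked": check_crl(crl, ca_key.public_key(), good.serial_number, now),
        "bad_revoked": check_crl(crl, ca_key.public_key(), bad.serial_number, now),
        "stale_crl": check_crl(crl, ca_key.public_key(), bad.serial_number,
                               now + datetime.timedelta(days=2)),
        "forged_crl": check_crl(crl, other_key.public_key(), bad.serial_number, now),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The `stale_crl` and `forged_crl` cases are the point for operations: a relying party that keeps using an expired CRL, or accepts one it has not verified, is exactly how a revocation fails to take effect for hours at some sites, so the check fails closed in both cases.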

Slide 17: On emailAddress
At the same time...
 The emailAddress / Email / E attribute is text-encoded differently in various middlewares (no standard exists), and jGlobus2 does not support all variants
 We really do need to get rid of emailAddress
 CAs still using emailAddress in their OWN name: IHEP, APAC, IUCC
 Update to GFD.125
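The emailAddress encoding problem above and the RPDNC namespace constraints mentioned on slides 7 and 12 (tracker 3080) can be illustrated together. The following Python is an added example, not code from the slides or from the IGTF distribution: it normalises the three spellings of the attribute (emailAddress, Email, E) in both the OpenSSL one-line and RFC 2253 DN forms, then checks a subject DN against issuer namespace rules whose syntax is modelled on the IGTF .namespaces format (TO Issuer ... PERMIT Subject ...). The rules and DNs are constructed, and first-match, whole-DN, case-insensitive pattern evaluation is this example's assumption rather than a statement of the IGTF specification.

```python
"""Added example, not from the slides or the IGTF distribution.
Normalises the emailAddress / Email / E spellings of the e-mail DN attribute
and checks a subject DN against issuer namespace rules in a syntax modelled
on the IGTF .namespaces format.  Rules and DNs below are constructed."""
import re

EMAIL_ALIASES = {"emailaddress", "email", "e", "1.2.840.113549.1.9.1"}
# Attribute short names as used by OpenSSL one-line DNs, upper-cased for comparison
CANONICAL = {"c": "C", "o": "O", "ou": "OU", "cn": "CN", "dc": "DC",
             "l": "L", "st": "ST", "street": "STREET", "uid": "UID"}
RULE_RE = re.compile(
    r'^TO\s+Issuer\s+"([^"]+)"\s+(PERMIT|DENY)\s+Subject\s+"([^"]+)"\s*$', re.I)


def parse_dn(dn):
    """Return (type, value) pairs in OpenSSL '/' order from either the OpenSSL
    one-line form (/C=NL/O=...) or the comma-separated RFC 2253 form."""
    if dn.startswith("/"):
        parts = re.split(r"/(?=[^/=]+=)", dn[1:])
    else:
        parts = re.split(r"(?<!\\),", dn)[::-1]   # RFC 2253 lists most-specific RDN first
    pairs = []
    for part in parts:
        if part.strip():
            typ, _, val = part.partition("=")
            pairs.append((typ.strip(), val.strip()))
    return pairs


def normalise_dn(dn):
    """Rewrite a DN in OpenSSL form with every e-mail variant spelled emailAddress."""
    out = []
    for typ, val in parse_dn(dn):
        key = typ.lower()
        typ = "emailAddress" if key in EMAIL_ALIASES else CANONICAL.get(key, typ)
        out.append(f"/{typ}={val}")
    return "".join(out)


def email_attributes(dn):
    """Values of any e-mail attribute in the DN, whatever its spelling."""
    return [val for typ, val in parse_dn(dn) if typ.lower() in EMAIL_ALIASES]


def parse_namespaces(text):
    """Parse 'TO Issuer "..." PERMIT|DENY Subject "..."' rules; '#' starts a
    comment and a trailing backslash continues a rule on the next line."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable namespace rule: {line!r}")
        issuer, action, pattern = match.groups()
        rules.append((normalise_dn(issuer), action.upper(), pattern))
    return rules


def subject_permitted(rules, issuer_dn, subject_dn):
    """Assumption of this example: rules are tried in order; the first whose issuer
    equals the cert issuer and whose pattern matches the whole normalised subject
    (case-insensitive) decides, and a subject with no matching rule is refused."""
    issuer, subject = normalise_dn(issuer_dn), normalise_dn(subject_dn)
    for rule_issuer, action, pattern in rules:
        if rule_issuer == issuer and re.fullmatch(pattern, subject, re.I):
            return action == "PERMIT"
    return False


SAMPLE_RULES = """\
#NAMESPACES-VERSION: 1.0
# constructed rules for this example, not a real IGTF namespaces file
TO Issuer "/DC=org/DC=example/O=Example Grid/CN=Example Grid CA" \\
   PERMIT Subject "/DC=org/DC=example/O=Example Grid/.*"
TO Issuer "/C=XX/O=Legacy Org/CN=Legacy CA/Email=ca@legacy.example" \\
   PERMIT Subject "/C=XX/O=Legacy Org/.*"
"""


def demo():
    rules = parse_namespaces(SAMPLE_RULES)
    ca = "/DC=org/DC=example/O=Example Grid/CN=Example Grid CA"
    return {
        "openssl_form": subject_permitted(rules, ca, "/DC=org/DC=example/O=Example Grid/CN=Jan Jansen"),
        "rfc2253_form": subject_permitted(rules, "CN=Example Grid CA,O=Example Grid,DC=example,DC=org",
                                          "CN=Jan Jansen,O=Example Grid,DC=example,DC=org"),
        # the rule spells the attribute Email=, the cert emailAddress=, the host cert E=
        "email_spelling_differs": subject_permitted(
            rules, "/C=XX/O=Legacy Org/CN=Legacy CA/emailAddress=ca@legacy.example",
            "/C=XX/O=Legacy Org/CN=host.legacy.example/E=host@legacy.example"),
        "outside_namespace": subject_permitted(rules, ca, "/DC=org/DC=other/O=Other/CN=Jan Jansen"),
        "unknown_issuer": subject_permitted(rules, "/C=XX/O=Unknown CA", "/C=XX/O=Unknown CA/CN=x"),
    }
```

Without the normalisation step the `email_spelling_differs` case would be refused by a strict string comparison even though the issuer is the same CA, which is the interoperability failure the slide describes; `email_attributes()` is the check a CA operator can run over its own name to see whether it is on the list that still needs to drop the attribute.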

Slide 18: AUTHZ OPERATIONS GUIDELINES

Slide 19: AASP Operations Guidelines
 EUGridPMA in its January 2012 meeting produced version 1.0 of the AASP Operations Guidelines. See...
 Try this out with a willing AA operator: Steve Traylen at CERN, for WLCG
 TAGPMA correctly concluded that our own Distribution is a source of assertions as well, so it would be good to assess the Distribution system against the guidelines. I’ll do that; it seems a good idea for both the Distribution setup and for the Guidelines …
 Discuss and try to agree during the All-Hands?

Slide 20: Agenda
 25th EUGridPMA and IGTF All Hands meeting, followed by the SCI meeting; Karlsruhe, May 7-9, 2012
 TERENA Networking Conference, Reykjavik, May 21-25, 2012
 26th EUGridPMA meeting, tentatively September 2012, France (location tbd)