NRENs, Grids and Integrated AAI In Search For the Utopian Solution Christos Kanellopoulos AUTH/GRNET October 17 th, 2005 skanct at physics.auth.gr 2nd TERENA NREN-Grids Workshop

Outline ✔ NREN vs Grid?? ✔ Authentication Infrastructures ✔ EuGridPMA ✔ IGTF ✔ EduROAM ✔ Differences and Common Ground ✔ Authorization Infrastructures NRENs, Grids and Integrated AAI – In Search For the Utopian Solution Disclaimer: These are my personal views

NRENs vs Grids ✔ What is the Grid? ✔ “The flexible, secure, coordinated resource sharing among dynamic collections of individuals, institutions, and resources.” ✔ It is NOT just about computing and storage. It's a vision for the future of the Internet. Now let's get back to reality ✔ The goal is the same, but we are starting from different points NRENs, Grids and Integrated AAI – In Search For the Utopian Solution

Authentication Infrastructures in Europe ✔ ~2 Major authentication international federations across Europe ✔ EuGridPMA: Coordinate trust for access to distributed computing and storage resources ✔ EduRoam: Coordinate trust for access to network resources NRENs, Grids and Integrated AAI – In Search For the Utopian Solution

euGridPMA ✔ The EU DataGrid in 2000 needed a PKI for the test bed ✔ Both end-user and service/host PKI ✔ CACG (actually David Kelsey) had the task of creating this PKI ✔ for Grid Authentication only ✔ no support for long-term encryption or digital signatures ✔ Single CA was not considered acceptable ✔ Single point of attack or failure ✔ One CA per country, large region or international organization ✔ CA must have strong relationship with Ras ✔ Some pre-existing Cas ✔ A single hierarchy would have excluded existing CAs and was not convenient to support with existing software ✔ Coordinated group of peer CAs was most suitable choice NRENs, Grids and Integrated AAI – In Search For the Utopian Solution

euGridPMA More than 40 countries and regions ✔ Green: Accredited CAs ✔ Other Accredited CAs:  DoEGrids (US)  GridCanada  ASCCG (Taiwan)  ArmeSFO (Armenia)  CERN  Russia (“DataGrid”)  Israel (IUCC)  Pakistan  IHEP (China)  BalticGrid,  Turkey/ULAKBIM NRENs, Grids and Integrated AAI – In Search For the Utopian Solution

Extending Trust: IGTF – the International Grid Trust Federation ✔ common, global best practices for trust establishment ✔ better manageability and response of the PMAs NRENs, Grids and Integrated AAI – In Search For the Utopian Solution TAGPMA APGridPMA

Extending Trust: IGTF – Authentication Profiles NRENs, Grids and Integrated AAI – In Search For the Utopian Solution

eduRoam ✔ To provide National Research and Educational Networks (NRENs) users with secure Internet access at academic campuses (WLAN and wired) across Europe NRENs, Grids and Integrated AAI – In Search For the Utopian Solution

Differences EuGridPMA ✔ Access to “Grid” resources ✔ One central authority per country, region or international organization NRENs, Grids and Integrated AAI – In Search For the Utopian Solution EduRoam ✔ Access to Network resources ✔ Campus Authentication (mainly)

Common Ground ✔ Enable a common trust domain applicable to authentication of end-entities ✔ Policies for the authentication providers ✔ Authentication not bound to a specific method (both can leverage username/password or x509 authentication) NRENs, Grids and Integrated AAI – In Search For the Utopian Solution

Authentication Infrastructures in Europe ✔ What if I could use my “IGTF” certificate to have network connection at the “eduRoam enabled” institutes across the globe? ✔ What if I could use my eduRoam id to access the “grid enabled” resources as if I was at my institute from anywhere in the world ? NRENs, Grids and Integrated AAI – In Search For the Utopian Solution

Authorization Infrastructures in Europe ✔ Authorization is not as mature as authentication ✔ Various AAI solutions: ✔ A-Select ✔ FEIDE ✔ Liberty Alliance ✔ Papi ✔ Permis ✔ Shibboleth & GridShib ✔ In EGEE/LCG VOMS is being used as the authorization service, while in the NREN arena Shibboleth NRENs, Grids and Integrated AAI – In Search For the Utopian Solution

Authorization Infrastructures in Europe ✔ How do we get the role of the user? ✔ Pull vs Push ✔ Who defines the role of the user? ✔ What about users who have multiple roles perhaps under different organizations ? NRENs, Grids and Integrated AAI – In Search For the Utopian Solution

Authorization Infrastructures in Europe ✔ There has to be a harmonization in the attributes roles that are being used in the campuses. ✔ The Attribute Service has to be flexible. ✔ In the NREN world the campus is the central information point about the user. In the Grids world the role of the user is defined by the Virtual Organization ✔ We must not assume that there is always a central authority that handles the roles/attributes of the users. Management of attributes should be able to be delegated ✔ The Attribute Services have to speak a common language (SAML is here to stay) NRENs, Grids and Integrated AAI – In Search For the Utopian Solution

Conclusions ✔ Ther is still a long road for an integrated AAI ✔ We can not solve the problem all at once ✔ In “Authentication” we are getting closer! ✔ In the “Authorization” field, standardization is needed! (SAML and XACML might be the solution) NRENs, Grids and Integrated AAI – In Search For the Utopian Solution