On Robots J Jensen STFC Rutherford Appleton Lab Banff, 16-18 July 2007.

Slides:



Advertisements
Similar presentations
Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/
Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.
MyProxy: A Multi-Purpose Grid Authentication Service
Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
Mechanisms to Secure x.509 Grid Certificates Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
WebFTS as a first WLCG/HEP FIM pilot
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
David L. Wasley Office of the President University of California Higher Ed PKI Certificate Policy David L. Wasley University of California I2 Middleware.
Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
NAREGI CA Updates Kento Aida NAREGI CA/NII Kento Aida, National Institute of Informatics APGrid PMA meeting 04/20/2008.
1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.
Usable Security for Science Challenges and Next Steps Jens Jensen Science and Technology Facilities Council Trust and Security 2 nd Workshop Oxford 8-9.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
Data Encryption using SSL Topic 5, Chapter 15 Network Programming Kansas State University at Salina.
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
3-Nov-00D.P.Kelsey, HEPiX, JLAB1 Certificates for DataGRID David Kelsey CLRC/RAL, UK
Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
Academia Sinica Grid Computing Certification Authority (ASGCCA)
KFKI RMKI CA Review EUGridPMA May 26-28, Copenhagen Szabolcs Hernáth MTA KFKI RMKI pki.kfki.hu.
IST E-infrastructure shared between Europe and Latin America ULAGrid Certification Authority Vanessa Hamar Universidad de Los.
© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.
Grid Canada Certificate Authority Darcy Quesnel
Fermilab CA Infrastructure EDG CA Managers Mtg June 13, 2003.
Grid technology Security issues Andrey Nifatov A hacker.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.
Secure hardware tokens David Groep DutchGrid CA. DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist)
KEK GRID CA updates Takashi Sasaki Computing Research Center KEK.
Secure hardware tokens David Groep DutchGrid CA. DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist)
X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.
NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.
1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.
11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan1 Certificates for DataGrid Testbed0 David Kelsey CLRC/RAL, UK
Security, Authorisation and Authentication Mike Mineter, Guy Warner Training, Outreach and Education National e-Science Centre
Virtual Smart Card Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center.
0 NAREGI CA Status Report APGrid F2F meeting in Singapore June 4, 2007 Rumiko Masuko.
8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK
JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.
12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK
A New UK CA Portal David Meredith Jens Jensen John Kewley.
SESEC Storage Element (In)Security hepsysman, RAL 0-1 July 2009 Jens Jensen.
MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.
Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.
Jens’ Soapbox J Jensen Rutherford Appleton Laboratory Berlin, Sep 2009.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI CSIRT Procedure for Compromised Certificates and Central Security Emergency.
Jens’ N th soapbox Can’t be a PMA without a Soapbox Jens Jensen, RAL EU GridPMA, Switch, Zürich, May 2009.
Security and Delegation The Certificate Perspective Jens Jensen Rutherford Appleton Laboratory Workshop at NIKHEF, 27 April 2010.
18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.
Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )
UK e-Science Certification Authority Self Audit Jens Jensen EUGridPMA meeting, Berlin.
Jens' obligatory soap box Can't be a PMA without a SoapBox A random collection of Soapy things Nicosia, Jan 2009.
UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.
Soapbox (S Series) Who, what, where, why, how Rome Soapbox, Jan 2013 Jens Jensen, Chief Soapbox Officer.
Zeepkist Jens Jensen STFC SurfNet, Utrecht, Jan 2011.
Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston )
29 th EUGridPMA meeting, September 2013, Bucharest AEGIS Certification Authority Dušan Radovanović University of Belgrade Computer Centre.
Soapbox (S-Series) Certificate Validation Jens Jensen, STFC.
Jens Jensen EU Grid PMA, Berlin Jan 2015
Presentation transcript:

On Robots J Jensen STFC Rutherford Appleton Lab Banff, July 2007

What is a Robot A long-lived user certificate –Whose private key is “unprotected” –MUST be protected with a passphrase Passphrase MAY be stored in memory Identity –Not tied to a network identity –Tied to a specific user (owner)

You, Robot Robots MUST have a 1SCP OID –Plus of course that of their CP/CPS Robots MUST NOT have server exts –Because they are not –Servers need DNS name in s.a.n.

I, Robot UK version: …/CN=Joe User/CN=Robot:GridClient Dutch version …/O=robots/…/CN=Robot: function - person Czech version? …? Your version?

Robot Names “Mr Robot GridClient” does not have ‘:’ ‘:’ is in printableString Simple algo to derive owner’s DN –But not the same for the two CAs Allow disambiguation –/CN=User Name/CN=Robot:Type (314) –No semantics associated to disamb.?

Issues Robots are named after what they are, not what they do. –E.g. “GridClient”, not “Monitoring” –Get consistent naming for all robots? Should different robots have different OIDs (in addition to robot 1SCP) –Probably not – profile should be sufficient

Robot toolkit for your CP/CPS Describe what a robot is Describe naming of robots –Including relation to owner’s name, if any Condition of issuance (who can request) Security of private key (cf token talk)

Robot toolkit for CP/CPS Perhaps make it a part of a consistent CP/CPS programme (CCPCPSP)? –Mix and match, –Plug and play, –Live and learn

Issues Must robots always name their owner? –Good for log files and the W&F –Good for AUC by DN (W&F) –Good for automated chaining (user leaves  disable user’s robots) (but no stds) –Bad for transfer of ownership –Bad for “shared” robots (with 1 responsible) (project owned)

Issues Which types –Use cases (for owners, projects, and the CA) How to describe different types –Morally equivalent to services –Define std ones Harmonise std ones across PMA? –Each CA MUST describe non-std ones But not in CP/CPS?

Issues How RA verifies key generated by token –General token support, not just for robot –Different modus operandi for users –More work for the helpdesk, more work for the RA

Security Issues Robot certificates shared? –Single person responsible for use of robot –CA decides what it is, owner what it does Each Robot has a unique DN –No two Robots share keys

Security Issues MUST be authorised independently –of the user’s authorisation Private key is “unprotected” at time of use –Permit non-protected tokens (LoA…) Should owner use existing cert to apply for robot cert?

Open Questions Can anyone apply for a robot? –If not, how should it depend on the type? Distinguish simple from powerful robots –Other than by extns –How to enforce what it does (cf Globus services) Bit like object signing extensions –How does CA assert this? Robots too tied to their owner’s name

Open Questions How to get consistency across CAs (cf 1SCP) –Is this necessary –Makes life easier for reviewers –At least need a robot profile…, no? –Consistency (probably) impossible already

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.