Certificates for DataGrid Testbed0
David Kelsey, CLRC/RAL, UK
11-Dec-00, D.P.Kelsey, Certificates, WP6 meeting, Milan


Agenda
Day 1 – 4th December, 2000, CERN
  – Aims, agenda, intro, etc.
  – Roundtable status reports
  – Authentication vs Authorisation
  – Which CAs?
  – CA Policies
  – Naming

Agenda (2)
Day 2 – 5th December, 2000, CERN
  – CA Hierarchy
  – Revocation
  – Scope of certificates
  – Other Grid projects
  – Other issues
  – Summary of decisions/proposals

Attendees
Jean-Luc Archimbaud (CNRS, France)
Roberto Cecchini (INFN, Italy)
Jorge Gomes (LIP, Portugal)
Denise Heagerty (CERN)
Dave Kelsey (RAL, UK)
Daniel Kouril (Cesnet, Czech Rep.)
Andrew Sansum (RAL, UK)
Apologies from: Francesco Prelz and Guiseppe LoBiondo (INFN)

Aims of meeting
Implement CA(s) for Testbed0
  – But also plan for the future
Keep it simple! (at least for now)
Report to WP6 meeting – Milan 11 Dec
Report to ATF?
Proposal for authorisation?

Summary of roundtable status
National CAs already in place and ready for Testbed0
  – Czech Republic
  – France
  – Italy
  – Portugal
  – UK
CERN not yet ready
Not sure about status of sites not present

Authentication vs Authorisation
User requirement for easy access to resources while system managers need to control access
Strong recommendation not to mix these
  – For non-HEP CAs we will not be able to request the addition of HEP-specific attributes
  – Industry trends PMI (privilege management infrastructure)
  – X.509V3 extension fields should only carry authorisation information that is stable and constant over time
  – “Attribute Certificates” – PKIX IETF working group
  – Also CAS from Globus

Authentication vs Authorisation (2)
  – Breaks Globus GSI model
  – Privacy – public certificate should include minimal information – user may have control over disclosure
Recommendation to start a task force on Authorisation
  – Users want easy access to resources
  – Initially – grid map-files
  – then LDAP?
Account creation – requires coordination?

Which CAs?
Recommendations
  – Each country/site wishing to join Testbed0 must find a CA willing to issue certificates for them with published and accepted procedures
  – By Testbed0 cutoff date, decide list of initial CA’s + a catch-all solution
  – phase out use of CA’s not meeting the minimum standards within 6 months, e.g. existing Globus CA
  – Should be a small group with responsibility for “accepting” new CA’s

Which CAs? (2)
CAs should be aware that we will review after 6 months
  – At this point new recommendations may be made
Short lived CAs may be a good choice for getting started
Recommend a maximum lifetime for personal certificates of 1 year

CA Policies for Testbed0
CPS (cert practice statement) for CAs
  – Try to agree minimum set for Testbed0 or a mechanism for agreement of procedures
  – Use beyond Testbed0 at decision of each site?
  – Private key must be offline?
  – Physical access to CA – controlled area
  – Off line CA/signing machine?
  – Security of private key – who? How many?
  – Minimum Key lengths?

CA Policies for Testbed0 (2)
Minimum policy for RA’s
  – Confirmation from trusted person at each site
      Identity
      Request was issued by that person
      What does it assert?
  – Method of confirmation (RA to CA) must be specified
      Telephone?, digitally signed mail
  – Must be a mechanism for revocation
  – Owning a certificate is not sufficient for creation of accounts

Naming
To date, different choices have been made
Longer term, do we want a hierarchical namespace? (o=hep?)
Coordination with LDAP namespace?
This needs further study
How to map single certificate onto multiple accounts?

CA Hierarchy
Root CA signs lower level CA certificate
  – proposed changes to globus toolkit would allow clients and servers to only trust the root CA
Pros
  – Formalises the checking of CPS
  – Simpler/scalable configuration for growing number of CAs (if mods made to globus)

CA Hierarchy (2)
Cons
  – Have to trust the root CA
  – In conflict with generic use of certificates
      Suggests a common scope
      Would need dedicated DataGrid CAs
  – Heavy reliance (unacceptable?) on the private key of the root CA
  – Compromised or disappearing root CA would cause major problems
      But could move the root CA
Conclude – not a useful idea

Revocation
Each CA must maintain a CRL
Each server/client must regularly copy this CRL from each CA and store it in the “trusted certificates” directory (cron job)
Globus (SSL) checks this local copy
We need an agreed policy for CA updating its own CRL (e.g. compromised private key)
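
The cron step from the Revocation slide, as an added example that is not part of the original slides: a downloaded CRL replaces the local copy only if it is signed by the expected CA and has not passed its nextUpdate time, so a truncated or stale download never overwrites the CRL that is being checked. It assumes OpenSSL, curl and GNU date, PEM-encoded CRLs, and a trusted-certificates directory that uses OpenSSL hash names; the function names, URL and paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the slides). Assumes OpenSSL, curl and GNU date, PEM
# CRLs, and a trusted-certificates directory using OpenSSL hash names
# (<hash>.r0 for a CRL). URL and paths in the cron line are placeholders.

# crl_is_acceptable CRL_FILE CA_CERT
# True only if the file is a CRL signed by CA_CERT whose nextUpdate is still
# in the future.
crl_is_acceptable() {
    crl=$1; ca=$2
    [ -s "$crl" ] && [ -r "$ca" ] || return 1
    # The exit status has not reflected a failed signature check in every
    # OpenSSL release, so match the "verify OK" message instead.
    openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK' || return 1
    next=$(openssl crl -in "$crl" -noout -nextupdate | cut -d= -f2)
    [ -n "$next" ] && [ "$next" != "NONE" ] || return 1
    expiry=$(date -u -d "$next" +%s 2>/dev/null) || return 1
    [ "$expiry" -gt "$(date -u +%s)" ]
}

# install_crl NEW_CRL CA_CERT CERT_DIR
# Replaces CERT_DIR/<hash>.r0 atomically, and only with a CRL that passed the
# checks; on any failure the previously installed copy is left in place.
install_crl() {
    new=$1; ca=$2; dir=$3
    if ! crl_is_acceptable "$new" "$ca"; then
        echo "CRL rejected, keeping existing copy in $dir" >&2
        return 1
    fi
    hash=$(openssl crl -in "$new" -noout -hash) || return 1
    staged=$(mktemp "$dir/.crl.XXXXXX") || return 1
    if cp "$new" "$staged" && chmod 644 "$staged" && mv -f "$staged" "$dir/$hash.r0"; then
        return 0
    fi
    rm -f "$staged"; return 1
}

# refresh_crl URL CA_CERT CERT_DIR   (the function a cron entry would call)
# e.g. 17 */6 * * * . /path/to/this-file && refresh_crl URL CA_CERT CERT_DIR
refresh_crl() {
    dl=$(mktemp) || return 1
    if curl -fsS --max-time 60 -o "$dl" "$1" && install_crl "$dl" "$2" "$3"; then rc=0; else rc=1; fi
    rm -f "$dl"
    return $rc
}
```

A CRL that is close to its nextUpdate time with no newer one available is worth alerting on, since an expired local copy is the failure the agreed CRL update policy has to prevent.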

Scope of certificates
Each CA can decide the scope of the certificates it issues.
One reason not to use a hierarchy of CA’s
Each site is free to choose which CA’s it trusts

Other issues - Security
Communication between sites for removing users from authorisation scheme – in addition to revocation of certificate
Should this certificate group continue?
  – With more general mandate than just certificates?
Gatekeeper proxy certs
  – Limited functionality
  – Globus-rcp needs full function cert (returning job output)
  – Job for general security task force

Summary of Recommendations
Use existing CAs, not necessarily specific to DataGrid
Aim to phase out use of Globus CA
For those orgs with no CA by cut-off date
  – find someone else willing to issue certs
  – We need a catch-all
We will provide client/server configuration advice
Q: What is the cutoff date?
Q: WP6 should advise on “catch-all” CA

Summary of Recommendations (2)
CA Hierarchy – not useful
Authorisation in certificate – no!
Agree minimum standards for CPS
  – Topic for future meeting of this group
DataGrid should create a Security task force
  – Beyond testbed0 and certificates
Authorisation needs to be tackled
  – By whom? LDAP + Security + …?