8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam2 Members of WP6 CA group Luca dell AgnelloINFN, Italy Roberto AlfieriINFN, Italy Jean-Luc ArchimbaudCNRS, France Roberto CecchiniINFN, Italy Jorge GomesLIP, Portugal David GroepNIKHEF, NL Denise HeagertyCERN Dave Kelsey(Chair)RAL, UK Daniel KourilCesnet, Czech Rep. Rafael MarcoSpain Pietro Paolo MartucciCERN Andrew SansumRAL, UK

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam3 Meetings 4/5 December 2000, CERN 2 March 2001, CERN Next meeting: 5 June 2001, CERN

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam4 CA status National CA already in operation for DataGrid Testbed0 –CERN –Czech Republic –France –Italy –Netherlands –Portugal –Spain –UK Successful tests of globus job submission between CA domains Sites not represented?

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam5 Certificates for users/hosts All testbed users should obtain a certificate from their own national CA. Same for host certificates See WP6 web page – Countries not yet running a CA –Implement one or –Find an existing CA willing to issue certificates Globus certificates are still OK for Testbed0 but should be avoided if possible –Will be removed in Testbed 1

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam6 Configuration of systems See WP6 web We will provide configuration advice for globus –To configure complete list of trusted CA’s –To configure the certificate request mechanism –To maintain grid mapfile But no automatic updates Local site is free to accept trusted CA’s or not. –We will check CPS of each CA to define “trust”

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam7 CA Policies CP (Certificate Policy) –Applicability of the certificate to a particular community and/or class of application CPS (Certification Practice Statement) –Practices used in issuing certificates INFN and NIKHEF have prepared a CP/CPS Others working on this –To be completed by mid-April Review of all CP and CPS by small group before Testbed 1

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam8 Minimum CP/CPS Discussed a minimum set of requirements for a CP and CPS –Also being discussed in GGF Security WG Registration Authority (RA) –An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate –The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP –requests for machine certificates must be signed by personal certificates or verified by other appropriate means Communication between RA and CA –Either by signed or some other acceptable method

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam9 Minimum CPS (2) Certification Authority (CA) –The issuing machine must be: a dedicated machine located in a secure environment Not connected to any network be managed in an appropriately secure way by a trained person –the CA private key (and copies) should be locked in a safe or other secure place must be encrypted with a pass phrase having at least 15 characters the pass phrase must only be known by the Certificate issuer(s)

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam10 Minimum CPS (3) minimum length of user private keys must be 1024 min length of CA private key must be 2048 lifetime of personal certificates should be no longer than one year. question: how many farm nodes will require host certs? And how long should these certs live? Revocation – see later Users must generate their own private key and must keep this private and secure Publishing of user public keys is not required.

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam11 Minimum CPS (4) Recording - audit trail –RAs must record and archive all requests all confirmations –CAs must record and archive all requests for certs all issued certs all requests for revocation all issued CRLs login/logout/reboot of the issuing machine

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam12 Naming To date, different choices have been made –No proof of uniqueness Longer term, do we want a hierarchical namespace? (o=hep?) Coordination with Info services LDAP namespace? This needs further study

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam13 Revocation lost or compromised private key person left organisation Can be requested by either the user or the RA Every CA must generate and maintain a CRL –The lifetime of the CRL should be no more than 30 days. –This must be updated immediately after every revocation and at least before the expiry of the lifetime. All clients must update their local copies of CRL's at least once per day.

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam14 General Security group PTB asked me to join the ATF for security –See my talk on Friday 9 th March –I propose to create a general security group WP6 security reps plus reps from other WP’s plus … How do we handle authorisation in DataGrid? Strong recommendation not to mix authentication and authorisation –Industry trends PMI (privilege management infrastructure) –X.509V3 extension fields should only carry authorisation information that is stable and constant over time –“Attribute Certificates” – PKIX IETF working group –CAS from Globus looks very interesting

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam15 Future Plans Complete WP6 web pages with CA details and configuration advice (by Easter) CA’s to complete CP and CPS (by Easter) Small group to review all CP/CPS (before Testbed 1) More work under the general security group –Authorisation –Mapfiles –etc