VOMS Proxy Lifetime. UCB, 21 Aug 2012. David Kelsey, STFC. EGI-InSPIRE (RI-261323), www.egi.eu


Slide 2: Executive Summary
- Proxy certificates and VOMS attribute certificates:
  – are needed for single sign-on and delegation in gLite;
  – are a security risk, because there is no revocation mechanism and the proxy (with its private key) is stored unencrypted on disk.
- EGI has a current security operational notice limiting the lifetimes to 24 hours.
- But it is not recorded as a policy or procedure, and it is not really enforced.
- SPG and CSIRT will review it in the coming weeks; feedback is invited.

Slide 3: EGI Proxy Life notice
https://wiki.egi.eu/wiki/EGI_CSIRT:Op-notices/proxy-lifetime-02-11-2007
- The agreement dates from EGEE days (Nov 2007) and was adopted by EGI CSIRT (Jun 2010).
- It needs to be formally adopted as a policy and/or procedure, and then enforced.
- The standard gLite renewal mechanisms can be used to support long-term operations that need valid credentials throughout the duration of a job, and whose duration could exceed the maximum lifetime agreed.

Slide 4: Authentication lifetime
- The maximum AuthN proxy lifetime SHOULD be 24 hours (from time of issue).
- Users (or MyProxy) SHOULD NOT create Grid proxy certificates with lifetimes longer than this, except when storing proxies in approved services such as MyProxy.

Slide 5: Authorisation lifetime
- The period of validity of AuthZ attributes in a VOMS proxy certificate SHOULD be 24 hours (from time of issue).
- VOs SHOULD NOT issue AuthZ attributes with lifetimes longer than this, or MUST request approval (from CSIRT) if this needs to be exceeded.
- CSIRT needs to notify sites if longer lifetimes are being used; some sites may refuse to allow this.

Slide 6: Implementation and exemptions
- Sites SHOULD enforce these policy upper limits; Grid middleware MUST provide the ability to do this.
- If a VO needs a TEMPORARY extension of the proxy lifetime of its users, the VO manager(s) MUST send a documented request to the EGI CSIRT including:
  – a detailed explanation of the technical difficulties that would justify a temporary extension of the proxy lifetime;
  – a confirmation of the understanding and agreement from the VO that this temporary extension will be revoked after an agreed deadline.
- Once the request is approved by the CSIRT, the VO manager(s) or the CSIRT MUST inform all sites about the change by sending a broadcast to all the site administrators and managers and to the EGI security contacts.
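The 24-hour rule of slide 4 and the site-side enforcement of slide 6 come down to reading the Validity field of each certificate in the proxy chain and comparing notAfter minus notBefore against the limit. The following is an added example, not code from the notice, from gLite or from VOMS: a Python 3 check that uses only the standard library, walks the DER structure to the Validity field, and applies the limit both from time of issue (what the notice specifies) and as remaining lifetime (what a site sees at job submission). It deliberately includes the case a remaining-lifetime check alone would miss: a 48-hour proxy in its second day. The build_cert() helper, the certificate contents and the timestamps are constructed fixtures (unsigned certificates with empty names and a dummy key, good only for feeding the parser). The validity of VOMS attribute certificates (slide 5) sits inside a certificate extension and is not parsed here.

```python
"""Proxy-lifetime check over DER-encoded X.509 certificates (stdlib only).

Added example; not code from the EGI notice, gLite or VOMS.  A minimal DER
TLV walker extracts Validity (notBefore/notAfter) from each certificate of a
proxy chain [proxy, ..., EEC] and the check applies the 24 h limit.
build_cert() is a CONSTRUCTED TEST FIXTURE: unsigned, empty names, dummy key.
"""
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(hours=24)      # EGI operational notice: 24 h from issue
_OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11
_OID_RSA_KEY = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"      # 1.2.840.113549.1.1.1


def _tlv(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                              # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _expect(tag, want, what):
    if tag != want:
        raise ValueError(f"{what}: expected tag {want:#x}, got {tag:#x}")


def _parse_time(tag, val):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...), UTC."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter).  Path: Certificate -> tbsCertificate ->
    [version] serialNumber signature issuer validity."""
    tag, body, _ = _read_tlv(der, 0)
    _expect(tag, 0x30, "Certificate")
    tag, tbs, _ = _read_tlv(body, 0)
    _expect(tag, 0x30, "tbsCertificate")
    pos = 0
    tag, _, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                        # skip serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    tag, validity, _ = _read_tlv(tbs, pos)
    _expect(tag, 0x30, "Validity")
    t1, nb, nxt = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, nxt)
    return _parse_time(t1, nb), _parse_time(t2, na)


def check_proxy_chain(chain, now):
    """Apply the rule to chain [proxy, ..., EEC].  Returns (issued_hours,
    remaining_hours, compliant): issued is notAfter - notBefore of the leaf
    (the quantity the notice limits); remaining is bounded by the earliest
    notAfter in the chain, since a proxy is unusable past its issuer."""
    leaf_nb, leaf_na = cert_validity(chain[0])
    chain_na = min(cert_validity(c)[1] for c in chain)
    issued = leaf_na - leaf_nb
    remaining = max(chain_na - now, timedelta(0))
    return (issued.total_seconds() / 3600, remaining.total_seconds() / 3600,
            issued <= MAX_LIFETIME)


def build_cert(not_before, not_after):
    """Constructed fixture: v3 certificate skeleton with UTCTime validity,
    empty issuer/subject, dummy key and dummy signature.  Parser food only."""
    utc = lambda t: _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    sig_alg = _tlv(0x30, _tlv(0x06, _OID_SHA256_RSA) + _tlv(0x05, b""))
    name = _tlv(0x30, b"")
    validity = _tlv(0x30, utc(not_before) + utc(not_after))
    key_alg = _tlv(0x30, _tlv(0x06, _OID_RSA_KEY) + _tlv(0x05, b""))
    spki = _tlv(0x30, key_alg + _tlv(0x03, b"\x00\x00"))
    tbs = _tlv(0x30, version + _tlv(0x02, b"\x01") + sig_alg + name + validity + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 9))


def demo():
    """Three constructed chains evaluated at a fixed instant (21 Aug 2012 12:00 UTC)."""
    now = datetime(2012, 8, 21, 12, 0, tzinfo=timezone.utc)
    h = lambda n: timedelta(hours=n)
    eec = build_cert(now - h(24 * 200), now + h(72))        # user cert, 3 days left
    cases = {
        "12h proxy": build_cert(now, now + h(12)),
        "48h proxy issued 30h ago": build_cert(now - h(30), now + h(18)),
        "168h proxy outliving its EEC": build_cert(now, now + h(168)),
    }
    return {name: check_proxy_chain([p, eec], now) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (issued, remaining, ok) in demo().items():
        print(f"{name}: issued {issued:.0f} h, remaining {remaining:.0f} h, "
              f"{'compliant' if ok else 'VIOLATES 24 h limit'}")
```

The second case is the one to note: with 18 hours remaining it passes any check that only looks at time left, yet it was issued for 48 hours and violates the notice as written ("from time of issue"), so a site-side check should look at both figures. The parser follows the RFC 5280 field order and accepts both UTCTime and GeneralizedTime, so it also works on real PEM-decoded proxies; the fixture builder exists only because the example must run offline.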

Slide 7: Feedback invited
- I will propose (to SPG and CSIRT) formal adoption of such a 24-hour limit, but with mechanisms to agree extensions as currently specified.
- Which VOs currently use lifetimes longer than 24 hours? And why? Is renewal not (yet) available?
- Any other feedback?

