Presentation is loading. Please wait.

Presentation is loading. Please wait.

DataGrid WP6/CA CA Trust Matrices

Published byMyron Fleming Modified over 6 years ago

Similar presentations

Presentation on theme: "DataGrid WP6/CA CA Trust Matrices"— Presentation transcript:

1 DataGrid WP6/CA CA Trust Matrices
Trinity College Dublin (TCD) Brian Coghlan Edinburgh JUL-2002

2 EU DataGrid Project Main Partners Industrial Partners
CERN (Switzerland) ESA/ESRIN (Italy) CNRS (France) PPARC (UK) NIKHEF (Nethelands) INFN (Italy) Industrial Partners Datamat (Italy) IBM-UK (UK) CS-SI (France) One of the initial services the networks intended to offer their clients was access to OMI results. It was envisioned that this should not be passive access, but proactive promotion through which the OMI offering was always proposed to the SME if there was an OMI solution to their problem. Despite multiple attempts to identify and establish an OMI solution for a problem, we were unable to promote OMI beyond the stage of a possible option and to achieve acceptance from an SME to use OMI technology. Multiple reasons exists for this: the huge difficulties identifying an OMI option if at all available; poor packaging and immature technology; low market profile for OMI developments suggesting they are not widely used and far from being a de-facto market standard; absence of previous experiences of applying the technology; most of the hardware developed within OMI is available only as chip building blocks (macrocells) not as chip-sets. In total the OMI option was rejected, as it was perceived to be too risky by the potential user. SMEs are highly risk-sensitive and usually do not operate in volumes justifying development of ASICs that can exploit OMI results, even if the macrocells were licensable with reasonable effort. The responsibility for marketing the OMI results lies with the companies originally developing the processor core or macrocell. The User Support Networks can, not and should not, take on this marketing effort. For the macrocells to find a market with the SMEs they must be turned into chip-sets easily available with proper documentation like application notes helping the SMEs engineer systems exploiting these chips. Knowledge about the available results is a key problem and there is an imminent need for a catalogue detailing what are available out of OMI, the availability of the products, terms and conditions, and application references. Research and Academic Institutes CESNET (Czech Republic) Commissariat à l'énergie atomique (CEA) – France Computer and Automation Research Institute,  Hungarian Academy of Sciences (MTA SZTAKI) Consiglio Nazionale delle Ricerche (Italy) Helsinki Institute of Physics – Finland Institut de Fisica d'Altes Energies (IFAE) - Spain Istituto Trentino di Cultura (IRST) – Italy Konrad-Zuse-Zentrum für Informationstechnik Berlin - Germany Royal Netherlands Meteorological Institute (KNMI) Ruprecht-Karls-Universität Heidelberg - Germany Stichting Academisch Rekencentrum Amsterdam (SARA) – Netherlands Swedish Research Council - Sweden

3 EU CrossGrid Project 21 Partners 11 Countries led by Cyfronet (Poland)
Netherlands Germany Spain Italy Portugal Greece Austria Slovakia Cyprus Ireland One of the initial services the networks intended to offer their clients was access to OMI results. It was envisioned that this should not be passive access, but proactive promotion through which the OMI offering was always proposed to the SME if there was an OMI solution to their problem. Despite multiple attempts to identify and establish an OMI solution for a problem, we were unable to promote OMI beyond the stage of a possible option and to achieve acceptance from an SME to use OMI technology. Multiple reasons exists for this: the huge difficulties identifying an OMI option if at all available; poor packaging and immature technology; low market profile for OMI developments suggesting they are not widely used and far from being a de-facto market standard; absence of previous experiences of applying the technology; most of the hardware developed within OMI is available only as chip building blocks (macrocells) not as chip-sets. In total the OMI option was rejected, as it was perceived to be too risky by the potential user. SMEs are highly risk-sensitive and usually do not operate in volumes justifying development of ASICs that can exploit OMI results, even if the macrocells were licensable with reasonable effort. The responsibility for marketing the OMI results lies with the companies originally developing the processor core or macrocell. The User Support Networks can, not and should not, take on this marketing effort. For the macrocells to find a market with the SMEs they must be turned into chip-sets easily available with proper documentation like application notes helping the SMEs engineer systems exploiting these chips. Knowledge about the available results is a key problem and there is an imminent need for a catalogue detailing what are available out of OMI, the availability of the products, terms and conditions, and application references.

4 DataGrid: security No single work package (security is everywhere!)
3 sub-groups: Authentication, Authorisation, & Co-ordination Chaired by Dave Kelsey, RAL Now based on Globus GSI authentication using PKI (X.509 certificates) authorization via DataGrid tools Trying not to mix Authentication and Authorisation Documents: Security Requirements and first implementation (D7.5) Security Design and 2nd implementation (Jan 2003)

5 DataGrid: authentication
Grids involve N-way contexts Thus each party is worried about all the others Back at the CA, each CA wants to evaluate the other CA EITHER that they meet the CA’s minimum standard OR that they meet an agreed common standard EDG focus is on common standard This results in a Trust Matrix

6 DataGrid: authentication
involves cross-domain authentication between Grid projects now 13 approved National Certificate Authorities includes Registration Authorities – check identity CNRS (France) acts as “catch-all” CA with RA mechanism to suit USA (DOE) is a member of the CA group and trust matrix CrossGrid CAs are currently joining CA group and trust matrix

7 Matrix of Trust

8 Matrix of trust How to establish the trust ? CP/CPS important
CA Mgrs check each other against agreed list of minimum requirements currently require inspection of each CA’s CPS by each other CA software being developed to aid this process CP/CPS important audit of CA procedures will help none done yet use 3rd party ? GGF GridCP and CA-Operations WG’s considered important

9 Matrix of trust Scaling problems
how many CA’s can we cope with [soon ~20] ? the process is very manual personal contacts are fundamental WANT TO MAKE EVALUATION MORE AUTOMATIC software being developed to aid this process based on evaluation of the CA Feature Matrix

10 DataGrid: CA Feature Matrix

11 Basic Concepts Issues: Grading: Constraint: Aggregation:
postulate: (condition)  (issue) e.g. (BasicConstraints_value ne ‘CA’)  (major issue) Grading: i.e. assign an issue a weight Constraint: issues of a certain class should be constrained to that class e.g. many minor issues do not make a major issue Aggregation: aggregate graded issues in a measure of ‘severity’ e.g. major) = (graded major issues)limit=1.0 One of the initial services the networks intended to offer their clients was access to OMI results. It was envisioned that this should not be passive access, but proactive promotion through which the OMI offering was always proposed to the SME if there was an OMI solution to their problem. Despite multiple attempts to identify and establish an OMI solution for a problem, we were unable to promote OMI beyond the stage of a possible option and to achieve acceptance from an SME to use OMI technology. Multiple reasons exists for this: the huge difficulties identifying an OMI option if at all available; poor packaging and immature technology; low market profile for OMI developments suggesting they are not widely used and far from being a de-facto market standard; absence of previous experiences of applying the technology; most of the hardware developed within OMI is available only as chip building blocks (macrocells) not as chip-sets. In total the OMI option was rejected, as it was perceived to be too risky by the potential user. SMEs are highly risk-sensitive and usually do not operate in volumes justifying development of ASICs that can exploit OMI results, even if the macrocells were licensable with reasonable effort. The responsibility for marketing the OMI results lies with the companies originally developing the processor core or macrocell. The User Support Networks can, not and should not, take on this marketing effort. For the macrocells to find a market with the SMEs they must be turned into chip-sets easily available with proper documentation like application notes helping the SMEs engineer systems exploiting these chips. Knowledge about the available results is a key problem and there is an imminent need for a catalogue detailing what are available out of OMI, the availability of the products, terms and conditions, and application references.

12 Currently [JUL-2002] per class: class) = (graded class issues)limit=1.0 max_severity: (severity) for most critical class with issues postulate: acceptance_level = Tacceptance – (max_severity) where: Tacceptance == (worst-case max_severity) e.g, assume: Tacceptance = 3.0 therefore: max_severity = [ ] and: acceptance_level = [ ] This is the WORKING BASIS for manual evaluation One of the initial services the networks intended to offer their clients was access to OMI results. It was envisioned that this should not be passive access, but proactive promotion through which the OMI offering was always proposed to the SME if there was an OMI solution to their problem. Despite multiple attempts to identify and establish an OMI solution for a problem, we were unable to promote OMI beyond the stage of a possible option and to achieve acceptance from an SME to use OMI technology. Multiple reasons exists for this: the huge difficulties identifying an OMI option if at all available; poor packaging and immature technology; low market profile for OMI developments suggesting they are not widely used and far from being a de-facto market standard; absence of previous experiences of applying the technology; most of the hardware developed within OMI is available only as chip building blocks (macrocells) not as chip-sets. In total the OMI option was rejected, as it was perceived to be too risky by the potential user. SMEs are highly risk-sensitive and usually do not operate in volumes justifying development of ASICs that can exploit OMI results, even if the macrocells were licensable with reasonable effort. The responsibility for marketing the OMI results lies with the companies originally developing the processor core or macrocell. The User Support Networks can, not and should not, take on this marketing effort. For the macrocells to find a market with the SMEs they must be turned into chip-sets easily available with proper documentation like application notes helping the SMEs engineer systems exploiting these chips. Knowledge about the available results is a key problem and there is an imminent need for a catalogue detailing what are available out of OMI, the availability of the products, terms and conditions, and application references.

13 Auto-evaluation move to extract issues automatically from what ?
initially from Feature Matrix later from CA certs & CRLs ? One of the initial services the networks intended to offer their clients was access to OMI results. It was envisioned that this should not be passive access, but proactive promotion through which the OMI offering was always proposed to the SME if there was an OMI solution to their problem. Despite multiple attempts to identify and establish an OMI solution for a problem, we were unable to promote OMI beyond the stage of a possible option and to achieve acceptance from an SME to use OMI technology. Multiple reasons exists for this: the huge difficulties identifying an OMI option if at all available; poor packaging and immature technology; low market profile for OMI developments suggesting they are not widely used and far from being a de-facto market standard; absence of previous experiences of applying the technology; most of the hardware developed within OMI is available only as chip building blocks (macrocells) not as chip-sets. In total the OMI option was rejected, as it was perceived to be too risky by the potential user. SMEs are highly risk-sensitive and usually do not operate in volumes justifying development of ASICs that can exploit OMI results, even if the macrocells were licensable with reasonable effort. The responsibility for marketing the OMI results lies with the companies originally developing the processor core or macrocell. The User Support Networks can, not and should not, take on this marketing effort. For the macrocells to find a market with the SMEs they must be turned into chip-sets easily available with proper documentation like application notes helping the SMEs engineer systems exploiting these chips. Knowledge about the available results is a key problem and there is an imminent need for a catalogue detailing what are available out of OMI, the availability of the products, terms and conditions, and application references.

14 Extraction from Feature Matrix
since: (condition)  (graded issue) then must define condition per feature  {rules} e.g.: (name eq ‘NIL’)  (graded issue) thus: if (name eq ‘NIL’) (graded issue) == class) per class: (severity) == (graded issues)limit=1.0 EDG can define its common rule set each CA could define its own overrides to the rule set ultimately each VO could define its own rule set One of the initial services the networks intended to offer their clients was access to OMI results. It was envisioned that this should not be passive access, but proactive promotion through which the OMI offering was always proposed to the SME if there was an OMI solution to their problem. Despite multiple attempts to identify and establish an OMI solution for a problem, we were unable to promote OMI beyond the stage of a possible option and to achieve acceptance from an SME to use OMI technology. Multiple reasons exists for this: the huge difficulties identifying an OMI option if at all available; poor packaging and immature technology; low market profile for OMI developments suggesting they are not widely used and far from being a de-facto market standard; absence of previous experiences of applying the technology; most of the hardware developed within OMI is available only as chip building blocks (macrocells) not as chip-sets. In total the OMI option was rejected, as it was perceived to be too risky by the potential user. SMEs are highly risk-sensitive and usually do not operate in volumes justifying development of ASICs that can exploit OMI results, even if the macrocells were licensable with reasonable effort. The responsibility for marketing the OMI results lies with the companies originally developing the processor core or macrocell. The User Support Networks can, not and should not, take on this marketing effort. For the macrocells to find a market with the SMEs they must be turned into chip-sets easily available with proper documentation like application notes helping the SMEs engineer systems exploiting these chips. Knowledge about the available results is a key problem and there is an imminent need for a catalogue detailing what are available out of OMI, the availability of the products, terms and conditions, and application references.

15 Acceptance/Feature Matrices
THE END One of the initial services the networks intended to offer their clients was access to OMI results. It was envisioned that this should not be passive access, but proactive promotion through which the OMI offering was always proposed to the SME if there was an OMI solution to their problem. Despite multiple attempts to identify and establish an OMI solution for a problem, we were unable to promote OMI beyond the stage of a possible option and to achieve acceptance from an SME to use OMI technology. Multiple reasons exists for this: the huge difficulties identifying an OMI option if at all available; poor packaging and immature technology; low market profile for OMI developments suggesting they are not widely used and far from being a de-facto market standard; absence of previous experiences of applying the technology; most of the hardware developed within OMI is available only as chip building blocks (macrocells) not as chip-sets. In total the OMI option was rejected, as it was perceived to be too risky by the potential user. SMEs are highly risk-sensitive and usually do not operate in volumes justifying development of ASICs that can exploit OMI results, even if the macrocells were licensable with reasonable effort. The responsibility for marketing the OMI results lies with the companies originally developing the processor core or macrocell. The User Support Networks can, not and should not, take on this marketing effort. For the macrocells to find a market with the SMEs they must be turned into chip-sets easily available with proper documentation like application notes helping the SMEs engineer systems exploiting these chips. Knowledge about the available results is a key problem and there is an imminent need for a catalogue detailing what are available out of OMI, the availability of the products, terms and conditions, and application references.

Download ppt "DataGrid WP6/CA CA Trust Matrices"

Similar presentations

CERN STAR TAP June 2001 Status of the EU DataGrid Project Fabrizio Gagliardi CERN EU-DataGrid Project Leader June 2001

CERN STAR TAP June 2001 Status of the EU DataGrid Project Fabrizio Gagliardi CERN EU-DataGrid Project Leader June 2001
Israel, 10th and 11th of December 2003 Italy Israel Bi-national Seminar on Digital Access to Scientific and Cultural Heritage Antonella Fresa MINERVA Technical.

Israel, 10th and 11th of December 2003 Italy Israel Bi-national Seminar on Digital Access to Scientific and Cultural Heritage Antonella Fresa MINERVA Technical.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
11-Dec-01D.P.Kelsey, Authentication1 Authentication 11 Dec 2001 David Kelsey CLRC/RAL, UK

11-Dec-01D.P.Kelsey, Authentication1 Authentication 11 Dec 2001 David Kelsey CLRC/RAL, UK
THE EUROPEAN UNION How did Europe transition from a period of conflict to a period of sustained peace?

THE EUROPEAN UNION How did Europe transition from a period of conflict to a period of sustained peace?
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
CERN The European DataGrid Project Technical status www.eu-datagrid.org Bob Jones (CERN) Deputy Project Leader.

CERN The European DataGrid Project Technical status Bob Jones (CERN) Deputy Project Leader.
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin
HPC-Europa2 Funding research visits in Europe

HPC-Europa2 Funding research visits in Europe
DataGrid WP6/CA CA Acceptance/Feature Matrices Trinity College Dublin (TCD) Brian Coghlan Paris MAR-2002.

DataGrid WP6/CA CA Acceptance/Feature Matrices Trinity College Dublin (TCD) Brian Coghlan Paris MAR-2002.
MB - NG Managed Bandwidth - Next Generation. MB - NG u Project to investigate and pilot:  End-to-end traffic engineering and management over multiple.

MB - NG Managed Bandwidth - Next Generation. MB - NG u Project to investigate and pilot:  End-to-end traffic engineering and management over multiple.
Grid Projects: EU DataGrid and LHC Computing Grid Oxana Smirnova Lund University October 29, 2003, Košice.

Grid Projects: EU DataGrid and LHC Computing Grid Oxana Smirnova Lund University October 29, 2003, Košice.
13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.

13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.
The Grid approach for the HEP computing problem Massimo Sgaravatto INFN Padova

The Grid approach for the HEP computing problem Massimo Sgaravatto INFN Padova
DOE Grids New subordinate CP/CPS v2.3 New subordinate CP/CPS v2.3 New name DOEGrids.org New name DOEGrids.org Old name DOESciencegrid.org Old name DOESciencegrid.org.

DOE Grids New subordinate CP/CPS v2.3 New subordinate CP/CPS v2.3 New name DOEGrids.org New name DOEGrids.org Old name DOESciencegrid.org Old name DOESciencegrid.org.
The European DataGrid Project Team The EU DataGrid.

The European DataGrid Project Team The EU DataGrid.
10-Jun-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) CERN, 10 June 2003 David Kelsey CCLRC/RAL, UK

10-Jun-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) CERN, 10 June 2003 David Kelsey CCLRC/RAL, UK
ESnet PKI Developed for the DOE Science Grid and SciDAC.

ESnet PKI Developed for the DOE Science Grid and SciDAC.
DataGrid WP6/CA CA Trust Matrices Trinity College Dublin (TCD) Brian Coghlan CERN DEC-2002.

DataGrid WP6/CA CA Trust Matrices Trinity College Dublin (TCD) Brian Coghlan CERN DEC-2002.
8-Jul-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) RAL, 8 July 2003 David Kelsey CCLRC/RAL, UK

8-Jul-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) RAL, 8 July 2003 David Kelsey CCLRC/RAL, UK

Similar presentations

Ads by Google