Presentation is loading. Please wait.

Presentation is loading. Please wait.

Update on SHA-2 and RFC proxy support

Published byDrusilla Fletcher Modified over 6 years ago

Similar presentations

Presentation on theme: "Update on SHA-2 and RFC proxy support"— Presentation transcript:

1 Update on SHA-2 and RFC proxy support
GDB Maarten Litmaath CERN

2 Maarten Litmaath (CERN)
Reminder - the problem IGTF would like CAs to move from SHA-1 to SHA-2 signatures ASAP, to anticipate concerns about the long-term safety of the former See For WLCG this currently implies using RFC proxies instead of the Globus legacy proxies in use today See Jan GDB presentation for detailed explanation Switching to using the EMI Common Authentication Library (CANL) may help here: supports SHA-2 with legacy proxies Will be investigated by the dCache team GSI based delegation not yet supported, should not be hard Also BeStMan might use it then Maarten Litmaath (CERN)

3 Maarten Litmaath (CERN)
IGTF plans EUGridPMA/IGTF discussed the matter at various meetings Quote: “The date by which SHA-2 production certs may be issued will be NO LATER than January 2013 (and it is likely we will RECOMMEND CAs to move then, since it will take another 395 days to get rid of SHA-1 in a reasonable way)” That would give us 5 months to get ready for RFC and SHA-2 Looks impossible, in particular now that this year’s LHC run will be extended a few months into 2013 ! Neither experiments nor sites will want to rock the boat … A Plan B would be desirable  read on … Maarten Litmaath (CERN)

4 Current state of affairs
There are various pieces of middleware and experiment-ware that need to be made ready for SHA-2 or RFC proxy support SHA-2: dCache, BeStMan (RFC proxies already supported by these) RFC: Argus, CREAM, WMS, DIRAC, … Central EGI/OSG/… services EGI Operations will help with the assessment All EMI-2 products (released May 21) should support RFC proxies WMS not yet available Very little uptake so far Also SHA-2 should be supported, except for dCache – verified? It may be many weeks before the affected products can be endorsed by UMD for generic deployment on EGI sites EMI-2 is a major release with many changes OSG did not report additional constraints for their MW Maarten Litmaath (CERN)

5 Updated phases and milestones (1)
1. Deployment of SW supporting RFC proxies Proxy usage: Legacy RFC  only in special tests SHA-2  only in special tests SW supports: RFC  maybe SHA-2  maybe Milestone: All deployed SW supports RFC proxies  summer 2013 ? Additional goal: All deployed SW supports SHA-2, except dCache and BeStMan  summer 2013 ? Maarten Litmaath (CERN)

6 Updated phases and milestones (2)
2. Switch to RFC proxies  summer 2013 ? 3. Upgrade dCache and BeStMan Proxy usage: RFC SHA-2  only in special tests SW supports: SHA-2  maybe Milestone: All deployed SW supports SHA-2  autumn 2013 ? 4. Introduce SHA-2 CAs  Jan 2014 ? Plan B ?! Maarten Litmaath (CERN)

7 Maarten Litmaath (CERN)
Plan B proposal Introduce a new, short-lived WLCG catch-all CA It would issue SHA-1 certificates to any WLCG member whose CA no longer supports SHA-1 for new certificates Name space “*” Users Hosts, services Its own cert would be distributed in addition to the IGTF CAs As used to be done for the FNAL KCA Its lifetime would be 1 or 2 years, just to bridge the gap It would need to be in place before Jan 2013 Unless IGTF shift their timeline A significant effort … Our RFC and SHA-2 conversion efforts continue in parallel Maarten Litmaath (CERN)

Download ppt "Update on SHA-2 and RFC proxy support"

Similar presentations

IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.

IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.
The Middleware Readiness Working Group LHCb Computing Workshop LHCb Computing Workshop Maria Dimou IT/SDC 2014/05/22.

The Middleware Readiness Working Group LHCb Computing Workshop LHCb Computing Workshop Maria Dimou IT/SDC 2014/05/22.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
New VOMS servers campaign GDB, 8 th Oct 2014 Maarten Litmaath IT/SDC.

New VOMS servers campaign GDB, 8 th Oct 2014 Maarten Litmaath IT/SDC.
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Unified Middleware Distribution (UMD): SW provisioning to EGI Mario David.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Unified Middleware Distribution (UMD): SW provisioning to EGI Mario David.
OSG Security Review Mine Altunay December 4, 2008.

OSG Security Review Mine Altunay December 4, 2008.
Rob Quick OSG Operations Area Coordinator Manager High Throughput Computing Indiana University Integrating OSG Operational Services Rob Quick OSG Operations.

Rob Quick OSG Operations Area Coordinator Manager High Throughput Computing Indiana University Integrating OSG Operational Services Rob Quick OSG Operations.
WLCG GDB, CERN, 10th December 2008 Latchezar Betev (ALICE-Offline) and Patricia Méndez Lorenzo (WLCG-IT/GS) 1.

WLCG GDB, CERN, 10th December 2008 Latchezar Betev (ALICE-Offline) and Patricia Méndez Lorenzo (WLCG-IT/GS) 1.
Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.

Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.
MW Readiness Verification Status Andrea Manzi IT/SDC 21/01/2015 21/01/15 2.

MW Readiness Verification Status Andrea Manzi IT/SDC 21/01/ /01/15 2.
MW Readiness WG Update Andrea Manzi Maria Dimou Lionel Cons 10/12/2014.

MW Readiness WG Update Andrea Manzi Maria Dimou Lionel Cons 10/12/2014.
Ian Bird GDB CERN, 9 th September 2015 9 Sept 2015

Ian Bird GDB CERN, 9 th September Sept 2015
LCG Introduction John Gordon, STFC GDB December14 th 2011.

LCG Introduction John Gordon, STFC GDB December14 th 2011.
Status review and pending issues March 13, 2012 Oxford, UK David Groep, Nikhef, EUGridPMA, EGI and BiG Grid participation supported by IGE, the Initiative.

Status review and pending issues March 13, 2012 Oxford, UK David Groep, Nikhef, EUGridPMA, EGI and BiG Grid participation supported by IGE, the Initiative.
LCG Report from GDB John Gordon, STFC-RAL MB meeting February24 th, 2009.

LCG Report from GDB John Gordon, STFC-RAL MB meeting February24 th, 2009.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL

Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

Similar presentations

Ads by Google