Presentation is loading. Please wait.

Presentation is loading. Please wait.

Assessing Combined Assurance

Published byΑναστασούλα Βλαβιανός Modified over 6 years ago

Similar presentations

Presentation on theme: "Assessing Combined Assurance"— Presentation transcript:

1 Assessing Combined Assurance
Introducing composites of DOGWOOD and BIRCH/CEDAR in EGI and beyond David Groep Nikhef co-supported by the Dutch National e-Infrastructure coordinated by SURF, and by EGI Core Services

2 EGI Combined Assurance use case
IOTA AP assurance level ‘DOGWOOD’ is different, but remainder of the assurance can be taken up somebody else – the user community or the registrar for the Access Platform Only thing you get is an opaque ID Stepping up to adequate assurance: Real names from pseudonyms Enrolling users in a community Keeping audit records Auditability and tracing Incident response Identity elements identifier management re-binding and revocation binding to entities traceability of entities emergency communications regular communications ‘rich’ attribute assertions correlating identifiers access control Evolving the EGI Trust Fabric - Bari 2015

3 The wLCG IOTA CA by-pass
‘lcg-CA’ or explicit configuration For EGI-only sites nothing changed For EGI sites also under wLCG policy and installed post-EGEE: just install both policy packages “egi-core” and “lcg” ca-policy-egi-core IGTF Classic ca-AEGIS IGTF MICS ca-TCS IGTF SLCS ca-DFN-AAI ca-policy-lcg IGTF Classic ca-AEGIS IGTF MICS ca-TCS IGTF SLCS ca-DFN-AAI ca-CERN-LCG-IOTA Evolving the EGI Trust Fabric - Bari 2015

4 Project MinE (ALS) use case
Access traditional global grid resources from the CLI By users that have no PKIX experience but are all properly vetted and registered (in the SURFsara CUA) Case comparable to LHC VOs (and to ELIXIR) Give access based on DOGWOOD CUA ID – and prepopulate a VOMS server based on CUA details 15 November 2018 Leveraging the IGTF registration network for research

5 Leveraging the IGTF registration network for research
Thanks to Mischa Sallé Interlude 15 November 2018 Leveraging the IGTF registration network for research

6 A proxy from the TTS: the ad-hoc way
additional info: Mischa Sallé, 15 November 2018 Leveraging the IGTF registration network for research

7 A one-time URL giving a shell script
additional info: Mischa Sallé, 15 November 2018 Leveraging the IGTF registration network for research

8 Register your ssh public key – like in gitlab, sourceforge, &c
additional info: Mischa Sallé, 15 November 2018 Leveraging the IGTF registration network for research

9 Hiding PKIX – just like KRB
Implicit retrieval of proxies using ssh-agent Resulting proxies can decorated with VOMS without need for passphrases or other credentials Predictable RCauth subject naming (USR) allows pre-registering in VOMS, COmanage, &c additional info: Mischa Sallé, 15 November 2018 Leveraging the IGTF registration network for research

10 Beyond DOGWOOD (CERN IOTA, RCauth, CILogon Basic)
Old model: CERN STS tight VO binding model With the EGI and WLCG specific exception EGI combined assurance model Make assurance combination part of service AuthZ Implemented by major AuthZ frameworks: Argus (1.7.1+), LCMAPS, dCache (3.1+) Configuration shipped via EGI and WLCG But: which ‘other’ assurance providers qualify? 15 November 2018 Leveraging the IGTF registration network for research

11 Distributed Responsibilities I: Trusted Third Party
Evolving the EGI Trust Fabric - Bari 2015

12 Evolving the EGI Trust Fabric - Bari 2015
Distributed Responsibilities II: Collaborative Assurance & Traceability Evolving the EGI Trust Fabric - Bari 2015

13 Leveraging the IGTF registration network for research
IOTA in the EGI context EGI – by design - supports loose and flexible user collaboration 300+ communities Many established ‘bottom-up’ with fairly light-weight processes Membership management policy* is deliberately light-weight Most VO managers rely on naming in credentials to enroll colleagues Only a few VOs are ‘special’ LHC VOs: enrolment is based on the users’ entry in a special (CERN-managed) HR database, based on a separate face-to-face vetting process and eligibility checks, including government photo ID + institutional attestations Only properly registered and active people can be listed in VOMS 15 November 2018 Leveraging the IGTF registration network for research

14 Developing an assessment framework
15 November 2018 Leveraging the IGTF registration network for research

15 Leveraging the IGTF registration network for research
The need for guidance 15 November 2018 Leveraging the IGTF registration network for research

16 Assessment Matrix Mapping for PKIX/RFC3647 is trivial
How to apply out BIRCH/CEDAR guidance to community registries? Relevant for COmanage & VOMS communities, but maybe wider? 15 November 2018 Leveraging the IGTF registration network for research

17 Building a global trust fabric
Discussion! Building a global trust fabric Leveraging the IGTF registration network for research

Download ppt "Assessing Combined Assurance"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 The IGTF IOTA Profile towards differentiated assurance levels.

EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI The IGTF IOTA Profile towards differentiated assurance levels.
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.

David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.

LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.
Identity Management Levels of Assurance WLCG GDB CERN, 8 Apr 2009 David Kelsey STFC/RAL david.kelsey AT stfc.ac.uk.

Identity Management Levels of Assurance WLCG GDB CERN, 8 Apr 2009 David Kelsey STFC/RAL david.kelsey AT stfc.ac.uk.
Www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 Towards Differentiated Identity Assurance as a collaborative.

EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI Towards Differentiated Identity Assurance as a collaborative.
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.

Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.
A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) 1 st WISE, Barcelona 20 Oct 2015.

A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) 1 st WISE, Barcelona 20 Oct 2015.
IOTA AP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure and SURFsara.

IOTA AP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure and SURFsara.
DTI Mission – 29 June 2004 - 1 LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL

Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
Www.egi.eu EGI-InSPIRE RI-261323 EGI www.egi.eu EGI-InSPIRE RI-261323 Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.

EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.

Similar presentations

Ads by Google