
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.


2 Contents
D. Olson, NIST PKI Workshop, 5 April 2006
OSG
Why we use X.509 PKI
How we use it
What's wrong with it


4 www.opensciencegrid.org
21 registered Scientific Virtual Organizations
51 Compute resources, 6 Storage resources (~20 additional on the integration grid)
O(1000) running and O(1000) pending jobs (low usage due to growing pains)
Strongest driver today is the LHC science program. Many other science programs are also users and participants.
Interoperation with EGEE, TeraGrid, and numerous regional & campus grids.
85% of DOEGrids PKI certificates: ~1000 OU=People, 3000 OU=Services

5 Why do we use PKI? Globus GSI
We have built and are growing a grid and use whatever security infrastructure is available and practical.
Interoperability with the world-wide open science community is essential.
–This means Globus pre-WS GSI (& WS GSI) X.509
–Additional supporting infrastructure has been deployed: VOMS, GUMS, Prima, CA/CRL distribution, IGTF
–And ….. the IGTF RA human infrastructure is functioning

6 How do we use PKI?
DOEGrids PKI, operated by ESnet, is our primary provider.
–There is a KCA at Fermilab operating as an SLCS for person certificates, for registered Fermilab computer users.
We operate the distributed human RA network to authenticate requests: signed email & telephone.
End Entities hold private keys.
OU=Services certs are used as SSL certs for host & service identification.
Virtual Organizations (VOs) manage users via VOMS servers, using the DN of the EE and issuer as identifier, and holding additional attributes for authorization.

7 How do we use PKI? (Validation, AuthZ)
Certificate validation during grid transaction
–Proxy certificates (now some RFC exists)
–Trusted CAs & CRL URLs downloaded from VDT
–CRL updates using EDG tools on each resource
Resource authZ
–"Recommended" means is to do Role Based AuthZ by use of Prima & GUMS to interpret VOMS extended proxy certs and map to local UID/GID based on attributes signed by the VOMS server.
–Many sites use classic pre-WS GSI and tools to download gridmap-file entries from VOMS servers

8 What is wrong with it
Incomplete infrastructure for managing user private keys
–Just files in users' home directory(ies)
–Myproxy helps - substitution of private key/passphrase with username/password (huh???)
X.509 needs mapping to resource security infrastructure (uid/gid)
–Gridmap-file – but the proxy does not follow the process group, except through reliance upon the same uid, and it is common practice to map an entire VO to a single uid.
–Ownership of long-lived data???
Use short-lived proxies to allow single sign-on
–then do credential renewal to get a long enough lifetime
Revocation is cumbersome & slow
–Symmetric with initial authentication & certificate issuance
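The gridmap-file mapping discussed on slides 7 and 8, as an added example that is not part of the presentation: a small Python parser for the classic Globus grid-mapfile layout (a quoted subject DN followed by a comma-separated list of local accounts, the first being the default; this layout is assumed here) that resolves a DN to its local account and flags accounts shared by several DNs, i.e. the "entire VO mapped to a single uid" pattern. The sample entries are constructed.

```python
import re
from collections import defaultdict

# Constructed sample grid-mapfile (not from the presentation).
# Assumed layout: "<subject DN>" <account>[,<account>...]; first account is the default.
SAMPLE_GRIDMAP = '''\
"/DC=org/DC=doegrids/OU=People/CN=Alice Example 100001" alice
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 100002" bob,cms
"/DC=org/DC=doegrids/OU=People/CN=Carol Example 100003" cms
"/DC=org/DC=doegrids/OU=People/CN=Dave Example 100004" cms
"/DC=org/DC=doegrids/OU=Services/CN=host/ce.example.org" cms
# comment lines and blank lines are ignored
'''

LINE_RE = re.compile(r'^\s*"(?P<dn>[^"]+)"\s+(?P<accounts>\S+)\s*$')


def parse_gridmap(text):
    """Return {dn: [accounts...]} for every well-formed mapping line."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            # A malformed line is rejected rather than silently skipped, so an
            # editing mistake cannot quietly drop or widen an authorization entry.
            raise ValueError(f"malformed grid-mapfile line {lineno}: {line!r}")
        mapping[m.group('dn')] = m.group('accounts').split(',')
    return mapping


def default_account(mapping, dn):
    """Local account the DN is mapped to by default, or None if the DN is unmapped."""
    accounts = mapping.get(dn)
    return accounts[0] if accounts else None


def shared_accounts(mapping, threshold=2):
    """Local accounts that are the default target of at least `threshold` distinct DNs.

    This is the 'whole VO on one uid' pattern from the slides: jobs and files under
    such an account cannot be attributed to one end entity by uid alone.
    """
    owners = defaultdict(list)
    for dn, accounts in mapping.items():
        owners[accounts[0]].append(dn)
    return {acct: dns for acct, dns in owners.items() if len(dns) >= threshold}
```

Running `shared_accounts(parse_gridmap(SAMPLE_GRIDMAP))` on the constructed data reports the `cms` account as shared by three DNs, the situation in which uid-based ownership of long-lived data is ambiguous.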

