Download presentation
Presentation is loading. Please wait.
Published byBruce French Modified over 9 years ago
1
Summary from CA coordination and Security working group meeting WP4 workshop 2001.06.07 davidg@nikhef.nl
2
David Groep – CA and DG security wg – 2001.06.07 - 2 Security related meetings summary u Certification Authorities coordination n Organizationally a working group of WP6 n Coordinates efforts for certification in various counties n Gives guidance to new CA’s now setting up n Sets minimum standards for trustworthy CA’s u DataGrid Security coordination meeting n Interested individuals concerned with security in the DataGrid at large n Forum for security architecture discussions n Coordination of security efforts within the WP’s
3
David Groep – CA and DG security wg – 2001.06.07 - 3 Certification Authorities u Currently 8 Certification Authorities: n CERN (Pietro Martucci) n INFN (Roberto Cecchini) n DutchGrid/NIKHEF (David Groep) n UKHEP (Andrew Sansum) n CNRS datagrid-fr (Jean-Luc Archimbaud) n LIP (Jorge Gomes) n CESnet (Milan Sova and Daniel Kouril) n Spain is preparing, Russia will start preparing
4
David Groep – CA and DG security wg – 2001.06.07 - 4 Certification minimal requirements u Minimal requirements for certification authorities defined n Non-networked machine n Documented Certification Policy and Practice Statement (CP/CPS) n Traceability of CPS in effect at time of signing (using OID’s) n CRL issuing required, lifetime between 7 and 30 days n Relying parties should retrieve CRL preferably every day n There will be no on-site auditing, we will crosscheck each others CP/CPS n Entities should generate own key pairs (CA must not know!) u Activity on recommending best-practice Grid CP/CPS in GGF (DataGrid has no manpower to get heavily involved) u Drafted a list of recommended cert extensions
5
David Groep – CA and DG security wg – 2001.06.07 - 5 Certification Authorities in a Fabric u None of the national CAs is prepared to issue host certificates to all hosts in a farm u OK to apply for gatekeeper certs for LSF masters and such u OK also for test bed 1 hosts with fork job manager u WP4 has already a possible solution: FLIDS Automatic CRL retrieval, use the GetCerts package from cron soon to be included in WP6 distribution, now from DutchGrid CA site http://certificate.nikhef.nl/
6
David Groep – CA and DG security wg – 2001.06.07 - 6 Certification Authorities, Administrative u A ca-coordination mailing is being set up by Dave Kelsey u List can be used for incident reporting u See also http://marianne.in2p3.fr/datagrid/ca/ca.htmlhttp://marianne.in2p3.fr/datagrid/ca/ca.html u Detailed notes to be found from http://www.nikhef.nl/~davidg/grid/
7
DataGrid Security working group
8
David Groep – CA and DG security wg – 2001.06.07 - 8 DG Security-wg aims u Identify security requirements and deliverables witin the WPs u Implications of security on the DataGrid architecture (urgent) u Identify lacking resources u Self-organisation u Extensive discussions planned for Lecce with Steve Tuecke
9
David Groep – CA and DG security wg – 2001.06.07 - 9 Security per Work Package (1) u WP1 n Will be managing the user’s identities n Jobs will probably run with the identity of the original user n The applications don’t care, as long as: s Roles can be assigned to users and s Quota can be associated with roles s A user can have multiple roles (in different sessions), but only one cert u WP2 n Same issue with ownership of replicated files. Not resolved yet.
10
David Groep – CA and DG security wg – 2001.06.07 - 10 Security per Work Package (2) u WP3 n Will start using MDS-2 in PM9 n Will have added GSI security, but does not use LDAP access rights n No sub tree or element access control, just grid mapfile n Only just started thinking about security issues for >PM9 u WP4 n Presented use case of job submission, GjMS, LCAS, LCMAPS & FLIDS n For grid info services use WP3 framework n “GridGate” should be relabelled “NAT box” n No security comments on install-a-fresh-box use case
11
David Groep – CA and DG security wg – 2001.06.07 - 11 Security per Work Package (3) u WP5 n Will store files by uid/gid n Will need a grid mapfile n May be different form the one used by ComputeElement n YAGM: Yet Another Grid Mapfile u WP7 n Interesting: they have three security deliverables and some committed manpower (PPARC 18 pm/3y, CERN 12 pm/3y, INFN & CNRS also) n No-one in WP7 cares about security at large n Only competent in network-layer security, so work might be done under ATF umbrella, formally staying in WP7 n Once and for all: VPNs are a bad thing. The effort for the VPN test bed is going into a document to prove VPNs are useless n DoS attacks will be the real issue in network security
12
David Groep – CA and DG security wg – 2001.06.07 - 12 Security per Work Package (4) u WP8,10 (applications) n Want less fuss with national CA’s (150 counties in LHC!) sorry! n Want single signon: one identity and multiple roles (1 role per session) n Autorization by VO, VO decides on quota and groups n Requirement common to all applications justify a common solution (CAS) n Applications want to keep local site in control, but n Local sites should publish their policies (abstracted) to show they are complying with the agreed MoUs n Want a good USERS GUIDE u WP10 has a lot of sensitive data, encryption preferred on application level u “anonymous ftp” like areas, but restricted to “any biologist”
13
David Groep – CA and DG security wg – 2001.06.07 - 13 Policy language u Obvious candidate is the work of the IRTF AAAARCH group u Generic policy language currently an IRTF draft u http://iridal.phys.uu.nl/~aaaarch/doc08/ http://iridal.phys.uu.nl/~aaaarch/doc08/ u Or http://www.aaaarch.org/
14
David Groep – CA and DG security wg – 2001.06.07 - 14 Interaction between CE and SE u Details: ATF (Germán) u Some consensus seems to be n Use GridFTP for for remote and local access to a SE n Applications are prepared to refrain from local file system access (not use open(2)) n Except for some scratch storage like /tmp n Legacy applications should pre-declare their files n To prevent rouge applications, the binaries may be signed n The receiving end should verify the signature n Users can make no assumptions about a local identity anywhere (gsi-ssh)
15
David Groep – CA and DG security wg – 2001.06.07 - 15 Firewall issues u Current state on port numbers used is unclear u Especially for return ports and user dynamic ports u Nice to have all future access use predefined static ports, u Providing secure gateways into the local fabric u Like the WP4 proposal u To be able to selective block malicious access
16
David Groep – CA and DG security wg – 2001.06.07 - 16 User mapping management for PM9 u INFN: LDAP directory of users and groups generates a gridmapfile n URL not yet defined u Manchester: gridmapdir patch n http://www.hep.grid.ac.uk/gridmapdir/ http://www.hep.grid.ac.uk/gridmapdir/ n Possibly included in new Globus release by default Uid issues: most systems do 4 billion uids, but Linux ≤ 2.2.x only 64K?
17
David Groep – CA and DG security wg – 2001.06.07 - 17 Future of the security working group u Dave Kelsey will propose a somewhat more formal body to the PTB u Should be driven by 3 named persons, to come from the three sites with committed effort (PPARC, INFN, CNRS) u Lot of others should review documents and/or write a few pages for the architecture u Framework for architecture given by DaveK u Requirements by September/October u Final Security architecture deliverable is in PM12 u Detailed notes at http://www.nikhef.nl/~davidg/grid/
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.