Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 Towards Differentiated Identity Assurance as a collaborative.

Published byVictor Warren Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 Towards Differentiated Identity Assurance as a collaborative."— Presentation transcript:

1 www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 Towards Differentiated Identity Assurance as a collaborative effort David Groep, Nikhef and NL-NGI for EGI global task O-E-15 This work is supported by EGI-InSPIRE under NA2 davidg@nikhef.nl, orcid.org/0000-0003-1026-6606 http://dx.doi.org/10.6084/m9.figshare.678640

2 www.egi.eu EGI-InSPIRE RI-261323 Outline Aims of a global trust fabric –Elements of trust: technical, vetting, auditing –Participants in the trust fabric Assurance levels –IGTF ‘common criteria’ –Current APs Towards collaborative differentiated LoA –Distributing elements of trust decision –Light-weight Identity Vetting Environment: towards LoA 1+ –Limitations of a ‘LIVE AP’ and new LoA levels Federated MICS and SLCS authorities today 2013-04-11 Towards differentiated collaborative LoA

3 www.egi.eu EGI-InSPIRE RI-261323 Overlapping Communities – Common Trust 2013-04-11 Towards differentiated collaborative LoA Goals allow multiple sources of authority: User, Institute, Community acknowledge both long- and short-term community structures enable access to services and resources and at the same time enable security incident response &c to provide basis for access control decisions by resources providers (both generic and community based) Reduce over-all policy burden by adhering to common criteria

4 www.egi.eu EGI-InSPIRE RI-261323 Participants 2013-04-11 Towards differentiated collaborative LoA Many participants contribute to access control with trustworthy identity and attributes decision rests with the resource … service, site, &c …

5 www.egi.eu EGI-InSPIRE RI-261323 Requirements to fulfil 2013-04-11 Towards differentiated collaborative LoA Incident Response long-term* traceable independent from short-lived community must be revocable correlate with other information sources banning and containment handle Privacy and data protection important ‘unalienable right’ for research correlation of PII among service providers could allow profiling exchange of PII often fraught with issues Measurement and Accounting publication metrics usage metering, billing auditing and compliance monitoring identity lives in a policy ecosystem to protect all participants commensurate to their risk level Access Control Attribute handle unique binding never re-assigned Regulatory compliance need to know who you let in beforehand

6 www.egi.eu EGI-InSPIRE RI-261323 Redistributing responsibilities 2013-04-11 Towards differentiated collaborative LoA Subject (ID) based Effective LoA is retained For given actions, resources, and acceptable residual risk, required ID assurance is a given can shift ‘line’ in identity trust level Action (app) based More constraint actions can lower need for identity LoA (J)SPG VO Portal policy did just that: 4 levels of actions Resource (value) based e.g. access to wireless network does not pose huge risks, so can live with a lower identity LoA (eduroam)

7 www.egi.eu EGI-InSPIRE RI-261323 Trust Element Distribution 2013-04-11 Towards differentiated collaborative LoA Technical elements integrity of the roots of trust integrity of issuance process process incident response revocation capabilities key management credential management incident response Identity elements identifier management re-binding and revocation binding to entities traceability of entities emergency communications regular communications ‘rich’ attribute assertions correlating identifiers access control Verifiability & Response, mitigation, recovery IGTF Classic elements RP, Community elements

8 www.egi.eu EGI-InSPIRE RI-261323 IGTF Assurance Process 2013-04-11 Towards differentiated collaborative LoA Type and sensitivity of e-Infrastructure services drives the level of assurance required Security and assurance level set to be commensurate –not overly high for ‘commodity’ resources –not too low, as resource owners/providers otherwise start implementing additional controls on top of and over the common criteria –defined in collaboration with resource providers –using transparency and a peer review processes –leveraging our own community organisation mechanisms

9 www.egi.eu EGI-InSPIRE RI-261323 Assurance levels Trust in the assertions by resource and service providers is key Until now, our e-Infrastructure used a single ‘level’ –there are also well-known ‘government’ standards for LoA (US: OMB M-04-04 & NIST SP800-63, Kantara) –but 95/46/EC and 1999/93/EC are not of much use to us and the Nice treaty states that identity is a national matter … –there is rough but not 1:1 correspondence between balanced needs of the providers and users and the Kantara LoA levels 2013-04-11 Towards differentiated collaborative LoA For your interest: Kantara Assurance Levels http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1400-Service+Assessment+Criteria.pdf

10 www.egi.eu EGI-InSPIRE RI-261323 IGTF Trust Structure 2013-04-11 Towards differentiated collaborative LoA Common criteria and model –globally unique and persistent identifier provisioning –not fully normative, but based on minimum requirements Trust is technology agnostic –technology and assurance ‘profiles’ in the same trust fabric –‘classic’traditional public key infrastructure with near-realtime identity betting –‘MICS’dynamic ID provisioning leveraging federations –‘SLCS’on-demand short-lived token generation a basis for ‘arbitrary token’ services –+ experimental, or even new profiles … if there is interest inside IGTF scope! For your interest: IGTF Authentication Profiles http://www.eugridpma.org/guidelines/

11 www.egi.eu EGI-InSPIRE RI-261323 From IGTF to RP IGTF Distribution is not monolithic –Authorities comes in ‘bundles’ for each profile –RPs select one or more ‘profiles’ as sufficient and may add their own authorities as well –e.g: “EGI policy on trusted authorities” accepts Classic, MICS and SLCS And there is no ‘IGTF all’ distribution – on purpose! With more diverse profiles (and LoAs) RPs will make more diverse choices 2013-04-11 Towards differentiated collaborative LoA For your interest: EGI SPG policy on Approval of Certification Authorities, https://documents.egi.eu/document/83

12 www.egi.eu EGI-InSPIRE RI-261323 Collaborative assurance PRACE T1 (“DEISA”) centres –Users run applications across the infrastructure –All originate from a home site inside the infrastructure where they are fully known personally and have gone through a thorough vetting process –Home site distributes this knowledge actively towards the other centres (through a central LDAP) So some of the identity elements of trust already done XSEDE is likely be similar even wLCG is somewhat similar … through CERN HR 2013-04-11 Towards differentiated collaborative LoA I’m hopefully not misrepresenting Jules Wolfrat for PRACE here … redistribution of responsibilities: a new profile

13 www.egi.eu EGI-InSPIRE RI-261323 An IGTF Profile to match ‘Light-weight Identity Vetting Environment’ as seen from the IdP/authority side complemented by the RP to profile full vetting 2013-04-11 Towards differentiated collaborative LoA Vetting LoA scale LoA 0: ‘like conventional unsigned email’ * somewhat my personal view … sorry for bias 1 2 …3,4

14 www.egi.eu EGI-InSPIRE RI-261323 LiveAP and its Caveats Live AP assurance level is different, and rest must be taken up by somebody else But e.g. in EGI –many communities rely on names to enrol people –communities do not keep much of auditable records –users are a-priori unknown to the resource owners –RPs support loosely organised communities –RPs thus need independent authoritative real names 2013-04-11 Towards differentiated collaborative LoA Identity elements identifier management re-binding and revocation binding to entities traceability of entities emergency communications regular communications ‘rich’ attribute assertions correlating identifiers access control

15 www.egi.eu EGI-InSPIRE RI-261323 Technical trust remains loosing technical trust would make any authentication infrastructure useless so integrity of the issuer has to be retained –just like for the AA Operations Guidelines –similar to the classic, mics and slcs profiles –both issuing system and ID management secure –retention of records for incident response When contracting back-end (university) IdPs the requirements must apply to them as well 2013-04-11 Towards differentiated collaborative LoA

16 www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 Light-weight Identity Vetting Environment The Profile 2013-04-11 Towards differentiated collaborative LoA

17 www.egi.eu EGI-InSPIRE RI-261323 Disclaimer LIVE AP is not ready, and IGTF will make significant changes Needs global consensus Target date: ~ Q1 2014 Input, specifically from RPs, very welcome! 2013-04-11 Towards differentiated collaborative LoA

18 www.egi.eu EGI-InSPIRE RI-261323 DRAFT LIVE AP Identity Persistency of name binding –any single subject name in a credential must be linked with one and only one entity for the whole lifetime of the service Naming –name elements […] sufficient to uniquely identify individual –sourced from ‘reasonable’ systems –real name or pseudonym with compensatory controls: –only in conjunction w/verified name element allowing contact to subject -- and the pseudonymity should be ‘obvious’ Re-issuance, renewal and re-keying –authority should keep enough data to re-vet use of name Tracability requirements –at issuance time the authority should identify user, and that relationship should be documented and verifiable 2013-04-11 Towards differentiated collaborative LoA

19 www.egi.eu EGI-InSPIRE RI-261323 DRAFT LIVE AP Technical We expect a secure, on-line CA system –Long-term commitment, security controls and trained personnel –With FIPS140-2 level 3 or equivalent HDM controlling key –2+ tier system on monitored controlled network revocation capable –so at least better than ssh ;-) Documented, transparent, policy and practices –Including provisions for auditing by peers Some requirements propagate back to upstream IdPs! Credentials in common recognisable formats –Initially X.509v3 certificates, but profile is mostly generic! 2013-04-11 Towards differentiated collaborative LoA

20 www.egi.eu EGI-InSPIRE RI-261323 http://wiki.eugridpma.org/Main/LiveAPSecuredInfra DRAFT will change

21 www.egi.eu EGI-InSPIRE RI-261323 What Happens Next together with the cross-national RPs and national members (proxying national RPs) ‘LIVE AP’ will be developed to full AP guideline –this will introduce a truly new LoA for the first time –LoA higher than Kantara LoA 1, but much lower than 2 (and also lower than classic and MICS, and even <SLCS) –contributions welcome through your RP or national authority membr once reasonable consensus is achieved … –RPs may decide to accept authorities under this profile for (some) of their services. Or not. –don‘t automatically expect all RPs to treat it as equivalent to MICS … unless the RP does its own vetting already 2013-04-11 Towards differentiated collaborative LoA

22 www.egi.eu EGI-InSPIRE RI-261323 Today’s Federated e-Science ID Promo… Towards differentiated collaborative LoA Map colour coding Green: classic accredited authority Blue: federated (+classic) authority Yellow: pending classic accreditation Also in USA: CILogon based on InCommon in Japan: new SLCS by NII Federated ‘translating’ authorities: integrity requirements propagate to all data sources e.g. TERENA Certificate Service eScience MICS, the DFN-AAI SLCS, SWITCHaai SLCS 2013-04-11

23 www.egi.eu EGI-InSPIRE RI-261323 2013-04-11 Towards differentiated collaborative LoA ?

Download ppt "Www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 Towards Differentiated Identity Assurance as a collaborative."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 The IGTF IOTA Profile towards differentiated assurance levels.

EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI The IGTF IOTA Profile towards differentiated assurance levels.
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Portals and Authentication Issues and Solution Directions from a CA and IGTF Perspective David.

INFSO-RI Enabling Grids for E-sciencE Portals and Authentication Issues and Solution Directions from a CA and IGTF Perspective David.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
David Groep EUGridPMA The International Grid Trust Federation enabling an interoperable global trust fabric also supported by EGI.eu EGI-InSPIRE RI-261323,

David Groep EUGridPMA The International Grid Trust Federation enabling an interoperable global trust fabric also supported by EGI.eu EGI-InSPIRE RI ,
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.

David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.

LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
Ning Zhang, the University of Manchester, UK David Groep, National Institute for Nuclear and High Energy Physics, NL Blair Dillaway, OGF Security Area.

Ning Zhang, the University of Manchester, UK David Groep, National Institute for Nuclear and High Energy Physics, NL Blair Dillaway, OGF Security Area.
Updates from the EUGridPMA David Groep, July 16 st, 2007.

Updates from the EUGridPMA David Groep, July 16 st, 2007.
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication.
Identity Management in Open Science Grid Identity Management in Open Science Grid Challenges, Needs, and Future Directions Mine Altunay OSG Security Officer.

Identity Management in Open Science Grid Identity Management in Open Science Grid Challenges, Needs, and Future Directions Mine Altunay OSG Security Officer.

Similar presentations

Ads by Google