
The Americas Grid Policy Management Authority (TAGPMA) Derek Simmel, TAGPMA Chair June 23, 2015.


1 The Americas Grid Policy Management Authority (TAGPMA)
Derek Simmel, TAGPMA Chair
June 23, 2015

2 © 2010 Pittsburgh Supercomputing Center © 2015 Pittsburgh Supercomputing Center
TAGPMA Presentation Overview
– Background
– Community
– What is TAGPMA?
– IGTF Regional PMAs, Profiles and Processes
– TAGPMA Leadership, Members and CAs
– TAGPMA Meetings

3 Background
Public Key Infrastructure (PKI)
– X.509 digital certificates: data digitally signed by the issuer (a signature over a cryptographic hash of the certificate contents), typically used for identity credentials of hosts, services and people
– Certificate Authorities (CAs) securely issue digital certificates
– Registration Authorities (RAs) verify the identity of end entities requesting certificates
– Relying Parties (RPs): any person or organization that trusts a CA and depends (relies) upon the CA to issue certificates
– Internet protocols, e.g., SSL, TLS

4 Background
Grid / Cloud computing & Web Services
– Distributed computing with standards-based interfaces for secure authentication and secure communications:
  Open Grid Forum (OGF): www.ogf.org
  Organization for the Advancement of Structured Information Standards (OASIS): www.oasis-open.org
  World Wide Web Consortium (W3C): www.w3.org
  Certificate Authority/Browser Forum: www.cabforum.org
  Internet Engineering Task Force (IETF): www.ietf.org

5 Community
High Performance Computing (HPC)
– primarily with the HPC computational science communities
– national and international HPC cyberinfrastructures, e.g.:
  European Grid Infrastructure (EGI)
  U.S. National Science Foundation (NSF) XSEDE
  Partnership for Advanced Computing in Europe (PRACE)
  U.S. NSF & DoE Open Science Grid (OSG)
  Worldwide Large Hadron Collider (LHC) Grid (WLCG)
High Throughput Computing (HTC)
– cloud computing and high-scaling computing on collections of distributed nodes
Grid/Cloud Distributed Computing & Storage
National, Institutional and Commercial CAs

6 Community - EGI

7 Community - XSEDE

8 Community - PRACE
PRACE Tier-0 Systems

System       Type              Location          Production
CURIE        Bull x86 cluster  CEA, France       March 2012
FERMI        IBM BG/Q          CINECA, Italy     April 2012
Hornet       Cray XC40         HLRS, Germany     November 2014
JUQUEEN      IBM BG/Q          Jülich, Germany   January 2013
MareNostrum  IBM iDataPlex     BSC, Spain        June 2013
SuperMUC     IBM iDataPlex     LRZ, Germany      April 2012

9 Community - OSG

10 Community - WLCG
Worldwide Large Hadron Collider Grid (illustration courtesy Ian.Bird@cern.ch)
– Tier-0 (CERN): data recording, initial data reconstruction, data distribution
– Tier-1 (11 centres): permanent storage, re-processing, analysis
– Tier-2 (~130 centres): simulation, end-user analysis

11 What is TAGPMA?
The Americas Grid Policy Management Authority (TAGPMA) is one of three regional PMAs that comprise the Interoperable Global Trust Federation (IGTF, www.igtf.net).
The purpose of IGTF is to establish and foster strong trust relationships among individuals and institutions worldwide, so that trusted authentication and authorization of access by/to people, systems, and services can occur across the Internet.
Each regional PMA accredits authentication providers and registration authorities within its region.
IGTF maintains a distribution of trusted CA data (https://dist.igtf.net) that relying parties can download and use in their infrastructures to validate the credentials of users, systems and services issued by one of the IGTF-accredited CAs.

12 IGTF Regional PMAs
– APGridPMA
– TAGPMA
– EUGridPMA

13 IGTF Accreditation Profiles
Classic X.509 CA
– Traditional CA operated with secured infrastructure
– Classic CAs issue long-term certificates with lifetime up to 400 days
– Subscriber identity vetting is face-to-face or equivalent
– https://www.igtf.net/ap/classic/IGTF-AP-classic-4-4.pdf
MICS: Member Integrated X.509 PKI Credential Services
– Online CA that issues certificates based on pre-existing identity data maintained by a federation or large organization
– MICS CAs issue long-term certificates with lifetime up to 400 days
– http://tagpma.es.net/wiki/pub/Main/TagMICS/IGTF-AP-MICS-1.3.pdf

14 IGTF Accreditation Profiles (continued)
SLCS: Short-Lived X.509 PKI Credential Services
– Online CA that issues short-lived certificates based on pre-existing identity data maintained by a federation or large organization
– SLCS CAs issue certificates with a lifetime of up to 1,000,000 seconds
– Common example: MyProxy CAs
– https://tagpma.es.net/wiki/pub/Main/SLCS2/SLCS-2.2.pdf
IOTA: Identifier-Only Trust Assurance
– Online CA that issues certificates based on successful authentication to a federated identity management infrastructure
– Traceability of issued certificates to subscribers may be limited
– Common example: CILogon-Basic CA
– http://www.gridpma.org/ap/iota/IOTA-Secured-Infra-AP-1.1.pdf
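As an added example (not part of the presentation), the following Python checks a certificate's validity period against the lifetime caps the two profile slides above state (400 days for Classic and MICS, 1,000,000 seconds for SLCS). The issuer-to-profile table is constructed here from three CA DNs that appear later in the slides; a relying party would normally derive it from the IGTF distribution.

```python
from datetime import datetime, timedelta

# Maximum certificate lifetimes stated in the IGTF profile slides above.
PROFILE_MAX_LIFETIME = {
    "classic": timedelta(days=400),
    "mics": timedelta(days=400),
    "slcs": timedelta(seconds=1_000_000),  # a little over 11.5 days
}

# Issuer DN -> profile, constructed here from the CA DNs on the slides; a
# relying party would normally build this from the IGTF distribution's metadata.
ACCREDITED_CAS = {
    "/DC=DigiCert-Grid/DC=com/O=DigiCert Grid/CN=DigiCert Grid CA-1 G2": "classic",
    "/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1": "mics",
    "/C=US/O=Pittsburgh Supercomputing Center/CN=PSC MyProxy CA": "slcs",
}

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # UTC timestamps such as "2015-06-23T00:00:00Z"


def parse_dn(dn):
    """Split an OpenSSL-style slash-separated DN into (attribute, value) pairs.
    Assumes no value contains '/', which holds for every DN on the slides."""
    pairs = []
    for rdn in filter(None, dn.split("/")):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr, value))
    return pairs


def check_lifetime(issuer_dn, not_before, not_after):
    """Return (ok, reason) for a validity period checked against the issuer's
    profile cap. Unknown issuers fail closed, since a relying party should only
    accept credentials that chain to an accredited CA."""
    parse_dn(issuer_dn)  # reject malformed DNs before the table lookup
    profile = ACCREDITED_CAS.get(issuer_dn)
    if profile is None:
        return False, "issuer is not an accredited CA in the table"
    start = datetime.strptime(not_before, TIME_FMT)
    end = datetime.strptime(not_after, TIME_FMT)
    if end <= start:
        return False, "notAfter must be later than notBefore"
    lifetime, cap = end - start, PROFILE_MAX_LIFETIME[profile]
    if lifetime > cap:
        return False, f"{profile} certificate lifetime {lifetime} exceeds cap {cap}"
    return True, f"{profile} certificate lifetime {lifetime} within cap {cap}"
```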

15 CA Accreditation Process
Membership Application
– Organization applies for membership as an AP
– TAGPMA members vote to accept/decline membership
Member requests accreditation of a CA
– Member describes the CA and the desired CA profile
– A TAGPMA mentor is assigned
– Two TAGPMA member reviewers are assigned
Reviewers examine the CA's Certificate Policy and Certification Practice Statement (CP/CPS)
– Reviewers work with the applicant to resolve issues
– TAGPMA members vote to accept/decline the CA
Operational Review
– Reviewers test operational aspects of the CA
– Upon successful completion of the operational tests, the CA is considered “TAGPMA accredited”
CA operators prepare and submit the CA certificate and data for IGTF distribution
– A designated TAGPMA “trusted introducer” verifies the CA certificate and related data, digitally signs the file containing them, and submits it to IGTF
– IGTF adds the new CA certificate and data to a pre-release collection for testing, and upon successful testing adds it to the next scheduled public IGTF distribution
– (optional) The CA operator applies to the TERENA Academic Certification Authority Repository (TACAR) to have their CA certificate added to the TACAR distribution. A designated TAGPMA “trusted introducer” verifies the CA certificate and related data, digitally signs the file containing them, and submits it to TACAR for inclusion in the TACAR distribution.

16 TAGPMA Leadership
Chair: Derek Simmel (PSC)
– dsimmel@psc.edu
Chair for Latin America: Ale Stolk (ULAGrid)
– astolk@ula.ve
– Coordinates activities with Spanish-speaking partners and members and leads TAGPMA Español meetings
Vice Chair: Scott Rea (DigiCert + REBCA)
– Scott@DigiCert.com
Secretary: Ale Stolk
Webmaster: Scott Rea

17 Current TAGPMA Members

Organization  Country      Representative                      AP/RP
DigiCert      USA          Scott Rea                           AP
FNAL          USA          Irwin Gaines                        AP
GridCanada    Canada       Andre Charbonneau                   AP
IBDS ANSP     Brazil       Gabriel von Winckler                AP
InCommon      USA          Jim Basney                          AP
NCSA          USA          Jim Basney                          AP
NERSC         USA          Jeff Porter                         AP
NICS          USA          Victor Hazlewood (Jason Charcalla)  AP
PSC           USA          Derek Simmel                        AP
REUNA         Chile        Sandra Jaque                        AP
SDSC          USA          Scott Sakai                         AP
UFF           Brazil       Vinod Rebello                       AP
UNAM          Mexico       Manuel Quintero (Jhonatan López)    AP
UNIANDES      Colombia     Andres Holguin                      AP
UNLP          Argentina    Paula Venosa (Alejandro Lara)       AP
ESNet         USA          Dhiva Muruganantham                 RP
OGF           USA          Alan Sill                           RP
OSG           USA          Jim Basney                          RP
REBCA         USA          Scott Rea                           RP
redCLARA      Chile/LAC    Luis A. Núñez                       RP
ULAGrid       Venezuela    Alejandra Stolk                     RP
WLCG          Switzerland  Dave Kelsey                         RP
XSEDE         USA          Jim Marsteller                      RP

18 TAGPMA Classic CAs (14)
Argentina (UNLP):
– /C=AR/O=e-Ciencia/OU=UNLP/L=CeSPI/CN=PKIGrid
Brazil (ANSP, UFF):
– /C=BR/O=ANSP/OU=ANSPGrid CA/CN=ANSPGrid CA
– /C=BR/O=ICPEDU/O=UFF BrGrid CA/CN=UFF Brazilian Grid Certification Authority
Canada (GridCanada):
– /C=CA/O=Grid/CN=Grid Canada Certificate Authority
Chile (REUNA):
– /C=CL/O=REUNACA/CN=REUNA Certification Authority
Colombia (UNIANDES):
– /C=CO/O=Uniandes CA/O=UNIANDES/OU=DTI/CN=Uniandes CA
Mexico (UNAM):
– /C=MX/O=UNAMgrid/OU=UNAM/CN=CA

19 TAGPMA Classic CAs (14) (continued)
U.S.A. (DigiCert, InCommon):
– /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid Root CA
  /DC=DigiCert-Grid/DC=com/O=DigiCert Grid/CN=DigiCert Grid CA-1 G2
– /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
  /C=US/O=DigiCert Grid/OU=www.digicert.com/CN=DigiCert Grid Trust CA
  /C=US/O=DigiCert Grid/OU=www.digicert.com/CN=DigiCert Grid Trust CA G2
– [/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority]
  /C=US/O=Internet2/OU=InCommon/CN=InCommon IGTF Server CA
Venezuela (ULAGrid) – has suspended operations until further notice – removed from the IGTF distribution:
– /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority

20 TAGPMA SLCS CAs (6)
(All current TAGPMA SLCS CAs are in the U.S.A.)
FNAL:
– /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM
NCSA:
– /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=MyProxy CA 2013
– /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=Two Factor CA 2013
NERSC:
– /DC=net/DC=ES/OU=Certificate Authorities/CN=NERSC Online CA
NICS – has suspended operations until further notice – removed from the IGTF distribution:
– /DC=EDU/DC=TENNESSEE/DC=NICS/O=National Institute for Computational Sciences/CN=MyProxy
PSC:
– /C=US/O=Pittsburgh Supercomputing Center/CN=PSC MyProxy CA

21 TAGPMA MICS (2) and IOTA (1) CAs
(All current TAGPMA MICS and IOTA CAs are in the U.S.A.)
MICS:
– CILogon-Silver: /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
– NCSA: /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=CACL
IOTA:
– CILogon-Basic: /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1

22 TAGPMA Meetings
TAGPMA members meet monthly via CERN Vidyo video teleconference
– 2nd Monday of each month
– 11:00am Eastern: Spanish language call
– 11:30am Eastern: English language call
TAGPMA face-to-face meetings
– twice per year (once in Latin America, once in North America)
– most recent F2F meeting was here at PSC in May 2015
– next F2F meeting is scheduled for Sept. 30 – Oct. 1, 2015 at UNAM, Mexico
IGTF All-Hands meetings
– once every 18 months; rotates among the PMAs
– most recent All-Hands meeting was hosted by APGridPMA at Academia Sinica in Taipei, Taiwan, in March 2015
– next All-Hands meeting will be hosted by EUGridPMA in late 2016

