Presentation is loading. Please wait.

Presentation is loading. Please wait.

11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan1 Certificates for DataGrid Testbed0 David Kelsey CLRC/RAL, UK

Published byBartholomew Carter Modified over 8 years ago

Similar presentations

Presentation on theme: "11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan1 Certificates for DataGrid Testbed0 David Kelsey CLRC/RAL, UK"— Presentation transcript:

1 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan1 Certificates for DataGrid Testbed0 David Kelsey CLRC/RAL, UK d.p.kelsey@rl.ac.uk

2 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan2 Agenda Day 1 – 4 th December, 2000, CERN –Aims, agenda, intro, etc. –Roundtable status reports –Authentication vs Authorisation –Which CAs? –CA Policies –Naming

3 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan3 Agenda (2) Day 2 – 5 th December, 2000, CERN –CA Hierarchy –Revocation –Scope of certificates –Other Grid projects –Other issues –Summary of decisions/proposals

4 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan4 Attendees Jean-Luc ArchimbaudCNRS, France Roberto CecchiniINFN, Italy Jorge GomesLIP, Portugal Denise HeagertyCERN Dave KelseyRAL, UK Daniel KourilCesnet, Czech Rep. Andrew SansumRAL, UK Apologies from: Francesco Prelz and Guiseppe LoBiondoINFN

5 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan5 Aims of meeting Implement CA(s) for Testbed0 –But also plan for the future Keep it simple! (at least for now) Report to WP6 meeting – Milan 11 Dec Report to ATF? Proposal for authorisation?

6 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan6 Summary of roundtable status National CAs already in place and ready for Testbed0 –Czech Republic –France –Italy –Portugal –UK CERN not yet ready Not sure about status of sites not present

7 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan7 Authentication vs Authorisation User requirement for easy access to resources while system managers need to control access Strong recommendation not to mix these –For non-HEP CAs we will not be able to request the addition of HEP-specific attributes –Industry trends PMI (privilege management infrastructure) –X.509V3 extension fields should only carry authorisation information that is stable and constant over time –“Attribute Certificates” – PKIX IETF working group –Also CAS from Globus

8 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan8 Authentication vs Authorisation (2) –Breaks Globus GSI model –Privacy – public certificate should include minimal information – user may have control over disclosure Recommendation to start a task force on Authorisation –Users want easy access to resources –Initially – grid map-files –then LDAP? Account creation – requires coordination?

9 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan9 Which CAs? Recommendations –Each country/site wishing to join Testbed0 must find a CA willing to issue certificates for them with published and accepted procedures –By Testbed0 cutoff date, decide list of initial CA’s + a catch- all solution –phase out use of CA’s not meeting the minimum standards within 6 months, e.g. existing Globus CA –Should be a small group with responsibility for “accepting” new CA’s

10 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan10 Which CAs? (2) CAs should be aware that we will review after 6 months –At this point new recommendations may be made Short lived CAs may be a good choice for getting started Recommend a maximum lifetime for personal certificates of 1 year

11 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan11 CA Policies for Testbed0 CPS (cert practice statement) for CAs –Try to agree minimum set for Testbed0 or a mechanism for agreement of procedures –Use beyond Testbed0 at decision of each site? –Private key must be offline? –Physical access to CA – controlled area –Off line CA/signing machine? –Security of private key – who? How many? –Minimum Key lengths?

12 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan12 CA Policies for Testbed0 (2) Minimum policy for RA’s –Confirmation from trusted person at each site Identity Request was issued by that person What does it assert? –Method of confirmation (RA to CA) must be specified Telephone?, digitally signed mail –Must be a mechanism for revocation –Owning a certificate is not sufficient for creation of accounts

13 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan13 Naming To date, different choices have been made Longer term, do we want a hierarchical namespace? (o=hep?) Coordination with LDAP namespace? This needs further study How to map single certificate onto multiple accounts?

14 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan14 CA Hierarchy Root CA signs lower level CA certificate –proposed changes to globus toolkit would allow clients and servers to only trust the root CA Pros –Formalises the checking of CPS –Simpler/scaleable configuration for growing number of CAs (if mods made to globus)

15 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan15 CA Hierarchy (2) Cons –Have to trust the root CA –In conflict with generic use of certificates Suggests a common scope Would need dedicated DataGrid CAs –Heavy reliance (unacceptable?) on the private key of the root CA –Compromised or disappearing root CA would cause major problems But could move the root CA Conclude – not a useful idea

16 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan16 Revocation Each CA must maintain a CRL each server/client must regularly copy this CRL from each CA and store it in the “trusted certificates” directory (cron job) Globus (SSL) checks this local copy We need an agreed policy for CA updating its own CRL (e.g. compromised private key)

17 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan17 Scope of certificates Each CA can decide the scope of the certificates it issues. One reason not to use a hierarchy of CA’s Each site is free to choose which CA’s it trusts

18 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan18 Other issues - Security Communication between sites for removing users from authorisation scheme – in addition to revocation of certificate Should this certificate group continue? –With more general mandate than just certificates? Gatekeeper proxy certs –Limited functionality –Globus-rcp needs full function cert (returning job output) –Job for general security task force

19 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan19 Summary of Recommendations Use existing CAs, not necessarily specific to DataGrid Aim to phase out use of Globus CA For those orgs with no CA by cut-off date –find someone else willing to issue certs –We need a catch-all We will provide client/server configuration advice Q: What is the cutoff date? Q: WP6 should advise on “catch-all” CA

20 11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan20 Summary of Recommendations (2) CA Hierarchy – not useful Authorisation in certificate – no! Agree minimum standards for CPS –Topic for future meeting of this group DataGrid should create a Security task force –Beyond testbed0 and certificates Authorisation needs to be tackled –By whom? LDAP + Security + …?

Download ppt "11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan1 Certificates for DataGrid Testbed0 David Kelsey CLRC/RAL, UK"

Similar presentations

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
11-Dec-01D.P.Kelsey, Authentication1 Authentication 11 Dec 2001 David Kelsey CLRC/RAL, UK

11-Dec-01D.P.Kelsey, Authentication1 Authentication 11 Dec 2001 David Kelsey CLRC/RAL, UK
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.

Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library

CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

Similar presentations

Ads by Google