1 / 15

DataGrid WP 6/CA CA Trust Matrices

DataGrid WP 6/CA CA Trust Matrices. Trinity College Dublin (TCD) Brian Coghlan. Edinburgh JUL -2002. PPARC (UK) NIKHEF (Nethelands) INFN (Italy). Main Partners CERN (Switzerland) ESA/ESRIN (Italy) CNRS (France). EU DataGrid Project. Industrial Partners Datamat (Italy) IBM-UK (UK)

angie
Download Presentation

DataGrid WP 6/CA CA Trust Matrices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DataGrid WP6/CACA Trust Matrices Trinity College Dublin (TCD) Brian Coghlan EdinburghJUL-2002

  2. PPARC (UK) • NIKHEF (Nethelands) • INFN (Italy) • Main Partners • CERN (Switzerland) • ESA/ESRIN (Italy) • CNRS (France) EU DataGrid Project • Industrial Partners • Datamat (Italy) • IBM-UK (UK) • CS-SI (France) • Research and Academic Institutes • CESNET (Czech Republic) • Commissariat à l'énergie atomique (CEA) – France • Computer and Automation Research Institute,  Hungarian Academy of Sciences (MTA SZTAKI) • Consiglio Nazionale delle Ricerche (Italy) • Helsinki Institute of Physics – Finland • Institut de Fisica d'Altes Energies (IFAE) - Spain • Istituto Trentino di Cultura (IRST) – Italy • Konrad-Zuse-Zentrum für Informationstechnik Berlin - Germany • Royal Netherlands Meteorological Institute (KNMI) • Ruprecht-Karls-Universität Heidelberg - Germany • Stichting Academisch Rekencentrum Amsterdam (SARA) – Netherlands • Swedish Research Council - Sweden

  3. EU CrossGrid Project • 21 Partners • led by Cyfronet (Poland) • 11 Countries • Poland • Netherlands • Germany • Spain • Italy • Portugal • Greece • Austria • Slovakia • Cyprus • Ireland

  4. DataGrid:security • No single work package (security is everywhere!) • 3 sub-groups: Authentication, Authorisation, & Co-ordination • Chaired by Dave Kelsey, RAL • Now based on Globus GSI • authentication using PKI (X.509 certificates) • authorization via DataGrid tools • Trying not to mix Authentication and Authorisation • Documents: • Security Requirements and first implementation (D7.5) • Security Design and 2nd implementation (Jan 2003)

  5. DataGrid: authentication • Grids involve N-way contexts • Thus each party is worried about all the others • Back at the CA, each CA wants to evaluate the other CA • EITHER that they meet the CA’s minimum standard • OR that they meet an agreed common standard • EDG focus is on common standard • This results in a Trust Matrix

  6. DataGrid: authentication • involves cross-domain authentication between Grid projects • now 13 approved National Certificate Authorities • includes Registration Authorities – check identity • CNRS (France) acts as “catch-all” CA with RA mechanism to suit • USA (DOE) is a member of the CA group and trust matrix • CrossGrid CAs are currently joining CA group and trust matrix

  7. Matrix of Trust

  8. Matrix of trust • How to establish the trust ? • CA Mgrs check each other against agreed list of minimum requirements • currently require inspection of each CA’s CPS by each other CA • software being developed to aid this process • CP/CPS important • audit of CA procedures will help • none done yet • use 3rd party? • GGF GridCP and CA-Operations WG’s considered important

  9. Matrix of trust • Scaling problems • how many CA’s can we cope with [soon ~20] ? • the process is very manual • personal contacts are fundamental • WANT TO MAKE EVALUATION MORE AUTOMATIC • software being developed to aid this process • based on evaluation of the CA Feature Matrix

  10. DataGrid: CA Feature Matrix

  11. Basic Concepts • Issues: • postulate: (condition)  (issue) • e.g. (BasicConstraints_value ne ‘CA’)  (major issue) • Grading: • i.e. assign an issue a weight • Constraint: • issues of a certain class should be constrained to that class • e.g. many minor issues do not make a major issue • Aggregation: • aggregate graded issues in a measure of ‘severity’ • e.g. (severity @ major) = (graded major issues)limit=1.0

  12. Currently [JUL-2002] • per class: (severity @ class) = (graded class issues)limit=1.0 • max_severity: (severity) for most critical class with issues • postulate: acceptance_level = Tacceptance – (max_severity) • where:Tacceptance == (worst-case max_severity) • e.g, assume: Tacceptance = 3.0 • therefore: max_severity = [0.0 .. 3.0] • and: acceptance_level = [3.0 .. 0.0] • This is the WORKING BASIS for manual evaluation

  13. Auto-evaluation • move to extract issues automatically • from what ? • initially from Feature Matrix • later from CA certs & CRLs ?

  14. Extraction from Feature Matrix • since: (condition)  (graded issue) • then must define condition per feature  {rules} • e.g.: (name eq ‘NIL’) (graded issue) • thus:if (name eq ‘NIL’) (graded issue) == (coefficient @ class) • per class:(severity) == (graded issues)limit=1.0 • EDG can define its common rule set • each CA could define its own overrides to the rule set • ultimately each VO could define its own rule set

  15. Acceptance/Feature Matrices THE END

More Related