Authentication Policy David Kelsey CCLRC/RAL d.p.kelsey@rl.ac.uk 15 April 2004, Dublin


Presentation Transcript


  1. Authentication Policy • David Kelsey • CCLRC/RAL • d.p.kelsey@rl.ac.uk • 15 April 2004, Dublin

  2. Outline • Grid Authentication Background • Current Status • The EU Grid PMA • Policy Guidelines • TACAR • Summary

  3. Grid Authentication Background • Many Grids use the Grid Security Infrastructure (GSI) • For Authentication • Based on X.509 Public Key Infrastructure (PKI) • The EDG Certification Authorities Coordination Group (CACG) – started in December 2000 • Coordinated the CAs for use by (EU FP5) • EU DataGrid (EDG) • DataTAG • CrossGrid • & Many national Grid projects • Global requirements driven by LCG (HEP)

  4. EDG CACG (2001-03) • User Single “Sign-on” • Once per session (and delegation) • Identity credentials accepted by many Grids • Hierarchical root – not possible in GSI • Most appropriate scale is one CA per nation • Timely Revocation is important • Establish common trust domain • minimum requirements/best practice/peer review • Certificates from trusted CA can be used anywhere • Common repository of trust anchors • Robust Registration Authority procedures are needed • RAs need to be close to the user’s home institute

  5. Current Status – 21 Approved CAs and number of certificates issued to date • Germany 364 • Greece 49 • Italy 1956 • Portugal 61 • Netherlands 321 • Nordic 579 • Poland 266 • Russia 230 • Slovakia 26 • UK 1856 • Armenia 0 • Taiwan 80 • CERN 640 • Czech Rep 365 • France 1400 • Cyprus 18 • Spain 408 • USA 2807 • FNAL (US) 1 • Canada 570 • Ireland 170 • Total 12167

  6. EU Grid PMA coverage • Most countries in Europe have a national CA • “Catch-all” for EGEE (France) and SEE-GRID for S.East • Map legend: Green: CA Accredited; Yellow: being discussed • Other Accredited CAs: • DoEGrids (USA) • GridCanada • ASCCG (Taiwan) • ArmeSFO (Armenia) • CERN • Russia (LCG) • FNAL Service CA (USA) • Israel • Pakistan

  7. The EU Grid PMA “Policy Management Authority” • Continues from the EDG CACG www.eugridpma.org • Defines Minimum requirements and Best practices • Accredits Authorities • General authentication – not just PKI • Members • Accredited Authorities • Major relying parties (EGEE, DEISA, SEE-GRID, LCG,…) • TERENA (TACAR) • 1st meeting – April 2004 – Florence (INFN) • Charter approved • David Groep (NIKHEF) appointed as Chair

  8. Authentication Policy Guidelines • Wherever possible • No more than one CA per country • Aim for widest possible cover • PMA does not provide identity assertions • Certificates issued meet or exceed the guidelines • Identity for Grid/eScience Authentication only • No support of data encryption or non-repudiation • No support for financial transactions • No liability!

  9. Policy Guidelines (2) • A single authoritative source for verifying roots of trust is needed (see TACAR) • We must work in the global arena (GGF & gridpma.org) • GSI imposes technical constraints which must be met • The PMA is mainly technical • Development needs technical experts

  10. TACAR • The TERENA Academic CA Repository • Created by task force TF-AACE • Aimed at facilitating the use of PKI in Europe • Repository of “trust anchors” • Like root certificates distributed with web browsers • NREN CAs and not-for-profit projects (e.g. Grid) • Published policy and procedures for registration • No evaluation of CA policies or procedures • An important service for Grid Authentication • Authoritative source of roots of trust

  11. Summary • The CACG built a strong base for Grid Authentication • The EU Grid PMA is now instrumental for FP6 Grid projects in the global arena via a single Trust Domain • EGEE, DEISA and SEE-GRID are all relying party members of the PMA and will use this PKI • And other global and national Grids, e.g. LCG • A single common repository for authentication will promote the trust anchor (TACAR)
