WP6/7 Security Summary Budapest 5 Sep 2002

Presentation Transcript


  1. WP6/7 Security Summary, Budapest, 5 Sep 2002. David Kelsey, CLRC/RAL, UK, d.p.kelsey@rl.ac.uk. D.P.Kelsey, Security Summary, Budapest

  2. Outline
     • WP6 CA group (Authentication)
     • WP6 Authorisation group
     • WP7 Security Coordination Group (SCG)
     • Summary and issues

  3. WP6 CA group
     • Status
     • New “Minimum requirements for a CA” for TB2
     • More on RA procedures
     • Network connected CA allowed in some circumstances
     • CrossGrid
     • German/Karlsruhe CA approved
     • Greece, Poland and Slovakia under consideration
     • CERN, FNAL and others proposing a Kerberos-based CA
     • Long-lived credentials are Kerberos based
     • KCA then issues short-lived X.509 certs
     • Collecting statistics of issued certificates
     • Good progress on acceptance matrix
     • Automatic extraction of features where possible

  4. WP6 CA (2)
     • Scaling to LCG Data Challenges
     • Atlas DC1 the most urgent
     • Request to add new CA’s
     • Australia, Canada, Japan + many more
     • We will provide better documentation on the CA acceptance procedure
     • Interim approval possible via e-mail
     • Final approval requires presentation at a CA mtg
     • BUT
     • We aim to establish “trust” such that Grid sites will accept the use of PKI – this is not easy!
     • Heavy requirement on robust procedures
     • Including the registration authorities (to confirm identity)
     • Sites will not “trust” the use of PKI if we grow too quickly

  5. WP6 Authorisation Group
     • See Luciano Gaido’s slides
     • http://documents.cern.ch/age?a021246

  6. WP7 Security Coord Group
     • D7.5 - Security Requirements and TB1 (complete)
     • D7.6 - Security Design and TB2 (January 2003)
     • Akos Frohner (CERN) – rep on ATF
     • Security components
     • VOMS with WP6Auth/WP2
     • Attributes: VO, role(s), group(s), validity – signed by VO
     • GACL (WP6 - McNab)
     • SlashGrid (WP6 - McNab)
     • For dn-based grid homefile system
     • LCAS, LCMAPS (WP4)
     • WP2 Security
     • ACL’s and security elsewhere (WP1,WP3,WP5,…)
     • Need to verify/audit security design and implementation

  7. Authorisation
     [Diagram; labels: User, VOMS, dn, dn + attrs, service, authenticate, Java, C, authr, LCAS, LCMAPS, pre-proc, acl, map]
     • Coarse-grained, e.g. Spitfire (WP2)
     • Fine-grained, e.g. RepMeC (WP2/WP3)
     • Coarse-grained, e.g. CE, Gatekeeper (WP4)
     • Fine-grained, e.g. SE, /grid (WP5)

  8. VO management (WP6/LCG)
     • Security groups are concerned about the procedures used to Check/Register users in VO’s
     • Authorisation more important than Authentication
     • Gives access to resources!
     • CA’s do not check the right to use resources
     • Sites need to be convinced of VO procedures to establish “trust”
     • VO RA needs to reliably confirm
     • Right to join VO, i.e. identity
     • That the user rightfully owns the certificate (?)
     • BUT…. Ideally, VO’s should be “easy” to create and manage
     • Will suggest “Minimum requirements” and procedures for creating and operating a VO

  9. Summary & issues
     • Authentication under control
     • BUT … Problems of scaling to LCG (work with VOs/LCG)
     • Will sites “trust” the use of PKI (security of private keys)?
     • Authorisation
     • Improved VO LDAP for TB2
     • New VOMS – first implementation for TB2 (coarse grain)
     • Fine grained (ACL’s) coming
     • Need to work more on ACL management
     • Need more work on VO management and procedures
     • WP1 – publish list of ACL’s to the RB – is this OK?
     • Working with WP10 (2 and 5) on medical security requirements
     • Resource situation
     • WP2, WP6, WP7 and others all contributing
     • Authorisation group partially funded by DataTag
     • BUT, we need to work more on ACL’s
