Summary from CA coordination and Security working group meeting

Summary from CA coordination and Security working group meeting. WP4 workshop 2001.06.07 davidg@nikhef.nl. Security related meetings summary. Certification Authorities coordination: organizationally a working group of WP6; coordinates efforts for certification in various countries.

Presentation Transcript


  1. Summary from CA coordination and Security working group meeting WP4 workshop 2001.06.07 davidg@nikhef.nl

  2. Security related meetings summary
     • Certification Authorities coordination
       • Organizationally a working group of WP6
       • Coordinates efforts for certification in various countries
       • Gives guidance to new CAs now setting up
       • Sets minimum standards for trustworthy CAs
     • DataGrid Security coordination meeting
       • Interested individuals concerned with security in the DataGrid at large
       • Forum for security architecture discussions
       • Coordination of security efforts within the WPs

  3. Certification Authorities
     • Currently 8 Certification Authorities:
       • CERN (Pietro Martucci)
       • INFN (Roberto Cecchini)
       • DutchGrid/NIKHEF (David Groep)
       • UKHEP (Andrew Sansum)
       • CNRS datagrid-fr (Jean-Luc Archimbaud)
       • LIP (Jorge Gomes)
       • CESnet (Milan Sova and Daniel Kouril)
     • Spain is preparing, Russia will start preparing

  4. Certification minimal requirements
     • Minimal requirements for certification authorities defined
     • Non-networked machine
     • Documented Certification Policy and Practice Statement (CP/CPS)
     • Traceability of CPS in effect at time of signing (using OIDs)
     • CRL issuing required, lifetime between 7 and 30 days
     • Relying parties should retrieve CRL preferably every day
     • There will be no on-site auditing, we will crosscheck each other's CP/CPS
     • Entities should generate own key pairs (CA must not know!)
     • Activity on recommending best-practice Grid CP/CPS in GGF (DataGrid has no manpower to get heavily involved)
     • Drafted a list of recommended cert extensions

  5. Certification Authorities in a Fabric
     • None of the national CAs is prepared to issue host certificates to all hosts in a farm
     • OK to apply for gatekeeper certs for LSF masters and such
     • OK also for test bed 1 hosts with fork job manager
     • WP4 has already a possible solution: FLIDS
     • Automatic CRL retrieval: use the GetCerts package from cron; soon to be included in WP6 distribution, now from DutchGrid CA site http://certificate.nikhef.nl/

  6. Certification Authorities, Administrative
     • A ca-coordination mailing list is being set up by Dave Kelsey
     • List can be used for incident reporting
     • See also http://marianne.in2p3.fr/datagrid/ca/ca.html
     • Detailed notes can be found at http://www.nikhef.nl/~davidg/grid/

  7. DataGrid Security working group

  8. DG Security-wg aims
     • Identify security requirements and deliverables within the WPs
     • Implications of security on the DataGrid architecture (urgent)
     • Identify lacking resources
     • Self-organisation
     • Extensive discussions planned for Lecce with Steve Tuecke

  9. Security per Work Package (1)
     • WP1
       • Will be managing the user’s identities
       • Jobs will probably run with the identity of the original user
       • The applications don’t care, as long as:
         • Roles can be assigned to users and
         • Quota can be associated with roles
       • A user can have multiple roles (in different sessions), but only one cert
     • WP2
       • Same issue with ownership of replicated files. Not resolved yet.

  10. Security per Work Package (2)
      • WP3
        • Will start using MDS-2 in PM9
        • Will have added GSI security, but does not use LDAP access rights
        • No subtree or element access control, just grid mapfile
        • Only just started thinking about security issues for >PM9
      • WP4
        • Presented use case of job submission, GjMS, LCAS, LCMAPS & FLIDS
        • For grid info services use WP3 framework
        • “GridGate” should be relabelled “NAT box”
        • No security comments on install-a-fresh-box use case

  11. Security per Work Package (3)
      • WP5
        • Will store files by uid/gid
        • Will need a grid mapfile
        • May be different from the one used by ComputeElement
        • YAGM: Yet Another Grid Mapfile
      • WP7
        • Interesting: they have three security deliverables and some committed manpower (PPARC 18 pm/3y, CERN 12 pm/3y, INFN & CNRS also)
        • No-one in WP7 cares about security at large
        • Only competent in network-layer security, so work might be done under ATF umbrella, formally staying in WP7
        • Once and for all: VPNs are a bad thing. The effort for the VPN test bed is going into a document to prove VPNs are useless
        • DoS attacks will be the real issue in network security

  12. Security per Work Package (4)
      • WP8,10 (applications)
        • Want less fuss with national CAs (150 countries in LHC!) sorry!
        • Want single sign-on: one identity and multiple roles (1 role per session)
        • Authorization by VO, VO decides on quota and groups
        • Requirements common to all applications justify a common solution (CAS)
        • Applications want to keep local site in control, but
        • Local sites should publish their policies (abstracted) to show they are complying with the agreed MoUs
        • Want a good USERS GUIDE
        • WP10 has a lot of sensitive data, encryption preferred on application level
        • “anonymous ftp” like areas, but restricted to “any biologist”

  13. Policy language
      • Obvious candidate is the work of the IRTF AAAARCH group
      • Generic policy language currently an IRTF draft
      • http://iridal.phys.uu.nl/~aaaarch/doc08/
      • Or http://www.aaaarch.org/

  14. Interaction between CE and SE
      • Details: ATF (Germán)
      • Some consensus seems to be
        • Use GridFTP for remote and local access to a SE
        • Applications are prepared to refrain from local file system access (not use open(2))
        • Except for some scratch storage like /tmp
        • Legacy applications should pre-declare their files
        • To prevent rogue applications, the binaries may be signed
        • The receiving end should verify the signature
        • Users can make no assumptions about a local identity anywhere (gsi-ssh)

  15. Firewall issues
      • Current state on port numbers used is unclear
      • Especially for return ports and user dynamic ports
      • Nice to have all future access use predefined static ports
      • Providing secure gateways into the local fabric
      • Like the WP4 proposal
      • To be able to selectively block malicious access

  16. User mapping management for PM9
      • INFN: LDAP directory of users and groups generates a gridmapfile
        • URL not yet defined
      • Manchester: gridmapdir patch
        • http://www.hep.grid.ac.uk/gridmapdir/
        • Possibly included in new Globus release by default
      • Uid issues: most systems do 4 billion uids, but Linux ≤2.2.x only 64K?

  17. Future of the security working group
      • Dave Kelsey will propose a somewhat more formal body to the PTB
      • Should be driven by 3 named persons, to come from the three sites with committed effort (PPARC, INFN, CNRS)
      • A lot of others should review documents and/or write a few pages for the architecture
      • Framework for architecture given by DaveK
      • Requirements by September/October
      • Final Security architecture deliverable is in PM12
      • Detailed notes at http://www.nikhef.nl/~davidg/grid/
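
The CRL rules on slide 4 (lifetime between 7 and 30 days, daily retrieval by relying parties) can be checked mechanically after each cron fetch mentioned on slide 5. This is an added example, not part of the presentation or of the GetCerts package: it parses the text printed by `openssl crl -noout -lastupdate -nextupdate`; the function names and sample dates are constructed, and the expiry check goes beyond what the slide states.

```python
from datetime import datetime, timedelta, timezone

# Policy from slide 4: CRL lifetime between 7 and 30 days; relying
# parties should retrieve the CRL preferably every day.
MIN_LIFETIME = timedelta(days=7)
MAX_LIFETIME = timedelta(days=30)
MAX_FETCH_AGE = timedelta(days=1)

def parse_crl_dates(openssl_text):
    """Parse `openssl crl -noout -lastupdate -nextupdate` output."""
    fields = {}
    for line in openssl_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            # OpenSSL pads single-digit days with a space; normalise it.
            stamp = " ".join(value.split())
            # A CRL with no nextUpdate prints "NONE" and fails here.
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if len(fields) != 2:
        raise ValueError("lastUpdate and nextUpdate are both required")
    return fields["lastUpdate"], fields["nextUpdate"]

def check_crl(openssl_text, fetched_at, now):
    """Return policy findings; an empty list means the CRL is acceptable."""
    last, nxt = parse_crl_dates(openssl_text)
    findings = []
    lifetime = nxt - last
    if lifetime < MIN_LIFETIME:
        findings.append("lifetime-too-short")
    elif lifetime > MAX_LIFETIME:
        findings.append("lifetime-too-long")
    if now >= nxt:
        findings.append("expired")  # added check, not on the slide
    if now - fetched_at > MAX_FETCH_AGE:
        findings.append("stale-local-copy")
    return findings

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample output, not taken from any real CA.
GOOD = "lastUpdate=Jun  7 00:00:00 2001 GMT\nnextUpdate=Jun 28 00:00:00 2001 GMT\n"
LONG = "lastUpdate=Jun  1 00:00:00 2001 GMT\nnextUpdate=Sep  1 00:00:00 2001 GMT\n"

if __name__ == "__main__":
    print(check_crl(GOOD, utc(2001, 6, 10, 3), utc(2001, 6, 10, 12)))
    print(check_crl(LONG, utc(2001, 6, 5), utc(2001, 6, 10, 12)))
```

A non-empty result is a reason for the relying party to refetch the CRL or to raise the CA's CRL lifetime with the CA coordination group.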
