2nd APGrid PMA F2F Meeting
Wireless LAN SSID: PRAGMA11, WEP key: PRAGMA11JAPAN
Osaka University Convention Center, October 15
Notes
• This room is basically NO FOOD and NO DRINK.
• But drink can be overlooked
• We will have two coffee/tea breaks and a lunch break.
• Coffee/tea will be served in front of this room
• Lunch will be served in a different building
• PRAGMA Welcome Reception will start at 6:30pm at Senri-Hankyu Hotel.
• Bus will depart here at 17:18
• Agenda and materials available on the web site at: http://www.apgridpma.org/meetings/index.html
• Call for volunteers for taking minutes
  • Native speakers are appreciated
Recap of CA, PMA, and IGTF
2nd APGrid PMA F2F Meeting, Osaka University Convention Center, October 15
Yoshio Tanaka, APGrid PMA / IGTF Chair, AIST, Japan
Outline
• History and status of the PMA and IGTF
• Introduction of the APGrid PMA
  • Activity
  • Responsibility
  • Obligation
• Introduction of the IGTF
  • Activity
  • Responsibility
  • Obligation
  • Relationship with the PMA
• Some notes for operating a certificate authority
Grid Security
• GSI is based on X.509 certificates and PKI.
• Most organizations are launching their own Certificate Authorities (CAs) for issuing end-entity certificates for users, hosts, and services.
• Proxy Certificates (RFC3820) for single sign on and delegation
• A Virtual Organization (VO) is implemented by federations of multiple security domains.
Grid Security (cont’d)
[Figure: several globus installations, each with its own CA]
• The most popular multi-domain PKI architecture (in Grid) is cross-recognition
• Independent CAs would somehow be licensed or audited by a mutually recognized trusted authority.
• e.g.
  • AIST trusts KISTI CA operated by KISTI, Korea.
  • KISTI trusts AIST GRID CA operated by AIST.
[Figure: CAs grouped under the EUGrid PMA, TAG PMA and APGrid PMA; the three PMAs compose the IGTF. A regional PMA is responsible for coordination of security policies within its region.]
Status and challenges
• Need AuthN and AuthZ federation
  • within a VO, and between VOs
• AuthN federation
  • foundation for building/experimenting with Grids
  • need to coordinate security (CA) policies
• AuthZ federation
  • still a grand challenge
Target: AuthN federation
• Problems of authentication federations
  • All CAs should keep the same level of operation.
    • How is the CA securely operated?
    • Use HSM? Dedicated CA room?
    • …
  • All CAs should have no conflict in policy
    • How does the CA identify end entities?
    • Use face-to-face meeting? Telephone? Email? etc.
    • …
• Policy Management Authority (PMA) is a coordination body of CA policies and operations.
EUDG CACG was the pioneer
• The EU DataGrid in 2000 needed a PKI for the test bed
  • Both end-user and service/host PKI
• CACG (actually David Kelsey) had the task of creating this PKI
  • for Grid Authentication only
  • no support for long-term encryption or digital signatures
• Single CA was not considered acceptable
  • Single point of attack or failure
• One CA per country, large region or international organization
  • CA must have strong relationship with RAs
  • Some pre-existing CAs
• A single hierarchy would have excluded existing CAs and was not convenient to support with existing software
• Coordinated group of peer CAs was most suitable choice
EUDG CACG was the pioneer (cont’d)
• December 2000: First CA coordination meeting for the DataGrid project
• March 2001: First version of the minimum requirements
  • 5 CAs: France (CNRS), Portugal (LIP), Netherlands (NIKHEF), CERN, Italy (INFN), UK (UK eScience)
• December 2002: Extension to other projects: EU-CrossGrid
March 2003: The Tokyo Accord
• … meet at GGF conferences. …
• … work on … Grid Policy Management Authority: GRIDPMA.org
  • develop Minimum requirements – based on EDG work
  • develop a Grid Policy Management Authority Charter
• [with] representatives from major Grid PMAs:
  • European Data Grid and Cross Grid PMA: 16 countries, 19 organizations
  • NCSA Alliance
  • Grid Canada
  • DOEGrids PMA
  • NASA Information Power Grid
  • TERENA
  • Asian Pacific PMA: AIST, Japan; ASCC, Taiwan
Status of PMAs
• Currently, there are three regional PMAs
  • EUGrid PMA (established May 2004)
    • Former: EUDG WP6 CA Coordination Group (started in 2002)
  • TAG PMA
    • Former: DOEGrid PMA (started in 2002)
  • APGrid PMA (established June 2004)
    • Unofficially started in 2003
• Each regional PMA is responsible for
  • coordination of CA policy within the region
  • coordination of CA policy with the other regional PMAs
• Three PMAs are the founders of the International Grid Trust Federation (IGTF)
European Grid PMA
[Map: countries with an accredited CA shown in green]
• 23 of 25 EU member states (all except LU, MT)
• + AM, CH, IL, IS, NO, PK, RU, TR, “SEE-catch-all”
Other Accredited CAs:
• DoEGrids (.us)
• GridCanada (.ca)
• CERN
• ASGCC (.tw)*
• IHEP (.cn)*
* Migrated to APGridPMA per Oct 5th, 2005
Slide by courtesy of David Groep (EUGrid PMA chair)
The Americas Grid PMA
14 CAs, 7 Relying Parties
• Argentina UNLP
• Brazilian Grid CA
• CANARIE
• DOEGrids
• EELA LA Catch all
• ESnet/DOE Office Science
• FNAL
• Mexico UNAM
• NCSA
  • Classic
  • SLCS
• Purdue Univ. TeraGrid
• REUNA Chilearn CA
• TACC
  • Root
  • Classic
  • SLCS
• Venezuela
• Univ. of Virginia
[Figure legend: CA, RP. Also shown on the slide: USHER, Dartmouth, HEBCA, EELA, OSG, SDSC, SLCS, TeraGrid, THEGrid]
Asia Pacific Grid PMA
• General Policy Management Authority in Asia Pacific
  • Not specific for ApGrid, not specific for PRAGMA…
• Launched on June 1st, 2004
• Defines minimum CA requirements
• APGrid PMA approved that we accept two levels of CA:
  • Experimental-level CA
    • Alternative to the Globus CA
    • Can be trusted within A-P communities
  • Production-level CA
    • Strict management is necessary
    • Expected to be trusted by international communities
• Two memberships
  • 13 Ex officio membership
  • 4 General membership
Members (13 + 4)
• 2 CAs under review
  • NECTEC (Thailand)
  • NGO (Singapore)
• 1 CA will be ready for review soon
  • PRAGMA (USA)
• Planning
  • ThaiGrid (Thailand)
• General membership
  • Osaka U. (Japan)
  • U. of Hong Kong (China)
  • U. of Hyderabad (India)
  • U. of Sains Malaysia (Malaysia)
• 9 Accredited CAs
  • In operation
    • AIST (Japan)
    • APAC (Australia)
    • ASGCC (Taiwan)
    • CNIC (China)
    • IHEP (China)
    • KEK (Japan)
    • KISTI (Korea)
    • NAREGI (Japan)
  • Will be in operation
    • NCHC (Taiwan)
History of IGTF activities
• Continuous discussions between AP, EU, and TAG PMA for International Grid Trust Federation.
  • GGF12 and EUGrid PMA meeting@Brussels, September 2004
  • GGF13@Seoul, March 2005
  • EUGridPMA meeting@Tallinn, May 2005
  • GGF14@Chicago, June 2005
  • GGF15@Boston, Oct. 2005
    • IGTF was officially launched
  • APGrid PMA F2F meeting@Beijing, Dec. 2005
  • GGF16@Athens, Feb. 2006
  • TAGPMA meeting@Rio, March 2006
  • GGF17@Tokyo, May 2006
  • EUGridPMA meeting@Budapest, May 2006
  • TAGPMA@Ottawa, July 2006
  • GGF18@DC, September 2006
  • EUGridPMA meeting@Karlsruhe, September 2006
  • APGridPMA meeting@Osaka, October 2006
Timeline
• March 2005: IGTF Draft Federation Document GGF13
• July 27th: APGridPMA approved version 0.7
• September 28th: EUGridPMA approval version 0.9
• October 5th: TAGPMA approved version 1.0
• October 5th: formal foundation of the IGTF
Slide by courtesy of David Groep (EUGrid PMA chair)
Agenda
• IGTF Logo and style
  • Tony Genovese, LBNL/ESnet
• Updates from regional PMAs (5”)
  • APGrid PMA (Yoshio)
  • EUGrid PMA (David)
  • TAGPMA (Darcy)
• Authentication Profiles
  • Member Integrated Credential Services AP (Tony) (10”)
  • Classic AP Updates (David) (10”)
  • Root Certificate AP (Yoshio) (5”)
• Profile change process (Yoshio) (5”)
• Business issues (Yoshio) (5”)
  • Review of the mailing list
  • Distribution frequency
• AOB
Scope of the APGrid PMA
• Manage the PMA membership
• Define charter and minimum CA requirements
• Publish related documents
• Maintain and revise the documents
• Accredit authorities with respect to the minimum CA requirements
• Coordinate auditing and re-certification of accredited authorities
• Monitor member CA signing namespaces
• Operate a secure collection point for information about accredited CAs
• Be primarily concerned with Grid communities in Asia Pacific, and their external partners
APGrid PMA membership
• General membership
  • Osaka U., U. HongKong, U. Hyderabad, USM
  • No voting rights, no obligation
• Ex officio membership
  • AIST, APAC, ASGCC, CNIC/SDG, IHEP, KEK, KISTI, NAREGI, NCHC, NECTEC, NGO, SDSC, Thai Grid
  • Voting right, and obligation to vote
APGrid PMA responsibilities
• CP/CPS
  • Responsible for supporting and auditing the development and maintenance of the CP/CPS for CAs in Asia Pacific.
• Other documents
  • Charter
  • Minimum CA requirements
  • Authentication Profiles
APGrid PMA responsibilities (cont’d)
• Accreditation Procedures
  • A prospective authority requests the PMA to be approved as a production-level CA.
  • The prospective authority sends the CP/CPS and the other related documents to the PMA
  • The chair will ask two PMA members to review the CP/CPS in detail. All the other PMA members must review the CP/CPS as well.
  • If the first version has obvious inconsistencies, the chair may defer appointing the referees until the appropriate changes have been implemented.
  • After sufficient iteration the CP/CPS is considered ready for presentation at the meeting.
  • At the meeting, it should be presented in person to the PMA.
  • Based on the comments by the assigned reviewers and the discussion in the meeting, the prospective authority may either be approved immediately by the PMA, or this may be deferred until the recommended changes are implemented.
APGrid PMA responsibilities (cont’d)
• Audit
  • APGrid PMA is doing external auditing
  • This is a unique activity, but the other two PMAs are interested in auditing.
• Operation
  • Every CA must be responsible for its operation.
  • The PMA is NOT an operation unit but a policy management authority.
• Obligation
  • All PMA members are understood to represent the best interest of their national/regional communities and are expected to participate actively in the activities of the PMA.
General Architecture of the IGTF
• Member PMAs are responsible for accrediting authorities
• The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers.
• Each AP is assigned by the IGTF to a specific member PMA.
  • Classic AP (EUGrid PMA)
  • Short Lived Credential Services (SLCS) AP (TAGPMA)
  • Member Integrated Credential Services (MICS) AP (TAGPMA)
General Architecture of the IGTF (cont’d)
• Proposed changes to an AP will be circulated to all chairs of the IGTF member PMAs.
• All of the PMA chairs, after approval by their PMA, are required to endorse the proposed changes before the modified AP will come into effect.
• Example:
  • EUGridPMA proposed to change the Classic AP, and it was approved at their last meeting.
  • APGrid PMA will review the proposed new Classic AP at this meeting.
General Architecture of the IGTF (cont’d)
• Authorities accredited by a PMA are always subject to the policies and practices of a specific AP as decided by the accrediting PMA.
• Any changes to the policy and practices of an authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.
Requirements for accredited authorities
• Maintain at least one contact mechanism which must allow for un-moderated access to report problems and faults regarding the authority by the relying parties and general public.
  • This point of contact shall be made known to the accrediting PMA and the IGTF for subsequent re-publishing.
• Must disclose to the accrediting PMA and to the general public its documented policies and practices.
Implementation of the federation
• Each PMA maintains information on all accredited CAs.
  • Root certificate
  • CRL Distribution Point
  • Point of contact
  • Signing policy file
  • Pointer to the CP/CPS
• Information from all PMAs is packed into a single tarball/RPM and distributed as an IGTF CA distribution
  • No hierarchies. All accredited CAs are included in a flat structure
  • Once you are accredited by the APGrid PMA, you will be an IGTF-accredited CA
• IGTF CA distribution is released every three weeks
  • David Groep will notify all member CAs of the plan for the new release to ask for reports of any updates.
  • Distribution frequency is flexible.
• The information is stored in the CVS repository maintained by the EUGrid PMA
  • Yoshio, Mason, and Darcy have accounts on the CVS server
  • If you have modified a CA cert, etc., please let me know.
• IGTF CA distribution is available from the EUGrid PMA web site and the APGrid PMA web site.
  • APGrid PMA is planning to mirror the CVS server as well.
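Since each accredited CA's entry in the distribution carries a signing policy file and the PMA monitors member CA signing namespaces, a relying party can check the subject DNs a CA actually issued against that file. The example below is added here and is not code from the talk or from the IGTF distribution itself; it assumes the Globus-style signing_policy layout (access_id_CA / pos_rights / cond_subjects lines), and the CA name, DNs and certificate list are constructed.

```python
import fnmatch
import shlex

# Constructed sample in the Globus-style signing_policy layout (an assumption
# about the file format; the CA name and DNs are made up, not from a real CA).
SAMPLE_POLICY = """\
# one CA, permitted to sign only subjects under two named organisations
access_id_CA   X509   '/C=XX/O=Example Grid/CN=Example Grid CA'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=XX/O=Example Grid/*" "/C=XX/O=Example Partner/*"'
"""

# Constructed (issuer DN, subject DN) pairs as they might be seen by a relying party
SEEN_CERTS = [
    ("/C=XX/O=Example Grid/CN=Example Grid CA", "/C=XX/O=Example Grid/CN=alice"),
    ("/C=XX/O=Example Grid/CN=Example Grid CA", "/C=XX/O=Example Partner/CN=host/grid01"),
    ("/C=XX/O=Example Grid/CN=Example Grid CA", "/C=YY/O=Other Org/CN=mallory"),
    ("/C=YY/O=Rogue CA/CN=Rogue CA",            "/C=XX/O=Example Grid/CN=bob"),
]

def parse_signing_policy(text):
    """Return (ca_dn, can_sign, [subject patterns]) from a signing_policy file."""
    ca_dn, can_sign, patterns = None, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # strips the outer single quotes
        if fields[0] == "access_id_CA" and fields[1] == "X509":
            ca_dn = fields[2]
        elif fields[0] == "pos_rights" and fields[2] == "CA:sign":
            can_sign = True
        elif fields[0] == "cond_subjects":
            patterns.extend(shlex.split(fields[2]))  # inner double-quoted list

    return ca_dn, can_sign, patterns

def subject_permitted(issuer_dn, subject_dn, policy):
    """True only if the issuer is the policy's CA and the subject is in its namespace."""
    ca_dn, can_sign, patterns = policy
    if not can_sign or issuer_dn != ca_dn:
        return False
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in patterns)

def namespace_violations(policy_text, certs):
    """Return the (issuer, subject) pairs that fall outside the signing policy."""
    policy = parse_signing_policy(policy_text)
    return [c for c in certs if not subject_permitted(c[0], c[1], policy)]

if __name__ == "__main__":
    for issuer, subject in namespace_violations(SAMPLE_POLICY, SEEN_CERTS):
        print("VIOLATION issuer=%s subject=%s" % (issuer, subject))
```

Run against the constructed list, the check flags the subject outside the CA's namespace and the certificate issued by a CA that is not the one named in the policy.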
Implementation of the federation (cont’d)
• IGTF maintains an ML for announcements
  • IGTF: igtf-general@gridpma.org
  • APGrid PMA: members@apgridpma.org
  • EUGrid PMA: dg-eur-ca@services.cnrs.fr
  • TAGPMA: tagpma-general@tagpma.org
  • IGTF-general@gridpma.org
Appendix: Issues to be considered for operating authorities
• Read the authentication profile and minimum CA requirements carefully
• Design your CA (some of the issues that need to be considered)
  • Applicability of issued certificates
  • CA/RA responsibilities
  • Identity validation process of end entities
  • Implementation
    • Structure of CA: online or offline?
    • Structure of RA network
    • Secure communication between RAs and CA
    • Web repository
    • Archived logs
  • Properties of CA, user, host and service certificates and private keys:
    • Certificate DNs
    • Certificate extensions
Appendix: Issues to be considered for operating authorities (cont’d)
• Draft CP/CPS
• Implement and operate the CA
  • MUST COMPLY with the CP/CPS
• Auditor is especially interested in
  • How the lifecycle of certificates is kept secure.
    • How a CSR is sent to RA/CA
    • Identity vetting (F2F)
    • How the RA communicates with the CA
  • How the CA signing machine is securely administered.
    • Hardware
    • Operation
    • CA private key
  • How the issued certificate will be sent to the end entity
  • Are archived logs enough to trace anything if something goes wrong?
Summary
• You are a member of the APGrid PMA as well as the IGTF
• You have responsibilities as a member of the APGrid PMA and the IGTF
  • Your CA must be appropriately operated and comply with the CP/CPS
• The PMA was developed with a grass-roots approach, but it has become a globally recognized organization.
• Your contribution is necessary for further development of the PMA and IGTF.