
Security and Virtual Organizations Workshop

Security and Virtual Organizations Workshop. OSG All Hands Meeting, Fermilab, March 8, 2010. Mine Altunay, maltunay@fnal.gov, FNAL. Messages taken from the Identity Management Workshop at Madison.


Presentation Transcript


  1. Security and Virtual Organizations Workshop OSG All Hands Meeting Fermilab March 8, 2010 Mine Altunay maltunay@fnal.gov FNAL

  2. Messages taken from the Identity Management Workshop at Madison
     • All VOs (17 responded) very frustrated with the usability of the credentials on users' desktop across web & grid domains.
     • Certificate lifecycle management: request, retrieve, use, renew, revoke.
     • Use: import, export, store in browser, email, grid clients
     • Collaboration = diverse tools = web tools + grid tools
     • Do not forsake one for the other.
     • Find a solution that can accommodate both
     • VOs need a single-sign-on-like environment for all of their collaborative tools. VOs need a unifying access control mechanism for all of their tools.
     OSG Security 8March10

  3. Messages taken from the Identity Management Workshop at Madison
     • Support for smaller dynamic VOs is a need
     • Lightweight, intuitive (like uname/passwd) access control similar to web-based apps. Shorter time to get credentials and start working on the grid. Currently difficult in the OSG model and technologies we use.
     • New users are intimidated and inhibited by the infrastructure
     • The full workshop report is available at https://twiki.grid.iu.edu/bin/view/Security/OsgEsnetWorkshopReport
     • Action items are listed
     • Feel free to add more

  4. What Happened since the Workshop
     • Certificate life-cycle management on the desktop
     • Analyzing the problem and existing solutions
     • See Gabriel Ghinita's talk for a discussion
     • Hard problem; diverse OSes, browsers, and CAs
     • Hard to integrate certificates with web and other tools
     • Is this a losing battle, swimming against the current?
     • Is there an alternative: if we cannot solve the problem, can we get rid of the problem?
     • Use dominating web authentication mechanisms for web tools: uname/passwd, Shibboleth, OpenID
     • Derive certificates from web authN mechanisms
     • What short-lived CAs already do
     • User certificates only in grid domain
     • Trade-off between usability and security, compromising the security?

  5. What Happened since the Workshop
     • Support for smaller dynamic VOs is a need
     • Trying to streamline certificate and VO registry
     • Simplify certificate request web forms
     • Automated/instantaneous certificates would help
     • Would need a short-lived CA to issue
     • CA needs to be backed by an existing user database, like a university registrar or a VO user database
     • Efforts to better identity vetting at DOEGrids CA
     • Some improvements, but largely depends on VO Agents' efforts
     • VO sponsors the identity vetting, so VOs should set time goals for themselves. OSG can implement and enforce these goals

  6. What Happened since the Workshop
     • Time wasted due to CRL outages and expiries
     • Being watched constantly and relayed a list to IGTF for action
     • Trying to find an alternative location to host CRLs, isolate sites from individual CA web site problems
     • VO Risk scenarios
     • Your turn to talk
