1 / 13

Establishing Identity in EGI

Establishing Identity in EGI. the authentication trust fabric of the IGTF and EUGridPMA. David Groep, FOM-Nikhef and NL-NGI for EGI global task O-E-15 This work is supported by EGI-InSPIRE under NA2. Roles of authentication.

yardley
Download Presentation

Establishing Identity in EGI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA David Groep, FOM-Nikhef and NL-NGI for EGI global task O-E-15 This work is supported by EGI-InSPIRE under NA2

  2. Roles of authentication EUGridPMA and IGTF – international grid trust federation – are about authentication, i.e. establishing identity. Why do you need to establish identity? • Access control to resources and services • Incident management and auditing • Accounting, auditing, &c… Here we focus on authenticating individuals • natural persons, hosts, services, software agents Establishing identity in EGI

  3. Access Control Points • Authorization • based on the unique AuthN ID • grants or denies access • several control points • - VO must be member of community only work within common AUP • - site has list of VOs + ban list • Authentication • each person globally unique name • only identification • persons may have more than ID Establishing identity in EGI

  4. Coordinating identity: the trust fabric • Guaranteed uniqueness, authenticity, compliance with technical requirements for identity needs coordination • these guidelines constitute a (technical) policy • the group responsible for setting and verifying these is thus a Policy Management Authority (‘PMA’) • needs to work across many grids (across NGIs, EGI, OSG, LCG, DEISA/PRACE, TeraGrid, ...) • user communities span multiple infrastructures • so the coordination needs to be global as well Establishing identity in EGI

  5. The EUGridPMA The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body • to establish requirements and best practices for grid identity providers • to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources. The EUGridPMA itself does not provide identity assertions, but instead asserts that - within the scope of its charter – the assertions issued by the Accredited Authorities meet or exceed the relevant guidelines. Establishing identity in EGI https://www.eugridpma.org/

  6. EUGridPMA organisation • Established April 1st 2004 by founding members • national identity authorities from the EU DataGrid and CrossGrid CA Coordination Group • EGEE, DEISA, SEE-GRID, TERENA as relying parties • Today 46 members • 5 cross-national relying parties(EGI,DEISA,OSG,TERENA,wLCG) • 41 identity authorities (“CAs”) Establishing identity in EGI https://www.eugridpma.org/members/

  7. EUGridPMA Activities • Establishing Authentication Guidelines • technical policies defining minimum requirements that authorities must meet or exceed • matches the level of assurance(LoA) needed for the authorization decisions by the relying parties (resource centres, data owners, ...) • Reviewing compliance of new authoritieswith respect to these guidelines • Periodic peer-reviewed re-assessments • Provide technical source of ‘trust anchors’ for accredited authorities • categorised by LoA, verification via TERENA TACAR Establishing identity in EGI https://www.eugridpma.org/guidelines/

  8. Global coordination • International Grid Trust Federation – IGTF • Three ‘regionals’ EUGridPMA, APGridPMA, TAGPMA • Strongly coordinated: accrediting to common standards Establishing identity in EGI http://www.igtf.net/

  9. Implementing the Acceptable CAs • EGI policy on Approved Authoritiesall IGTF Authorities compliant with defined assurance level • Grid participants in EGI are supposed to install all approved trust anchors • in as far as allowed by site, organisational, national policies • site, organisational, national policy takes precedence • report deviations to the EGI Security Officeras per the general Grid Security Policy • Grid participants may install other trust anchors • e.g. authorities for site or national training purposes • local authorities or local translators (e.g. SARoNGS) Establishing identity in EGI https://documents.egi.eu/document/83

  10. EGI ‘CA distribution’ • EGI policy supported by technical infrastructure:the ‘ca-policy-egi-core’ package • provided as a convenience service for sites/NGIs • originated in EUDataGrid/LCG/EGEE as ‘lcg-CA’ • collection of trust anchor certificate files & metadata • a re-distribution of the IGTF trust anchors • packaged as RedHat Package Manager (RPM) • provided, for as long as needed by the NGIs, via support (0.05FTE) by EGI-InSPIRE under SA1 • but several sites and NGIs already build their own... Establishing identity in EGI

  11. Trust & AuthN implications • Both adding trust anchors locally and sub-setting trust anchors is compliant with standing EGI policy today • when sub-setting: report to security officer, since it leads to unmanaged exceptions in infra operations • breaks intra- and inter-grid interoperability – so both site and its users have to deal with consequences • Effect of sub-setting trust anchors may not be what you would expect, due to • jointness policy requirements for multi-grid affiliates • constituencies & scopes of identity providers in the IGTF and underlying academic federations Establishing identity in EGI

  12. Summary • Authentication • basis for grantingand denying access by VOs and resource centres • does not grant any access rights in or by itself • allows incident response & auditing of ‘undesired access attempts’ • EUGridPMA and IGTF provide • a global authentication trust fabric across infrastructures, • according to scoped technical security policies, • based on many autonomous authentication authorities • Standing EGI security policies leverage the IGTF • acknowledges site and national policy primacy • and sub-setting the endorsed set unlikely to have the expected effect Establishing identity in EGI

  13. Establishing identity in EGI Discussion

More Related