
Authentication Policy
David Kelsey, CCLRC/RAL
d.p.kelsey@rl.ac.uk
15 April 2004, Dublin

Outline

· Grid Authentication Background
· Current Status
· The EU Grid PMA
· Policy Guidelines
· TACAR
· Summary

David Kelsey – Authentication Policy – 15 Apr 2004 – eInfrastructure Workshop, Dublin

Grid Authentication Background

· Many Grids use the Grid Security Infrastructure (GSI)
  · For Authentication
  · Based on X.509 Public Key Infrastructure (PKI)
· The EDG Certification Authorities Coordination Group (CACG) – started in December 2000
· Coordinated the CAs for use by (EU FP5)
  · EU DataGrid (EDG)
  · DataTAG
  · CrossGrid
  · & Many national Grid projects
· Global requirements driven by LCG (HEP)

EDG CACG (2001-03)

· User Single “Sign-on”
  · Once per session (and delegation)
· Identity credentials accepted by many Grids
· Hierarchical root – not possible in GSI
· Most appropriate scale is one CA per nation
· Timely Revocation is important
· Establish common trust domain
  · minimum requirements/best practice/peer review
· Certificates from trusted CA can be used anywhere
· Common repository of trust anchors
· Robust Registration Authority procedures are needed

Current Status – 21 Approved CAs and number of certificates issued to date

CA            Certificates issued
Armenia       0
Taiwan        80
CERN          640
Czech Rep     365
France        1400
Cyprus        18
Spain         408
USA           2807
FNAL(US)      1
Canada        570
Ireland       170
Germany       364
Greece        49
Italy         1956
Portugal      61
Netherlands   321
Nordic        579
Poland        266
Russia        230
Slovakia      26
UK            1856
Total         12167

EU Grid PMA coverage

· Most countries in Europe have a national CA
· “Catch-all” for EGEE (France) and SEE-GRID for S. East
· Green: CA Accredited
· Yellow: being discussed

Other Accredited CAs:

· DoEGrids (USA)
· GridCanada
· ASCCG (Taiwan)
· ArmeSFO (Armenia)
· CERN
· Russia (LCG)
· FNAL Service CA (USA)
· Israel
· Pakistan

The EU Grid PMA “Policy Management Authority”

· Continues from the EDG CACG
· www.eugridpma.org
· Defines Minimum requirements and Best practices
· Accredits Authorities
· General authentication – not just PKI
· Members
  · Accredited Authorities
  · Major relying parties (EGEE, DEISA, SEE-GRID, LCG, …)
  · TERENA (TACAR)
· 1st meeting – April 2004 – Florence (INFN)
  · Charter approved
  · David Groep (NIKHEF) appointed as Chair

Authentication Policy Guidelines

· Wherever possible
  · No more than one CA per country
  · Aim for widest possible cover
· PMA does not provide identity assertions
· Certificates issued meet or exceed the guidelines
· Identity for Grid/eScience Authentication only
  · No support of data encryption or non-repudiation
  · No support for financial transactions
· No liability!

Policy Guidelines (2)

· A single authoritative source for verifying roots of trust is needed (see TACAR)
· We must work in the global arena (GGF & gridpma.org)
· GSI imposes technical constraints which must be met
· The PMA is mainly technical
· Development needs technical experts

TACAR

· The TERENA Academic CA Repository
· Created by task force TF-AACE
  · Aimed at facilitating the use of PKI in Europe
· Repository of “trust anchors”
  · Like root certificates distributed with web browsers
· NREN CAs and not-for-profit projects (e.g. Grid)
· Published policy and procedures for registration
· No evaluation of CA policies or procedures
· An important service for Grid Authentication
  · Authoritative source of roots of trust

Summary

· The CACG built a strong base for Grid Authentication
· The EU Grid PMA is now instrumental for FP6 Grid projects in the global arena via a single Trust Domain
· EGEE, DEISA and SEE-GRID are all relying party members of the PMA and will use this PKI
  · And other global and national Grids, e.g. LCG
· A single common repository for authentication will promote the trust anchor (TACAR)