Скачать презентацию http www eugridpma org TERENA TF-EMC 2 Workshop Скачать презентацию http www eugridpma org TERENA TF-EMC 2 Workshop

54443e9ea8b3611f2c15097f4a8d452c.ppt

  • Количество слайдов: 12

http: //www. eugridpma. org/ TERENA TF-EMC 2 Workshop David Groep, 2004. 11. 04 http: //www. eugridpma. org/ TERENA TF-EMC 2 Workshop David Groep, 2004. 11. 04

A PKI for Grids · PKI model fits the lack of hierarchical relations between A PKI for Grids · PKI model fits the lack of hierarchical relations between users and resources in the Grid · Users can join collaborations (VOs), that are independent of both resources and home organisations · mainly unilateral trust relations (RP/subscriber -> CA) limited mutual trust (CA->CA within PMA) · Both users and services need a credential · Revocation: · of auth. Z via the VOs, · of Auth. N via the CAs (latter only of the identity is compromised) David Groep – [email protected] org TF-EMC 2 meeting, November 4 2004 - 2

The EUGrid. PMA European Grid Authentication Policy Management Authority for e-Science · Coordinates authentication The EUGrid. PMA European Grid Authentication Policy Management Authority for e-Science · Coordinates authentication for people and services for European, national, and related Grid projects EGEE, DEISA, SEEGRID, LCG, … · PMA manages authentication guidelines policies · Trust domain for research and academic grids David Groep – [email protected] org TF-EMC 2 meeting, November 4 2004 - 3

Certificate Authority Coordination · Evolved from the CA Coordination Group in Data. Grid, Cross. Certificate Authority Coordination · Evolved from the CA Coordination Group in Data. Grid, Cross. Grid, LCG, … · collection of national and regional CAs · better local identity vetting · national legislation · all meet or exceed minimum requirements · · identity checking (in-person, photo-ID) physical security (signing key protection, storage) naming (unique certificate names) revocation (updated lists, retrieval) · Clearly defined accreditation procedure · Basic tools and distribution mechanisms David Groep – [email protected] org TF-EMC 2 meeting, November 4 2004 - 4

Accreditation process · Codification of procedures in a CP(S) for each CA · de Accreditation process · Codification of procedures in a CP(S) for each CA · de facto lots of copy/paste, except for vetting sections · Peer-review process for evaluation · comments welcomed from all PMA members · two assigned referees · In-person appearance during the review meeting David Groep – [email protected] org TF-EMC 2 meeting, November 4 2004 - 5

Accredited Authorities · Everyone (almost) in Europe has a national CA · Green: CA Accredited Authorities · Everyone (almost) in Europe has a national CA · Green: CA Accredited · Yellow: being discussed Other Accredited CAs: · · · · · David Groep – [email protected] org Do. EGrids (US) Grid. Canada ASCCG (Taiwan) Arme. SFO (Armenia) CERN Russia (HEP) FNAL Service CA (US) Israel Pakistan TF-EMC 2 meeting, November 4 2004 - 6

The Catch-All CAs Project-centric “catch all” Authorities · For those left out of the The Catch-All CAs Project-centric “catch all” Authorities · For those left out of the rain in EGEE · CNRS “catch-all” (Sophie Nicoud) · coverage for all EGEE partners · For the South-East European Region · regional catch-all CA · For LCG world-wide · Doe. Grids CA (Tony Genovese & Mike Helm, ESnet) · Registration Authorities through Ian Neilson David Groep – [email protected] org TF-EMC 2 meeting, November 4 2004 - 7

Distribution RPM distribution to facilitate deployment projects · validation must be done via TACAR Distribution RPM distribution to facilitate deployment projects · validation must be done via TACAR (or out-of-band means) · releases contain · · · CA root cert CRL URL CA URL namespace-policy file (used by software for enforcement) dependency information (for hierarchical PKIs) · meta-RPMs “ca_policy_eugridpma” for triggering dependencies in install software (yum/apt) · releases every ~ 4 -12 weeks David Groep – [email protected] org TF-EMC 2 meeting, November 4 2004 - 8

Global interoperation · PMAs collaborate bilaterally in an interoperation framework: the International Grid Federation Global interoperation · PMAs collaborate bilaterally in an interoperation framework: the International Grid Federation see www. gridpma. org EUGrid. PMA Americas PMA being formed APGrid. PMA David Groep – [email protected] org TF-EMC 2 meeting, November 4 2004 - 9

Commonality · Common services to all European e. Infrastructure · EUGrid. PMA: · All Commonality · Common services to all European e. Infrastructure · EUGrid. PMA: · All EU Grid infrastructure FP 6 programmes · CAs also cover inter-organisational national projects · TERENA TACAR provides the trust validation · Grid projects rely on TACAR to validate roots-of-trust · Minimum Requirements form bases of IGF · Coherency in AP modelled on EUGrid. PMA · Americas are planning to build an AMSGrid. PMA David Groep – [email protected] org TF-EMC 2 meeting, November 4 2004 - 10

Current topics of discussion · Continuing updates to minimum requirements as experience grows to Current topics of discussion · Continuing updates to minimum requirements as experience grows to comply better with evolving Grid middleware to comply with evolving industry standards · User key hygiene worries abound Can the user be trusted with key care? (hardly…) · Complexity for users, services the server-certificate service! · On-line CA methodologies Guidelines and Minimum Requirements Site-local solutions (SIPS) Active Certificate Stores (credential repositories, escrow services) CA-generated key pairs and ease-of-use David Groep – [email protected] org TF-EMC 2 meeting, November 4 2004 - 11

http: //www. eugridpma. org/ David Groep – chair@eugridpma. org TF-EMC 2 meeting, November 4 http: //www. eugridpma. org/ David Groep – [email protected] org TF-EMC 2 meeting, November 4 2004 - 12