Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006 www.opensciencegrid.org.

2 Contents
- Overview of OSG
- Why we use X.509 PKI
- How we use it
- What’s wrong with it
- Comments


4 www.opensciencegrid.org
- 21 registered Scientific Virtual Organizations
- 51 Compute resources, 6 Storage resources (~20 additional on integration grid)
- O(1000) running and O(1000) pending jobs (low usage due to growing pains)
- Strongest driver today is LHC science program. Many other science programs are also users and participants.
- Interoperation with EGEE, Teragrid, numerous regional & campus grids.
- 85% of DOEGrids PKI certificates, ~1000 OU=People, 3000 OU=Services

5 How is Trust Established? (or What does “Trust” mean?)
- $1B+ science programs have a 10+ year scientific, political, technical development phase during which collaborations are established.
- Many MOUs are signed detailing responsibilities
  – Construction of machine/accelerator/telescope/…
  – Construction of experimental equipment/detectors
  – Computational resource commitments
- Membership in a scientific collaboration is controlled with governing procedures
- The research program defines who is supposed to work together.
- PKI is a technical detail of the computing plans
- The definition of which organizations must trust each other was established before anyone who understands PKI got involved, so the question is “How to trust?” more than “Who to trust?”
  – However, OSG promotes an opportunistic computing model and would like to match VOs and resource providers with little or no advance agreements.
- “Trust” within the PKI means the acceptable range of policies and procedures under which computing resource providers and scientists can work together.

6 Why do we use PKI?
- We have built and are growing a grid and use whatever security infrastructure is available and practical.
- Interoperability with the world-wide open science community is essential.
  – Technical aspects: Functioning CA/RA. This means Globus pre-WS GSI (& WS GSI), X.509. Additional supporting infrastructure has been deployed: VOMS, GUMS, Prima, CA/CRL distribution
  – Bureaucratic aspects: Ability to establish and maintain trust by sites, VOs, users. Accredited CAs (IGTF)
- Therefore: Globus GSI, TAGPMA and IGTF

7 How do we use PKI?
- DOEGrids PKI operated by ESnet is our primary provider.
  – CN=,OU={People|Services},DC=doegrids,DC=org
- OSG has asked TAGPMA to accredit CAs used in the grid community in the Americas and to provide us with the accredited list.
- We operate the distributed human RA network to authenticate requests. Signed email & telephone.
- End Entities hold private keys.
- OU=Services certs used as SSL certs for host & service identification.
- Virtual Organizations (VOs) manage users via VOMS servers, using DN of EE and issuer as identifier, and holding additional attributes for authorization.
  – User gets a short-lived proxy certificate with an extension holding authZ attributes signed by the VOMS server

8 How do we use PKI? (Validation, AuthZ)
- Certificate validation environment during grid transaction
  – Proxy certificates (RFC 3820)
  – Trusted CA certs & CRL URLs downloaded from VDT
  – CRL updates using EDG tools on each resource (from EU DataGrid, now EGEE2)
- CRLs are only for long-lived certs. No tools for revoking just a delegated proxy certificate.
- Resource authZ
  – “Recommended” means is to do Role Based AuthZ by use of Prima & GUMS to interpret VOMS extended proxy certs and map to local UID/GID based on attributes signed by VOMS server.
  – Many sites use classic pre-WS GSI and tools to download grid-mapfile entries from VOMS servers

9 What is wrong with it (1)
- Previous slide: In other words, there was a lot of missing infrastructure for using PKI for user authN/authZ for grid transactions.
- Incomplete infrastructure for managing user private keys
  – Just files in users’ home directory(ies)
  – Standardization of end-user environment in open science community is impossible
  – MyProxy helps substitute private key/passphrase with username/password (huh???)
- Reduce or eliminate end-user private key management
  – Short Lived Certificate Service (SLCS) profile is moving through TAGPMA, IGTF that will apply to services like KCA (at FNAL & PSC), and a MyProxy-based CA issuing short-lived certs.

10 What is wrong with it (2)
- X.509 needs mapping to resource security infrastructure (uid/gid), which is site specific
  – Gridmap-file, but proxy does not follow process group, except for reliance upon same uid, and it is common practice to map entire VO to single uid. Maps only DN, so same person wanting different roles needs different DNs
  – Or VOMS/Prima/GUMS infrastructure for role-based access control
  – Ownership of long-lived data???
- Use short-lived proxies to allow single sign-on
  – then do credential renewal to get long enough lifetime
- Revocation is cumbersome & slow
  – Symmetric with initial authentication & certificate issuance
  – Site requirements for incident response need faster mechanism to suspend a user’s privileges
- Certificate lifecycle management is rocky for us, but not the biggest trouble …
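To make the grid-mapfile limitation described on slide 10 and the Prima/GUMS alternative from slide 8 concrete, here is an added Python example (not OSG, Globus or GUMS project code): a classic grid-mapfile parser that can only key on the subject DN, beside a mapping driven by VOMS FQAN attributes that gives the same DN different local accounts depending on the signed role. The DNs, account names and policy entries are constructed for the example.

```python
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample grid-mapfile (classic pre-WS GSI): "<subject DN>" <local account>.
# The DNs and account names are made up for this example.
GRID_MAPFILE = """
"/DC=org/DC=doegrids/OU=People/CN=Example User 12345" cmsuser
"/DC=org/DC=doegrids/OU=People/CN=Other User 67890"   cmsuser
"""

# Constructed GUMS-style policy: (VO group prefix, Role, local account); first match wins.
ROLE_POLICY: List[Tuple[str, str, str]] = [
    ("/cms", "production", "cmsprod"),
    ("/cms", "NULL", "cmsuser"),
]

def parse_gridmap(text: str) -> Dict[str, str]:
    """DN -> local account. A DN carries one mapping, so a user who needs a
    second role at this site needs a second DN (the slide's complaint)."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, accounts = shlex.split(line)  # quoted DN; ValueError on a malformed line
        mapping[dn] = accounts.split(",")[0]  # first listed account is the default
    return mapping

def parse_fqan(fqan: str) -> Tuple[str, str]:
    """Split a VOMS FQAN like /cms/higgs/Role=production/Capability=NULL
    into (group, role); the Capability component is ignored."""
    group, role = [], "NULL"
    for comp in fqan.strip("/").split("/"):
        if comp.startswith("Role="):
            role = comp[len("Role="):]
        elif not comp.startswith("Capability="):
            group.append(comp)
    return "/" + "/".join(group), role

def map_by_role(fqans: List[str], policy=ROLE_POLICY) -> Optional[str]:
    """Prima/GUMS-style mapping: pick the account from the VOMS-signed attributes,
    not the DN. Assumes the VOMS AC signature and proxy chain are already validated."""
    for fqan in fqans:  # primary FQAN comes first; None means no match (deny)
        group, role = parse_fqan(fqan)
        for vo_group, policy_role, account in policy:
            if role == policy_role and (group == vo_group or group.startswith(vo_group + "/")):
                return account
    return None
```

With the grid-mapfile both sample users land on the single shared `cmsuser` account whatever they are doing, while the role-based path sends a production-role proxy from the same DN to `cmsprod` and denies a proxy whose VO has no policy entry.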

11 Comments
- PKI “works reasonably” for server certificates
- Infrastructure surrounding PKI for end user certificates is incomplete and ad hoc
- I hope you all paid close attention to Angela Sasse’s talk yesterday.
  – I think people understand username/password and email addresses and this should be enough ID tokens for end users.
- AuthZ infrastructure being tied to PKI suffers from mismatch between user requirements and underlying resource functionality, i.e., the trouble is not due to PKI, just coupled because of PKI-based ID
