Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007.

Published byJulian Kelley Modified over 8 years ago

Similar presentations

Presentation on theme: "On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007."— Presentation transcript:

1 On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007

2 What is a Robot A long-lived user certificate –Whose private key is “unprotected” –i.e. not protected with a passphrase Identity –Not tied to a network identity –Tied to a specific user (owner)

3 Why Robots Solve certain tasks –Email encryption –Grid monitoring –Automated data replications or running jobs Different types (extensions) A 1SCP policy defines additional OID

4 Deployment UK first implementation… Now DutchGrid has one too! Meant to –be accepted by the community –gather real life robot experiences –become Robot HOWTO for others to use

5 UK Implementation Robots have names –Name after what they are, not what they do –“GridClient”, “MailCipher”,… What they do… –Depends on use and authorisation –Job sub, data rep, monitoring – GridClient

6 Robot Names Robot DN derived from owner’s DN –Owner DN + an additional CN –/CN=Robot:GridClient –‘:’ can be encoded as printableString –‘:’ does not occur in user or host CNs –Simple algo to find name of owner of robot

7 Robot Names Why use the DN? –DN is used for authorisation –DN is logged into log files –Can easily find user from Robot’s DN Allow disambiguation –/CN=User Name/CN=Robot:Type (314) –No semantics associated to disamb.

8 Robot extensions Must be documented for each type –Documentation can be external to CPS Allows for adding more types NO SERVER EXTENSIONS –MUST NOT be able to act as server –Does not contain network identity

9 How to recognise a robot …from quite a long way away. Check the DN… –Does it have an add’l CN with “Robot:” Check the policyIdentifier –Does it have any Robot 1SCP OID?

10 Security Issues MUST be authorised independently –of the user’s authorisation Private key is “unprotected” –i.e., not by passphrase – “always on” So UK policy requires: –Private key MUST be held on key token Can’t steal the key, physically held on machine

11 Security Issues Robot certificates MUST NOT be shared –Single person responsible for use of robot –CA decides what it is, owner what it does Each Robot has a unique DN –No two Robots share keys

12 Security Issues – RA Owner uses existing certificate/key to apply for a Robot RA op MUST verify that key is protected on key token –Slightly clumsy changes to procedure –Also true when rekeying –Stick with renewals? (+ check owner’s cert)

13 Open Questions Can anyone apply for a robot? –If not, how should it depend on the type? Distinguish simple from powerful robots –Other than by extns –How to enforce what it does (cf Globus services) Bit like object signing extensions –How does CA assert this? Are robots too tied to their owner’s name?

14 Conclusion Robots can simplify and securify Use cases – things otherwise run from proxies or host certs As usual an experimental science –Deployed now, learning from experience –Wider support for tokens improves takeup

Download ppt "On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007."

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/

Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/
Private Key Protection. Whats it about Without the private key, the certificate is useless One of two main purposes of cert: –Prove possession of private.

Private Key Protection. Whats it about Without the private key, the certificate is useless One of two main purposes of cert: –Prove possession of private.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
11-Dec-01D.P.Kelsey, Authentication1 Authentication 11 Dec 2001 David Kelsey CLRC/RAL, UK

11-Dec-01D.P.Kelsey, Authentication1 Authentication 11 Dec 2001 David Kelsey CLRC/RAL, UK
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
A responsibility based model EDG CA Managers Meeting June 13, 2003.

A responsibility based model EDG CA Managers Meeting June 13, 2003.
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz.
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.

Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Similar presentations

Ads by Google