Presentation is loading. Please wait.

Presentation is loading. Please wait.

Summary from CA coordination and Security working group meeting WP4 workshop 2001.06.07

Published byBruce French Modified over 8 years ago

Similar presentations

Presentation on theme: "Summary from CA coordination and Security working group meeting WP4 workshop 2001.06.07"— Presentation transcript:

1 Summary from CA coordination and Security working group meeting WP4 workshop 2001.06.07 davidg@nikhef.nl

2 David Groep – CA and DG security wg – 2001.06.07 - 2 Security related meetings summary u Certification Authorities coordination n Organizationally a working group of WP6 n Coordinates efforts for certification in various counties n Gives guidance to new CA’s now setting up n Sets minimum standards for trustworthy CA’s u DataGrid Security coordination meeting n Interested individuals concerned with security in the DataGrid at large n Forum for security architecture discussions n Coordination of security efforts within the WP’s

3 David Groep – CA and DG security wg – 2001.06.07 - 3 Certification Authorities u Currently 8 Certification Authorities: n CERN (Pietro Martucci) n INFN (Roberto Cecchini) n DutchGrid/NIKHEF (David Groep) n UKHEP (Andrew Sansum) n CNRS datagrid-fr (Jean-Luc Archimbaud) n LIP (Jorge Gomes) n CESnet (Milan Sova and Daniel Kouril) n Spain is preparing, Russia will start preparing

4 David Groep – CA and DG security wg – 2001.06.07 - 4 Certification minimal requirements u Minimal requirements for certification authorities defined n Non-networked machine n Documented Certification Policy and Practice Statement (CP/CPS) n Traceability of CPS in effect at time of signing (using OID’s) n CRL issuing required, lifetime between 7 and 30 days n Relying parties should retrieve CRL preferably every day n There will be no on-site auditing, we will crosscheck each others CP/CPS n Entities should generate own key pairs (CA must not know!) u Activity on recommending best-practice Grid CP/CPS in GGF (DataGrid has no manpower to get heavily involved) u Drafted a list of recommended cert extensions

5 David Groep – CA and DG security wg – 2001.06.07 - 5 Certification Authorities in a Fabric u None of the national CAs is prepared to issue host certificates to all hosts in a farm u OK to apply for gatekeeper certs for LSF masters and such u OK also for test bed 1 hosts with fork job manager u WP4 has already a possible solution: FLIDS  Automatic CRL retrieval, use the GetCerts package from cron soon to be included in WP6 distribution, now from DutchGrid CA site http://certificate.nikhef.nl/

6 David Groep – CA and DG security wg – 2001.06.07 - 6 Certification Authorities, Administrative u A ca-coordination mailing is being set up by Dave Kelsey u List can be used for incident reporting u See also http://marianne.in2p3.fr/datagrid/ca/ca.htmlhttp://marianne.in2p3.fr/datagrid/ca/ca.html u Detailed notes to be found from http://www.nikhef.nl/~davidg/grid/

7 DataGrid Security working group

8 David Groep – CA and DG security wg – 2001.06.07 - 8 DG Security-wg aims u Identify security requirements and deliverables witin the WPs u Implications of security on the DataGrid architecture (urgent) u Identify lacking resources u Self-organisation u Extensive discussions planned for Lecce with Steve Tuecke

9 David Groep – CA and DG security wg – 2001.06.07 - 9 Security per Work Package (1) u WP1 n Will be managing the user’s identities n Jobs will probably run with the identity of the original user n The applications don’t care, as long as: s Roles can be assigned to users and s Quota can be associated with roles s A user can have multiple roles (in different sessions), but only one cert u WP2 n Same issue with ownership of replicated files. Not resolved yet.

10 David Groep – CA and DG security wg – 2001.06.07 - 10 Security per Work Package (2) u WP3 n Will start using MDS-2 in PM9 n Will have added GSI security, but does not use LDAP access rights n No sub tree or element access control, just grid mapfile n Only just started thinking about security issues for >PM9 u WP4 n Presented use case of job submission, GjMS, LCAS, LCMAPS & FLIDS n For grid info services use WP3 framework n “GridGate” should be relabelled “NAT box” n No security comments on install-a-fresh-box use case

11 David Groep – CA and DG security wg – 2001.06.07 - 11 Security per Work Package (3) u WP5 n Will store files by uid/gid n Will need a grid mapfile n May be different form the one used by ComputeElement n YAGM: Yet Another Grid Mapfile u WP7 n Interesting: they have three security deliverables and some committed manpower (PPARC 18 pm/3y, CERN 12 pm/3y, INFN & CNRS also) n No-one in WP7 cares about security at large n Only competent in network-layer security, so work might be done under ATF umbrella, formally staying in WP7 n Once and for all: VPNs are a bad thing. The effort for the VPN test bed is going into a document to prove VPNs are useless n DoS attacks will be the real issue in network security

12 David Groep – CA and DG security wg – 2001.06.07 - 12 Security per Work Package (4) u WP8,10 (applications) n Want less fuss with national CA’s (150 counties in LHC!) sorry! n Want single signon: one identity and multiple roles (1 role per session) n Autorization by VO, VO decides on quota and groups n Requirement common to all applications justify a common solution (CAS) n Applications want to keep local site in control, but n Local sites should publish their policies (abstracted) to show they are complying with the agreed MoUs n Want a good USERS GUIDE u WP10 has a lot of sensitive data, encryption preferred on application level u “anonymous ftp” like areas, but restricted to “any biologist”

13 David Groep – CA and DG security wg – 2001.06.07 - 13 Policy language u Obvious candidate is the work of the IRTF AAAARCH group u Generic policy language currently an IRTF draft u http://iridal.phys.uu.nl/~aaaarch/doc08/ http://iridal.phys.uu.nl/~aaaarch/doc08/ u Or http://www.aaaarch.org/

14 David Groep – CA and DG security wg – 2001.06.07 - 14 Interaction between CE and SE u Details: ATF (Germán) u Some consensus seems to be n Use GridFTP for for remote and local access to a SE n Applications are prepared to refrain from local file system access (not use open(2)) n Except for some scratch storage like /tmp n Legacy applications should pre-declare their files n To prevent rouge applications, the binaries may be signed n The receiving end should verify the signature n Users can make no assumptions about a local identity anywhere (gsi-ssh)

15 David Groep – CA and DG security wg – 2001.06.07 - 15 Firewall issues u Current state on port numbers used is unclear u Especially for return ports and user dynamic ports u Nice to have all future access use predefined static ports, u Providing secure gateways into the local fabric u Like the WP4 proposal u To be able to selective block malicious access

16 David Groep – CA and DG security wg – 2001.06.07 - 16 User mapping management for PM9 u INFN: LDAP directory of users and groups generates a gridmapfile n URL not yet defined u Manchester: gridmapdir patch n http://www.hep.grid.ac.uk/gridmapdir/ http://www.hep.grid.ac.uk/gridmapdir/ n Possibly included in new Globus release by default Uid issues: most systems do 4 billion uids, but Linux ≤ 2.2.x only 64K?

17 David Groep – CA and DG security wg – 2001.06.07 - 17 Future of the security working group u Dave Kelsey will propose a somewhat more formal body to the PTB u Should be driven by 3 named persons, to come from the three sites with committed effort (PPARC, INFN, CNRS) u Lot of others should review documents and/or write a few pages for the architecture u Framework for architecture given by DaveK u Requirements by September/October u Final Security architecture deliverable is in PM12 u Detailed notes at http://www.nikhef.nl/~davidg/grid/

Download ppt "Summary from CA coordination and Security working group meeting WP4 workshop 2001.06.07"

Similar presentations

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
Andrew McNab - Manchester HEP - 24 May 2001 WorkGroup H: Software Support Both middleware and application support Installation tools and expertise Communication.

Andrew McNab - Manchester HEP - 24 May 2001 WorkGroup H: Software Support Both middleware and application support Installation tools and expertise Communication.
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
Gridification Task Development Plan for Release 1.1 – 2.0 For Gridification: David Groep

Gridification Task Development Plan for Release 1.1 – 2.0 For Gridification: David Groep
The DutchGrid Platform Collaboration of projects from –Computer Science, HEP and service providers Participating and supported projects –Virtual Laboratory.

The DutchGrid Platform Collaboration of projects from –Computer Science, HEP and service providers Participating and supported projects –Virtual Laboratory.
Security Q&A OSG Site Administrators workshop Indianapolis August 6-7 2009 Doug Olson LBNL.

Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.
Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.

Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.
GSI – Grid Security Infrastructure and the EU DataGrid Authentication Infrastructure For the EDG CACG: David Groep.

GSI – Grid Security Infrastructure and the EU DataGrid Authentication Infrastructure For the EDG CACG: David Groep.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
WP4 Gridification Subsystem overlap Globus & existing systems LCAS and AAA in WP4 for Gridification Task: David Groep

WP4 Gridification Subsystem overlap Globus & existing systems LCAS and AAA in WP4 for Gridification Task: David Groep
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Andrew McNab - Manchester HEP - 6 November 2001 www.gridpp.ac.uk Old version of website was maintained from Unix command line => needed (gsi)ssh access.

Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
WP4 Gridification Subsystem overlap & existing systems for Gridification Task: David Groep

WP4 Gridification Subsystem overlap & existing systems for Gridification Task: David Groep

Similar presentations

Ads by Google