
Establishing Identity in EGI: the authentication trust fabric of the IGTF and EUGridPMA

Presentation transcript:

1 Establishing Identity in EGI: the authentication trust fabric of the IGTF and EUGridPMA
David Groep, FOM-Nikhef and NL-NGI, for EGI global task O-E-15
This work is supported by EGI-InSPIRE under NA2 (EGI-InSPIRE RI-261323, www.egi.eu)

2 Roles of authentication
EUGridPMA and IGTF (the International Grid Trust Federation) are about authentication, i.e. establishing identity.
Why do you need to establish identity?
– access control to resources and services
– incident management and auditing
– accounting, auditing, &c.
Here we focus on authenticating individuals: natural persons, but the same applies to hosts, services and software agents.
2010-11-25, Establishing identity in EGI

3 Access Control Points
Authentication
– each person has a globally unique name
– identification only: the name by itself grants nothing
– a person may hold more than one ID
Authorization
– based on the unique AuthN ID, grants or denies access
– several control points:
– VO: must be a member of the community, and may only work within the common AUP
– site: has a list of supported VOs, plus a ban list
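The two control points on this slide, as an added example that is not code from the presentation or from EGI: the caller has already authenticated a subject and holds only its unique name (the certificate subject DN); the VO check (membership, common AUP) and the site check (supported VO list, ban list) are then applied to that name. The DNs, VO names and the in-memory membership tables are constructed for illustration; in a real deployment the VO data comes from the VO's attribute service and the site data from local configuration.

```python
"""
Authorization on an authenticated unique ID at the VO and site control points.
Added example, not EGI code.  All identities and VOs below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class VO:
    name: str
    members: set            # unique AuthN IDs (certificate subject DNs)
    aup_accepted: set       # subset of members who accepted the community AUP


@dataclass
class Site:
    accepted_vos: set
    banned_ids: set = field(default_factory=set)


def decide(subject_dn, vo_name, vos, site):
    """Return (allowed, reason) for an already authenticated subject_dn.

    Order of checks: site ban list first (a banned identity gets no further),
    then the VO control point (membership, AUP), then the site's VO list.
    Every denial names the control point that refused, which is what
    incident handling and auditing need.
    """
    if subject_dn in site.banned_ids:
        return False, "site: identity is on the ban list"
    vo = vos.get(vo_name)
    if vo is None or subject_dn not in vo.members:
        return False, f"VO: {subject_dn} is not a member of {vo_name}"
    if subject_dn not in vo.aup_accepted:
        return False, f"VO: {subject_dn} has not accepted the {vo_name} AUP"
    if vo_name not in site.accepted_vos:
        return False, f"site: VO {vo_name} is not supported at this site"
    return True, f"site: {subject_dn} admitted via VO {vo_name}"


# Constructed sample data.  Alice holds two certificates, i.e. two unique IDs
# for one natural person: the "persons may have more than one ID" case.
ALICE_1 = "/DC=example/DC=org/CN=Alice Example"
ALICE_2 = "/DC=example/DC=net/CN=Alice Example"
BOB = "/DC=example/DC=org/CN=Bob Example"


def sample_vos():
    return {
        "atlas": VO("atlas", {ALICE_1, ALICE_2, BOB}, {ALICE_1, ALICE_2}),
        "cms": VO("cms", {ALICE_1}, {ALICE_1}),
    }


def sample_site():
    return Site(accepted_vos={"atlas"})


def ban_person(site, identities):
    """Ban every ID a person holds; banning one DN leaves the others usable."""
    site.banned_ids.update(identities)


if __name__ == "__main__":
    vos, site = sample_vos(), sample_site()
    for dn, vo in ((ALICE_1, "atlas"), (BOB, "atlas"), (ALICE_1, "cms")):
        print(decide(dn, vo, vos, site))
    site.banned_ids.add(ALICE_1)
    print(decide(ALICE_2, "atlas", vos, site))   # still admitted: second ID not banned
    ban_person(site, {ALICE_1, ALICE_2})
    print(decide(ALICE_2, "atlas", vos, site))
```

Bob authenticates fine but is refused by the VO because he never accepted the AUP, and Alice is refused for cms because the site does not support that VO: authentication establishes who is asking, nothing more. The last two calls show why a site ban list keyed on single DNs is weaker than it looks when a person holds several IDs.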

4 Coordinating identity: the trust fabric
Guaranteed uniqueness, authenticity and compliance with technical requirements for identity need coordination
– these guidelines constitute a (technical) policy
– the group responsible for setting and verifying them is thus a Policy Management Authority ('PMA')
This needs to work across many grids (across NGIs, EGI, OSG, LCG, DEISA/PRACE, TeraGrid, ...)
– user communities span multiple infrastructures
– so the coordination needs to be global as well

5 The EUGridPMA
The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body to establish requirements and best practices for grid identity providers, to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources.
The EUGridPMA itself does not provide identity assertions, but instead asserts that, within the scope of its charter, the assertions issued by the Accredited Authorities meet or exceed the relevant guidelines.
https://www.eugridpma.org/

6 EUGridPMA organisation
Established April 1st 2004 by founding members
– national identity authorities from the EU DataGrid and CrossGrid CA Coordination Group
– EGEE, DEISA, SEE-GRID, TERENA as relying parties
Today 46 members
– 5 cross-national relying parties (EGI, DEISA, OSG, TERENA, wLCG)
– 41 identity authorities ('CAs')
https://www.eugridpma.org/members/

7 EUGridPMA Activities
Establishing Authentication Guidelines
– technical policies defining minimum requirements that authorities must meet or exceed
– matched to the level of assurance (LoA) needed for the authorization decisions of the relying parties (resource centres, data owners, ...)
Reviewing compliance of new authorities with these guidelines
Periodic peer-reviewed re-assessments
Providing the technical source of 'trust anchors' for accredited authorities
– categorised by LoA, verified via the TERENA Academic CA Repository (TACAR)
https://www.eugridpma.org/guidelines/

8 Global coordination
International Grid Trust Federation (IGTF)
Three 'regionals': EUGridPMA, APGridPMA, TAGPMA
Strongly coordinated: accrediting to common standards
http://www.igtf.net/

9 Implementing the Acceptable CAs
EGI policy on Approved Authorities: all IGTF authorities compliant with the defined assurance level
Grid participants in EGI are expected to install all approved trust anchors
– in as far as allowed by site, organisational and national policies
– site, organisational and national policy take precedence
– report deviations to the EGI Security Officer, as per the general Grid Security Policy
Grid participants may install other trust anchors
– e.g. authorities for site or national training purposes
– local authorities or local translators (e.g. SARoNGS)
https://documents.egi.eu/document/83

10 EGI 'CA distribution'
EGI policy supported by technical infrastructure: the 'ca-policy-egi-core' package
– provided as a convenience service for sites/NGIs
– originated in EU DataGrid/LCG/EGEE as 'lcg-CA'
– a collection of trust anchor certificate files and metadata
– a re-distribution of the IGTF trust anchors
– packaged in Red Hat Package Manager (RPM) format
– provided, for as long as needed by the NGIs, via support (0.05 FTE) by EGI-InSPIRE under SA1
– but several sites and NGIs already build their own...

11 Trust & AuthN implications
Both adding trust anchors locally and sub-setting the trust anchors are compliant with standing EGI policy today
– when sub-setting: report to the security officer, since it leads to unmanaged exceptions in infrastructure operations
– sub-setting breaks intra- and inter-grid interoperability, so both the site and its users have to deal with the consequences
The effect of sub-setting trust anchors may not be what you would expect, due to
– jointness policy requirements for multi-grid affiliates
– the constituencies and scopes of identity providers in the IGTF and the underlying academic federations
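The policy on slides 9 to 11 asks a site to install every endorsed anchor, permits local additions, and wants sub-setting reported. The following audit, an added example and not code from the presentation, EGI or the IGTF, compares what a site has installed with the distribution's metadata and reports exactly those cases, plus an anchor whose certificate file does not match the published fingerprint. It assumes the IGTF distribution layout in which each authority ships an <alias>.info file of 'key = value' lines (among them 'status' and 'sha1fp.0', the SHA-1 fingerprint of the DER certificate) and the site keeps PEM trust anchors in a directory such as /etc/grid-security/certificates. The set of accepted status values, the .info files and the certificates here are all constructed in memory so the audit runs offline; the PEM blobs are not real X.509 certificates, only their fingerprints matter.

```python
"""
Audit installed trust anchors against IGTF-style .info metadata.
Added example, not EGI/IGTF code.  Sample .info files and PEM blobs are constructed.
"""
import base64
import hashlib
import re

# Profiles this example treats as endorsed.  Assumption: the real set is
# defined by the EGI 'Approved Authorities' policy, not by this script.
ACCEPTED_STATUS = {"accredited:classic", "accredited:mics", "accredited:slcs"}


def parse_info(text):
    """Parse one <alias>.info file ('key = value' lines, '#' comments) into a dict."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"')
    return info


def pem_sha1_fingerprint(pem):
    """SHA-1 fingerprint 'AA:BB:...' over the DER bytes inside one PEM certificate."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if match is None:
        raise ValueError("not a PEM certificate")
    der = base64.b64decode("".join(match.group(1).split()))
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit(distribution, installed):
    """distribution: {alias: parsed .info}; installed: {alias: PEM text}.
    Returns the four findings a site should act on or report."""
    endorsed = {a for a, i in distribution.items() if i.get("status") in ACCEPTED_STATUS}
    present = set(installed)
    findings = {
        # endorsed anchors the site left out: sub-setting, report to the security officer
        "missing": sorted(endorsed - present),
        # anchors not in the distribution at all: local additions, permitted by policy
        "extra": sorted(present - set(distribution)),
        # distributed but not endorsed at the required assurance level
        "not_endorsed": sorted((present & set(distribution)) - endorsed),
        # endorsed anchor installed, but the file is not the published certificate
        "fingerprint_mismatch": [],
    }
    for alias in sorted(present & endorsed):
        expected = distribution[alias].get("sha1fp.0", "").upper()
        if pem_sha1_fingerprint(installed[alias]) != expected:
            findings["fingerprint_mismatch"].append(alias)
    return findings


def constructed_pem(label):
    """Constructed stand-in for a CA certificate: deterministic bytes in PEM framing."""
    der = hashlib.sha256(label.encode()).digest() * 4
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


def sample_distribution():
    """Three constructed .info files: two endorsed profiles, one experimental."""
    def info(alias, status):
        return parse_info(f"""
# constructed {alias}.info
alias = {alias}
status = {status}
sha1fp.0 = {pem_sha1_fingerprint(constructed_pem(alias))}
subjectdn = "/DC=example/CN={alias}"
""")
    return {"CA-A": info("CA-A", "accredited:classic"),
            "CA-B": info("CA-B", "accredited:mics"),
            "CA-C": info("CA-C", "experimental")}


def sample_installed():
    """A site that sub-set the distribution (no CA-B), kept CA-C, added a local
    training CA, and has a CA-A file that is not the published certificate."""
    return {"CA-A": constructed_pem("CA-A-replaced"),
            "CA-C": constructed_pem("CA-C"),
            "TRAINING-CA": constructed_pem("TRAINING-CA")}


if __name__ == "__main__":
    for kind, aliases in audit(sample_distribution(), sample_installed()).items():
        print(f"{kind}: {aliases}")
```

To run it against a real installation, read each <alias>.info of the distribution into the first dict and each PEM file of the certificates directory into the second; the "missing" list is what the policy wants reported, "extra" is the permitted local-addition case, and a fingerprint mismatch on an endorsed anchor is worth treating as an incident rather than a packaging error. The distribution also carries per-authority namespace and signing-policy files, which this check does not inspect.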

12 Summary
Authentication
– is the basis for granting and denying access by VOs and resource centres
– does not grant any access rights in or by itself
– allows incident response and auditing of 'undesired access attempts'
EUGridPMA and IGTF provide
– a global authentication trust fabric across infrastructures,
– according to scoped technical security policies,
– based on many autonomous authentication authorities
Standing EGI security policies leverage the IGTF
– acknowledging site and national policy primacy
– sub-setting the endorsed set is unlikely to have the expected effect

13 Discussion

