Jens' obligatory soap box: Can't be a PMA without a SoapBox. A random collection of Soapy things. Nicosia, 26-28 Jan 2009.

Presentation transcript:


Reviews
Review reviews
– Doesn't quite work
– Operational consistency
– How to ensure and improve consistency
– Automation is better
– (Too much automation is dangerous)

Housekeeping
Web sites: locating repository obligations
Consistent interfaces for automated clients?
– Or at least URLs? (.info)
Cf. Jim's talk
– Review certificates
– Review CP/CPS
– Locate support contact

Reviews
Maintaining reviews
– Policy (policies get updated)
– Operational
Use Template Policy framework
– Annotations
– Needs an interface
– Gets confusing?

"Reuse" of DN
What are all those DNs in the logs?
– Persons?
– Jobs?
– MyProxy proxies? Proxied proxies?
– Agent with central key or proxy
– Shared private keys?

"Reuse" of credential
1. Activation of private key
– Key token, unencrypted (host), encrypted
2. Activation of MyProxy account
3. Intentional use of proxy
4. Proxy use of proxy
5. Unintentional use of proxy or private key
6. Intentional misuse of proxy or private key
– Host key, user key
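
The "what are all those DNs" question can be answered mechanically from an authentication log: strip the proxy components off each subject, count how deep the delegation chain goes, and sort the remaining end-entity names into persons, hosts and robots. The block below is an added example, not code from the slides or from any CA, Globus or MyProxy component. It assumes OpenSSL one-line DNs, the legacy Globus proxy CNs ("proxy", "limited proxy"), the RFC 3820 convention of a decimal serial number as the proxy CN, the "Robot:" CN prefix for robot certificates, a hostname-shaped CN for host certificates (a heuristic), and a constructed log format.

```python
"""Classify the subject DNs seen in an authentication log.

Assumptions (not from the original slides): DNs are in OpenSSL one-line form
("/C=UK/O=eScience/.../CN=name"); a proxy's subject is its issuer's subject
plus one extra CN that is "proxy", "limited proxy" (legacy Globus proxies) or a
decimal serial number (RFC 3820 proxies); robot certificates carry a CN starting
with "Robot:"; the log format below is constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample log (not a real gatekeeper or MyProxy log format).
SAMPLE_LOG = """\
2009-01-26T09:01:12Z auth ok job=17 subject="/C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens jensen"
2009-01-26T09:01:13Z auth ok job=18 subject="/C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens jensen/CN=proxy"
2009-01-26T09:02:40Z auth ok job=19 subject="/C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens jensen/CN=proxy/CN=proxy"
2009-01-26T09:03:05Z auth ok job=20 subject="/C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens jensen/CN=518231109"
2009-01-26T09:05:30Z auth ok job=21 subject="/DC=org/DC=example/CN=Robot: portal agent - jens jensen/CN=limited proxy"
2009-01-26T09:07:02Z auth ok job=22 subject="/C=UK/O=eScience/OU=CLRC/L=RAL/CN=host/ce01.example.org"
"""

LINE_RE = re.compile(r'job=(?P<job>\d+) subject="(?P<dn>[^"]+)"')
# Split on "/" only where an attribute type follows, so "CN=host/ce01..." survives intact.
RDN_SPLIT_RE = re.compile(r'/(?=[A-Za-z]+=)')
# Heuristic: a CN that looks like a hostname (optionally with the "host/" prefix).
HOSTNAME_RE = re.compile(r'^(host/)?[a-z0-9.-]+\.[a-z]{2,}$')


def split_dn(dn):
    """'/C=UK/CN=x' -> [('C', 'UK'), ('CN', 'x')]."""
    parts = [p for p in RDN_SPLIT_RE.split(dn) if p]
    return [tuple(p.split('=', 1)) for p in parts]


def proxy_kind(cn):
    """Return the proxy type a trailing CN denotes, or None if it is not a proxy CN."""
    if cn == 'proxy':
        return 'legacy'
    if cn == 'limited proxy':
        return 'legacy-limited'
    if cn.isdigit():  # RFC 3820 serial number (assumes no end entity has an all-digit CN)
        return 'rfc3820'
    return None


def classify(dn):
    """Strip proxy CNs and report the end entity underneath, with delegation depth."""
    rdns = split_dn(dn)
    kinds = []
    while len(rdns) > 1 and rdns[-1][0] == 'CN':
        kind = proxy_kind(rdns[-1][1])
        if kind is None:
            break
        kinds.append(kind)
        rdns.pop()
    kinds.reverse()  # list from the end entity outwards
    end_entity = '/' + '/'.join(f'{t}={v}' for t, v in rdns)
    cn = rdns[-1][1] if rdns[-1][0] == 'CN' else ''
    if cn.startswith('Robot:'):
        category = 'robot'
    elif HOSTNAME_RE.match(cn):
        category = 'host'
    else:
        category = 'person'
    return {'end_entity': end_entity, 'depth': len(kinds), 'kinds': kinds, 'category': category}


def summarize(log_text):
    """Per end entity: number of jobs, deepest delegation chain seen, category."""
    summary = defaultdict(lambda: {'jobs': 0, 'max_depth': 0, 'category': None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        info = classify(m.group('dn'))
        entry = summary[info['end_entity']]
        entry['jobs'] += 1
        entry['max_depth'] = max(entry['max_depth'], info['depth'])
        entry['category'] = info['category']
    return dict(summary)


if __name__ == '__main__':
    for ee, entry in summarize(SAMPLE_LOG).items():
        print(f"{entry['category']:6} jobs={entry['jobs']} max_depth={entry['max_depth']} {ee}")
```

The one question on the slide this cannot answer from the DN alone is "shared private keys?": two people using one key produce one end-entity name. Catching that needs a field the constructed log does not carry (client address or MyProxy account), correlated across jobs that run concurrently from unrelated places.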

Security
Strengthen security by weakening it
– Areas of investigation
– How to improve security
Campaign for enforcablier security
– Make it easier for RPs (relying parties) and opsecs

Example
Using MyProxy to manage credentials
– Single point of, er, something
Single sign-on
– Re-use of password
– But single password is better (in some ways)

Using Robots
Streaker security
Credential automated
– Can act on behalf of users, e.g., portal
– Can act independently
Are these different?

Using Robots
Robots have names
– Using robots for code signing doesn't make sense
If acting on behalf of many users, meaningless?
People use host certificates
– Hosts can do everything people can do

Securitification
Communicating systems behaviour
– … to admins
Communicating user behaviour
– … to VOs?
What has a certificate done since its revocation was requested?
– And after it was subsequently revoked

Recommendations
Work with RPs to improve operational security?
– Seems like a no-brainer
– But does mean revealing additional data
– And to whom, under which circumstances?
Which areas increase impact?
– cf. RAT → OSCG et al.

Auth Profiles
Profile bashing
– Do they diverge or converge, or neither?
– Dimensions: ~six dimensional
Mixing and matching
– Automatic RAs?
– Where does the LoA W&F live?

Beyond Authentication?
To encrypt or not to encrypt
– Pro: already have PKI
– Con: certs expire; maintain CRL forever; no consistent way of locating keys (no keyservers)
Conclusion: NOT RECOMMENDED

Beyond Authentication
VOMS
– Other services where certificate is relevant
Object signing
– Who can have it
– What does it mean
Object signing:
– No way to define rights
– Except for robots! (or probots!!)

Back to Authentication
Service certificates
– Do we still need them?
– What does it mean?
– Who can have them?
– What services can we "issue"?
Document practices/recommendations

Issues for OGF
Back to Template CP/CPS
Beating the computer?
– How to remember your password?
What is a strong passphrase/word?
– How to specify
– How to check
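
One way to make "how to specify" and "how to check" concrete enough for a CA enrolment page or a MyProxy upload hook: the policy as a small data object and a checker that reports every failed rule by code. This is an added example, not from the slides or from any CA's software. The entropy figure is a heuristic upper bound (character-class size for character passwords, a Diceware-sized wordlist for word phrases, scaled down when few distinct characters are used), and the COMMON set is a constructed stand-in for a real breached-password list.

```python
"""Specify a passphrase policy and check candidates against it.

Added example. estimate_entropy() is a heuristic upper bound, not a
measurement, and COMMON is a constructed stand-in for a breached-password list.
"""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PassphrasePolicy:
    min_length: int = 12           # characters, whatever the style
    min_entropy_bits: float = 50   # estimated by estimate_entropy()
    wordlist_size: int = 7776      # Diceware: 6**5 words


# Constructed stand-in for a breached-password / dictionary blacklist.
COMMON = frozenset({'password', 'qwerty', 'letmein', 'welcome', 'grid', 'certificate'})


def estimate_entropy(pw, wordlist_size=7776):
    """Heuristic upper bound on the guessing entropy of pw, in bits."""
    words = pw.split()
    if len(words) >= 3 and all(w.isalpha() for w in words):
        # Word-based phrase: an attacker guesses whole words, not characters.
        return len(words) * math.log2(wordlist_size)
    charset = 0
    if re.search(r'[a-z]', pw):
        charset += 26
    if re.search(r'[A-Z]', pw):
        charset += 26
    if re.search(r'[0-9]', pw):
        charset += 10
    if re.search(r'[^a-zA-Z0-9]', pw):
        charset += 33  # printable ASCII symbols
    if charset == 0:   # empty string
        return 0.0
    # Scale down when few distinct characters are used ("aaaaaaaa", "abcabcabc").
    return len(pw) * math.log2(charset) * (len(set(pw)) / len(pw))


def check_passphrase(pw, policy=PassphrasePolicy()):
    """Return a list of (code, message) problems; an empty list means acceptable."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(('too-short', f'{len(pw)} characters, policy needs {policy.min_length}'))
    # "password123!" -> "password": strip the trailing digits/symbols people bolt on.
    base = re.sub(r'[0-9!@#$%^&*]+$', '', pw.lower())
    if base in COMMON or pw.lower() in COMMON:
        problems.append(('common', 'on the blacklist (possibly with trailing digits/symbols)'))
    bits = estimate_entropy(pw, policy.wordlist_size)
    if bits < policy.min_entropy_bits:
        problems.append(('low-entropy', f'about {bits:.0f} bits, policy needs {policy.min_entropy_bits}'))
    return problems


if __name__ == '__main__':
    for candidate in ('correct horse battery staple', 'Tr0ub4dor&3', 'password1234', 'aaaaaaaaaaaaaaaa'):
        print(repr(candidate), check_passphrase(candidate) or 'ok')
```

Returning codes rather than a yes/no lets the front end tell the user which rule failed, which is what "how to check" needs in practice; the policy object is what a CP/CPS "how to specify" paragraph would be transcribed into.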

Issues for OGF
Documenting deviations from PKIX
And those other aspects of RFC 3647
– E.g., acceptance, suspension, modification
– RA management
Key validation
– All known key validation parameters
Personnel policies
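
For the "all known key validation parameters" point, here is an added example (not from the slides or from any CA's code) of the checks an RA or CA can run on an RSA public key before signing: modulus size and parity, the public exponent, small factors, p equal to q, p close to q (a few rounds of Fermat's method), and a blacklist of known-weak moduli. The blacklist here is constructed; a real one would hold fingerprints such as the 2008 Debian OpenSSL weak keys. min_bits is a parameter so that the self-check can use small Mersenne primes instead of real 2048-bit keys.

```python
"""Public-key parameter checks on an RSA key submitted for certification.

Added example. Checks only what the public key exposes. The weak-key
blacklist is a constructed stand-in; min_bits is parameterised so the checks
can be exercised with small Mersenne primes.
"""
import hashlib
import math


def small_primes(limit):
    """Primes below limit, by sieve."""
    sieve = bytearray([1]) * limit
    sieve[0:2] = b'\x00\x00'
    for i in range(2, math.isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit, i)))
    return [i for i, is_p in enumerate(sieve) if is_p]


SMALL_PRIMES = small_primes(10_000)


def modulus_fingerprint(n):
    """SHA-1 of the big-endian modulus bytes: what a weak-key blacklist is indexed by."""
    return hashlib.sha1(n.to_bytes((n.bit_length() + 7) // 8, 'big')).hexdigest()


def fermat_factor(n, rounds=100):
    """Non-trivial factor of n if p and q are close enough for Fermat's method, else None."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(rounds):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            f = a - b
            return f if 1 < f < n else None
        a += 1
    return None


def check_rsa_public_key(n, e, min_bits=2048, weak_fingerprints=frozenset()):
    """Return a list of (code, detail) problems; an empty list means the key passes."""
    problems = []
    bits = n.bit_length()
    if bits < min_bits:
        problems.append(('short-modulus', f'{bits} bits, need at least {min_bits}'))
    if n % 2 == 0:
        problems.append(('even-modulus', 'n is even'))
    if e % 2 == 0:
        problems.append(('even-exponent', 'e must be odd'))
    if e < 65537:
        problems.append(('small-exponent', f'e={e}; policy requires e >= 65537'))
    if e >= n:
        problems.append(('exponent-too-large', 'e >= n'))
    r = math.isqrt(n)
    is_square = r * r == n
    if is_square:
        problems.append(('square-modulus', 'p == q'))
    for p in SMALL_PRIMES:
        if n % p == 0 and n != p:
            problems.append(('small-factor', f'{p} divides n'))
            break
    f = fermat_factor(n)
    if f is not None and not is_square:
        problems.append(('close-primes', f'Fermat factorisation found {f}'))
    if modulus_fingerprint(n) in weak_fingerprints:
        problems.append(('blacklisted', 'modulus on known-weak-key list'))
    return problems


if __name__ == '__main__':
    # Self-check with Mersenne primes 2**127-1 and 2**89-1 (216-bit modulus).
    n_ok = (2**127 - 1) * (2**89 - 1)
    print(check_rsa_public_key(n_ok, 65537, min_bits=200))        # []
    print(check_rsa_public_key(2**254 - 1, 65537, min_bits=200))  # small factor 3, close primes
```

These are the parameters a CP/CPS can state and a reviewer can verify; what the public key cannot reveal (the private exponent, whether the key was generated on the token, the RNG used) has to be covered by procedure, which is the "pinning down those practices" problem of the next slide.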

Issues for OGF
Pinning down those practices?
– Like the re-keying question
– Template will help here, possibly
– But will alone not be sufficient
– Disaster recovery
Wildcard DNS
– (Not the Globus DNS wildcard!)

Software
Sufficient base for common software
– Allow local flavours
– Certificate management framework
Standards, standards, standards
– But which ones?

Dinner Discussion Topics
CRL cache
– Severance of undersea cable
– External CRL caches
– How to redirect clients
Chasing miscreants by CRL
– Or helping RPs and OCSPs etc.
– Use cases for "expired" CRLs

Conclusion
The case for more automation
– Humans do too many machine things
The case for less automation
– Machines do human things → for once try to do it properly

Conclusion
This is no time for complacency
Many things still not on top of other things
The case for Template Policy to the rescue™

Conclusion
More work…?
Many things could be improved with better text, descriptions
Make little working groups working on work needed to make work work