HellasGrid CA & euGridPMA

Presentation transcript:

HellasGrid CA & euGridPMA
EGEE 3rd Parties Induction Course, May 28, 2004 - Demokritos, Athens
Kanellopoulos Christos (skanct@physics.auth.gr), HellasGrid CA Manager

PKI and Grids
The primary needs for a grid security infrastructure are:
- Secure communication (authenticated and perhaps confidential) between the grid elements
- Support for security across organizational boundaries
- Single Sign On, including delegation of credentials
The central concept in GSI authentication is the Certification Authority and the Certificate.

Grid Certificate
- Is encoded in the X.509 certificate format
- Includes 4 primary pieces of information:
  - A subject name
  - The public key
  - The identity of the CA
  - The digital signature of the named CA
- Is nothing more than a "passport"
Important: The certificate is used only to authenticate (identify) entities on the Grid.

Grid CA
- The CA is a trusted 3rd party that is used to certify the link between the public key and the subject in the certificate
- Is usually a CA at national level
- Its purpose is to sign certificates for individuals who are to access Grid resources, hosts or services
- In order for a Grid CA to be accepted within the current Globus-based European infrastructure, it must first be accredited by the euGridPMA
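The two slides above (the four pieces of a Grid certificate, and the CA certifying the link between public key and subject) can be checked by hand with the openssl command line. This is an added example, not part of the original presentation: it assumes openssl is installed, and every name and key in it is a constructed throwaway rather than anything issued by HellasGrid.

```shell
#!/usr/bin/env bash
# Added example. All names and keys are constructed throwaways, not HellasGrid's.
set -eu
WORK=$(mktemp -d)

new_cert_request() {  # new_cert_request <basename> <subject>: key + CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
self_sign() {         # self_sign <basename> <subject>: key + self-signed cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
ca_sign() {           # ca_sign <basename>: the CA binds public key to subject
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial 1 -days 1 -out "$WORK/$1.pem" 2>/dev/null
}
cert_name() {         # cert_name <pem> <-subject|-issuer>, RFC 2253 order
  openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
key_pubkey()  { openssl pkey -in "$1" -pubout; }
signed_by_trusted_ca() {  # relying-party check against the trusted CA only
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

USER_DN="/C=GR/O=ExampleGrid/OU=example.org/CN=Demo User"
self_sign ca "/C=GR/O=ExampleGrid/CN=Example Demo CA"
new_cert_request user "$USER_DN"
ca_sign user
self_sign forged "$USER_DN"   # same subject name, but no CA signature

echo "subject:   $(cert_name "$WORK/user.pem" -subject)"
echo "issuer:    $(cert_name "$WORK/user.pem" -issuer)"
[ "$(cert_pubkey "$WORK/user.pem")" = "$(key_pubkey "$WORK/user.key")" ] \
  && echo "publickey: matches the user's private key"
for c in user forged; do
  if signed_by_trusted_ca "$WORK/$c.pem"; then echo "$c.pem: accepted"
  else echo "$c.pem: rejected"; fi
done
```

The forged certificate carries the same subject name as the real one, yet a relying party that trusts only the CA rejects it, because the subject name means nothing without the CA's signature over it.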

CACG and euGridPMA
CACG was established by the FP5 projects DataGrid & CrossGrid, and included other projects worldwide, out of the need to facilitate the deployment of international testbeds for Grid computing by having a commonly recognized way to assert identities.
The group was chartered to:
- Coordinate the CA infrastructure for CrossGrid and DataGrid
- Make recommendations to relying parties within the programs regarding the acceptance of the certificates issued by the participating CAs

euGridPMA
- 23 members from 22 different countries
- Evolution of CACG to a pan-European body of Grid CA managers, endorsed by the eIRG (thanks in large part to the efforts of GRNET)
The PMA is responsible to:
- Define and issue minimum requirements and best practice documents; these minimum requirements may govern any aspect of the certificate issuance
- Maintain and revise these documents
- Accredit authorities with respect to the minimum requirements
- Be primarily concerned with Grid communities in Europe and their external partners
- Foster trust relations for authentication purposes within the context of interorganizational resource sharing

HellasGrid CA (http://pki.physics.auth.gr/hellasgrid-ca - http://ca
- Was created during the 1st quarter of 2002
- In May 2002 started the procedure of acceptance by the CACG
- Acceptance in October 2002 after a 5 month review
- From the beginning the scope was to serve any grid projects within Greece in need of certificates
- Active participation in euGridPMA and GGF CA-Ops WG

HellasGrid Certificates
Entities involved in the certificate life cycle:
- CA: Certification Authority. Its purpose is to sign certificates, revoke certificates, renew certificates, issue CRLs, operate the repository, operate the CA web site, and maintain and revise the HellasGrid CP/CPS
- RA: Authenticate user requests (certificate requests, revocation requests, renewal requests), communicate directly with the user, forward authenticated requests to the CA, keep a log of each action taken
- End entities: Make certificate, renewal and revocation requests; accept and follow the CP/CPS guidelines

HellasGrid Certificate Issuance
Current situation: AUTH provides both the CA and the RA for the whole of Greece (the users communicate directly with the CA).
[Diagram labels: HellasGrid CA; CrossGrid user @ DEMO; CrossGrid user @ AUTH; EGEE user @ GRNET; GridLab user @ NTUA]

HellasGrid Certificate Issuance
The service has been operational for more than 2 years …
But there are drawbacks:
- A lot of bureaucracy is involved
- Does not scale!

Distributed RA scheme
- Create distributed RAs that will serve all the locations
- At least 1 area of: Crete, Patra, Aegean, Athens, Ioannina, Thessaloniki
- 1 RA at each Institute as user base grows
[Diagram labels: CA; Crete, Athens, Aegean; RA, RA, RA]

Distributed RA scheme
- Create distributed RAs that will serve all the locations
- At least 1 area of: Crete, Patra, Aegean, Athens, Ioannina, Thessaloniki
- 1 RA at each Institute as user base grows
[Diagram labels: CA; Helpdesk; Crete, Athens, Aegean; RA, RA, RA]

HellasGrid CA Changes
- Revise the CP/CPS to reflect the new structure
- Update the CA site to facilitate the need for secure CA-RA communications
- Set up mailing lists for:
  - Coordination of the RAs
  - End users

The End. Questions?