Identity Management Levels of Assurance WLCG GDB CERN, 8 Apr 2009 David Kelsey STFC/RAL david.kelsey AT stfc.ac.uk.

Introduction
I represent WLCG on the PMAs of the International Grid Trust Federation (IGTF)
  – A “relying party” member
  – Our needs should be taken into account
For years the various identity vetting and naming rules have been stable
Now new large-scale academic federations are being deployed
  – And there are new IGTF Authentication Profiles
We need to confirm or redefine the WLCG position on these matters
8 Apr 2009, Identity Management - D Kelsey (slide 2)

History
EU DataGrid CA Coordination Group
  – Started back in Dec 2000
No clear statement of identity assurance requirements (what quality was required)
  – We knew we had to meet the needs of many VOs and Sites (some with serious security needs)
  – Deliberately raised the “bar” fairly high
Min Requirements (V1 – March 2001) – was vague!
  – An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate, e.g. by personal contact or some other rigorous method

History (2)
“acceptable procedure” was gradually refined to be
  – Face-to-face identity vetting with valid government or official photo-ID (requestor to RA)
  – Some CAs (e.g. DOEGrids) had “trusted third parties” to do the vetting
      At that time, not properly described in text
      CA Coordination Group agreed it was acceptable

Classic CA – current profile (V4.2)
Traditional X.509 PKI Certification Authority
  – Issues long-lived (12 months) certificates
Identity rules
  – Uniqueness and Persistence
  – Any single subject distinguished name must be linked to one and only one entity
  – Over the entire lifetime of the CA it must not be linked to any other entity
      A single entity may have more than one associated subject name, e.g. for different key usages
  – IGTF ensures that the namespaces of the accredited CAs do not overlap (do not need to use the issuer name)

Classic CA (2)
Registration Authority (RA)
  – Responsible for identity vetting of all end-entities
      The subject should contact the RA face-to-face and present photo-ID and/or valid official documents showing that the subject is an acceptable end entity as defined in the CP/CPS document of the CA
The CA or RA should have documented evidence on retaining the same identity over time.
The CA is responsible for maintaining an archive of these records in an auditable form.

Classic CA (3)
Naming rule
  – If a commonName component is used as part of the subject DN, it should contain an appropriate presentation of the actual name of the end-entity
      This gives a so-called “warm and fuzzy” feeling to VO managers during user registration: a chance the person is who they claim to be.
Renewal
  – The CA or RA should have documented evidence on retaining the same identity over time
      Usually means keeping a copy of the photo-ID
  – Name persistence is very important

MICS CA
Member Integrated Credential Services (profile v1.0)
An automated CA that issues X.509 credentials to end entities based on an external primary source of identity
  – A federation or large organisation
  – With a well-established Identity Management System (e.g. Kerberos, Active Directory)
Credentials may be long-lived (1 year)
The end-entities possess and control their key pair and their activation data.
Certificates are aimed to be fully compatible with Classic certificates
  – Requirements on identity vetting and naming are the same as in the Classic profile
The CERN CA is a good example

SLCS CA
Short Lived Credential Service (profile V2.1)
An automated service
The SLCS CA translates credentials (usually authentication tokens) issued by a large site or federation into the X.509 format suitable for use on Grids
  – Intended for situations where identity tokens are available from an existing identity service that may not be suitable as the foundation for the creation of long-lived certificates
  – Legacy authentication and identity services may have uncertainties about revocation, or other management issues, that preclude translating them into long-term credentials
SLCS credentials have a lifetime of less than 1 Msec (one million seconds)

SLCS CA (2)
The profile currently requires uniqueness and persistence
  – Any single subject distinguished name (DN) in a certificate must be linked with one and only one entity for the whole lifetime of the service
  – Validation of the certificate request establishes the permanent binding between the end-entity, the registered owner, and the subject DN name
  – This is to ensure that the name, when subsequently reissued, refers to the same end-entity

SLCS CA (3)
Sufficient information must be recorded and archived such that the association of the entity and the subject DN can be confirmed at a later date
Qualifying IdMs must suspend or revoke authorization to use the service if the traceability to the person is lost. Suspension or revocation must last until identity is updated and confirmed according to IdM policies
No face-to-face identity vetting required
  – But…

SLCS CA (4)
The CP/CPS must describe:
  – How the identity (DN) assigned in the certificate is unique within the namespace of the issuer
  – How it attests to the validity of the identity
  – How the identity (DN) assigned in the certificate will never be re-issued to another end-entity during the entire lifetime of the CA
  – How it provides DN accountability, showing how they can verify enough identity information to trace back to the physical person for at least one year from the date of certification, and in keeping with audit retention requirements. In the event that documented traceability is lost, the DN must never be reissued
Warm and Fuzzy feeling still required!
  – commonName component should contain an appropriate presentation of the actual name of the end-entity.
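The Classic CA slides (uniqueness and persistence, one entity with several names, CN presenting the actual name, 12-month certificates) and the SLCS slides (same binding rules, suspension when traceability is lost, permanent retirement of a DN whose documented traceability is lost, lifetime under 1 Msec) describe rules that a CA's registration back end has to enforce at every issuance. The following registry is an added example written for this page, not IGTF, WLCG or any accredited CA's code; the slash-separated DN format, the RA identifiers, the sample names and the 365-day and 999,999-second caps used to encode "12 months" and "less than 1 Msec" are assumptions.

```python
"""Subject-DN registry for the uniqueness/persistence rules the Classic, MICS and
SLCS profiles share (added example, not IGTF or WLCG code): one DN is bound to one
entity for the CA's lifetime, never reissued to anyone else; one entity may hold
several DNs; a CN presents the actual name; a DN with lost traceability is retired."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Inclusive lifetime caps encoding the slides' figures (assumed values): Classic and
# MICS are long-lived (12 months / 1 year); SLCS is strictly less than 1,000,000 s.
MAX_LIFETIME = {
    "classic": timedelta(days=365),
    "mics": timedelta(days=365),
    "slcs": timedelta(seconds=999_999),
}

class PolicyViolation(Exception):
    """An issuance request would break a profile rule."""

@dataclass
class DNRecord:
    entity_id: str           # stable RA identifier of the vetted person (assumed)
    vetted_name: str         # actual name recorded at identity vetting
    suspended: bool = False  # IdM lost the link; cleared once identity is reconfirmed
    retired: bool = False    # documented traceability lost: never reissue

@dataclass
class Registry:
    profile: str
    namespace: str                               # DN prefix IGTF assigns to this CA
    records: dict = field(default_factory=dict)  # subject DN -> DNRecord

    def _check_name(self, dn: str, vetted_name: str) -> None:
        # Naming rule: a commonName, if present, must present the actual name.
        rdns = dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)
        cn = rdns.get("CN")
        if cn is not None and vetted_name.lower() not in cn.lower():
            raise PolicyViolation(f"CN {cn!r} does not present the vetted name {vetted_name!r}")

    def issue(self, dn: str, entity_id: str, vetted_name: str,
              lifetime: timedelta, now: datetime) -> dict:
        """Check a request against every rule and return the certificate fields."""
        if not dn.startswith(self.namespace):
            raise PolicyViolation(f"{dn!r} lies outside the CA namespace {self.namespace!r}")
        if lifetime > MAX_LIFETIME[self.profile]:
            raise PolicyViolation(f"lifetime {lifetime} exceeds the {self.profile} cap")
        self._check_name(dn, vetted_name)
        rec = self.records.get(dn)
        if rec is None:
            self.records[dn] = DNRecord(entity_id, vetted_name)  # binding is now permanent
        elif rec.retired:
            raise PolicyViolation(f"{dn!r} is retired and must never be reissued")
        elif rec.entity_id != entity_id:
            raise PolicyViolation(f"{dn!r} is already bound to another entity")
        elif rec.suspended:
            raise PolicyViolation(f"{dn!r} is suspended until identity is reconfirmed")
        return {"subject": dn, "entity": entity_id, "not_after": now + lifetime}

    def suspend(self, dn: str) -> None:      # traceability lost: no issuance until reconfirmed
        self.records[dn].suspended = True

    def reconfirm(self, dn: str) -> None:    # identity updated and confirmed per IdM policy
        self.records[dn].suspended = False

    def retire(self, dn: str) -> None:       # documented traceability lost for good
        self.records[dn].retired = True

    def dns_for(self, entity_id: str) -> list:  # one entity may hold several names
        return sorted(dn for dn, r in self.records.items() if r.entity_id == entity_id)

def _refused(reg: Registry, *request) -> bool:
    try:
        reg.issue(*request)
        return False
    except PolicyViolation:
        return True

def run_scenario() -> dict:
    """Exercise the rules on constructed data and report each outcome."""
    reg = Registry("slcs", "/DC=org/DC=example/")
    now, life = datetime(2009, 4, 8), timedelta(hours=11)
    alice = "/DC=org/DC=example/CN=Alice Example"
    alice_svc = "/DC=org/DC=example/OU=service/CN=Alice Example"  # second DN, same entity
    first = reg.issue(alice, "ra-001", "Alice Example", life, now)
    reg.issue(alice_svc, "ra-001", "Alice Example", life, now)
    out = {
        "not_after": first["not_after"],
        "names_of_alice": reg.dns_for("ra-001"),
        "renewal_refused": _refused(reg, alice, "ra-001", "Alice Example", life, now),
        "other_entity_refused": _refused(reg, alice, "ra-002", "Alice Example", life, now),
        "bad_cn_refused": _refused(reg, "/DC=org/DC=example/CN=jdoe42", "ra-003", "Jane Doe", life, now),
        "too_long_refused": _refused(reg, "/DC=org/DC=example/CN=Jane Doe", "ra-003", "Jane Doe", timedelta(days=30), now),
        "foreign_ns_refused": _refused(reg, "/DC=org/DC=other/CN=Jane Doe", "ra-003", "Jane Doe", life, now),
    }
    reg.suspend(alice)
    out["suspended_refused"] = _refused(reg, alice, "ra-001", "Alice Example", life, now)
    reg.reconfirm(alice)
    out["reconfirmed_ok"] = not _refused(reg, alice, "ra-001", "Alice Example", life, now)
    reg.retire(alice)
    out["retired_refused"] = _refused(reg, alice, "ra-001", "Alice Example", life, now)
    return out
```

Calling `run_scenario()` shows the two distinct states the SLCS text asks for: a suspension is reversible once the IdM reconfirms the person, whereas retirement after lost documented traceability is final, and a retired DN is refused even to the original holder, because the persistence guarantee is what VO membership is anchored on.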

IGTF SLCS CAs
WLCG/EGEE today trusts all IGTF accredited CAs
  – Classic, MICS and SLCS
There are a number of IGTF accredited SLCS CAs
  – FNAL KCA (awaiting operational review)
  – SWITCH CA (Shibboleth)
  – NERSC, NCSA, …
More on the way – large-scale federations
  – DFN, Nether-Nordic, …
Some are also out there but not accredited
  – UK Shibboleth CA (no warm and fuzzy name)

Academic AAI federations
Many (most?) NRENs are implementing a national Authentication and Authorisation Infrastructure (AAI)
  – A federated access service
  – Identity managed by home institutes (IdP)
  – Gives access to Service Providers (SP) anywhere in the federation
Some are based on Shibboleth (Internet2)
  – But there are other implementations
International interoperation is being coordinated by GÉANT, TERENA, etc – access to services anywhere
“eduroam” (wireless roaming): an early success story

Where are you from? Remote authentication
[Figure: remote-authentication flow between an IdP and an SP, example from SWITCH AAI]

Identity Schema
eduPerson (USA) and SCHAC (EU)
Attributes of interest to the IGTF world …
  – eduPersonPrincipalName (ePPN)
      But private information – IdPs usually refuse to release it
      IdP does not guarantee long-term persistence
  – eduPersonTargetedID (ePTID) (commonly used)
      A persistent, non-reassigned, privacy-preserving identifier for a principal shared between a pair of coordinating entities
  – auEduPersonSharedToken (Australian schema)
      An identifier enabling federation-spanning services such as Grid and Repositories
      Unique, opaque and persistent (displayName may be added)
      E.g. “John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk)”

Problems with Academic Federations and SLCS
Several AAI federations now want to implement an IGTF accredited SLCS CA (DFN, Nether-Nordic)
  – The CA is an AAI Service Provider
  – User authenticates in the normal AAI way
      Gets a short-lived certificate
IdP will not release ePPN
Could use ePTID (lots of federations would like this)
  – But opaque (and not long-term persistent)
There may be pressure on IGTF to relax the current rules on naming in the SLCS profile
  – How should WLCG respond to this?

Advantages of federated SLCS
There are many advantages to institutes managing the user’s identity
  – A natural place to manage identity (just once)
  – User authenticates to the SLCS CA in the same way as for other services
  – No additional RA checks
  – For large-scale Grid use, a good way of solving the scaling problems of the current Classic CAs
The academic federations are keen to support use of Grids

WLCG-IGTF requirements
What do WLCG VOs and Sites require?
My personal proposal – for discussion
Face-to-face identity vetting (or trusted third party)
  – This is still important for Classic and MICS
  – We still need it (is this true?)
      User has potential access to very large resources
  – SLCS has already relaxed this
      But there are other controls in the primary IdM system

WLCG requirements (2)
Persistence of subject DN
  – Essential that DN is not reissued to another person
      This is the anchor for VO membership
  – Medium-term persistence is therefore essential
      A few years
  – What about long-term? (e.g. re-use after 2 years of non-use of name)
  – My proposal is that we should still push for long-term persistence (lifetime of the CA service) (do you agree?)

WLCG requirements (3)
Appropriate presentation of real name in DN
  – I asked GDB before about this (a few years ago)
      Very strong feedback that this *is* needed
      Sites need real names in log files etc
      VOs need real name during user registration
  – This is of course what brings us all the data privacy problems with accounting data!
And EGI may wish to follow the Academic federations’ direction and use an opaque ID (ePTID)
Personally, I like the Australian shared token together with displayName “John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk)”
  – Do I have a mandate to push for this?
  – We could try to get this into SCHAC
  – And resist pressure to change the SLCS profile
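The Identity Schema slide, the "Problems with Academic Federations and SLCS" slide and the closing proposal all turn on one property of each attribute: ePPN is readable but withheld and not guaranteed persistent, ePTID is persistent but pairwise (a different value for every SP, so it cannot serve as a Grid-wide name), and a shared token is opaque, persistent and the same everywhere, so it can be paired with displayName in the certificate. The code below is an added example written for this page, not code from any federation, IdP product or the Australian schema; the keyed-hash construction of the opaque identifiers, the IdP secret, the user record and the SP entity IDs are constructed assumptions, and the Australian schema's own token algorithm is not specified in the slides.

```python
"""Federated identifiers and the proposed certificate name (added example, not
federation or IGTF code): ePPN, pairwise ePTID, a federation-wide shared token,
and a commonName carrying displayName plus token, as the closing slide proposes."""
import base64
import hashlib
import hmac

# Constructed IdP state. The secret is what keeps the opaque identifiers
# non-reversible; a real IdP would hold it in its attribute-resolver configuration.
IDP_SECRET = b"constructed-idp-secret-not-for-real-use"
USER = {"uid": "jcitizen", "scope": "example.edu", "displayName": "John Citizen"}

def eppn(user: dict) -> str:
    """eduPersonPrincipalName: readable and scoped, hence personal data IdPs usually
    refuse to release, and not guaranteed persistent (a renamed account changes it)."""
    return f"{user['uid']}@{user['scope']}"

def _opaque(*parts: str) -> str:
    """Keyed hash over the parts, URL-safe base64 without padding (illustrative)."""
    digest = hmac.new(IDP_SECRET, "|".join(parts).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def eptid(user: dict, sp_entity_id: str) -> str:
    """eduPersonTargetedID: persistent and privacy-preserving because it is pairwise,
    bound to one (IdP, SP) pair, so two SPs cannot match the same person on it."""
    return _opaque(user["uid"], sp_entity_id)

def shared_token(user: dict) -> str:
    """auEduPersonSharedToken-style identifier: opaque and persistent but identical for
    every SP, so federation-spanning services (Grid, repositories) can share it.
    Illustrative construction, not the Australian schema's algorithm."""
    return _opaque(user["uid"])

def common_name(user: dict) -> str:
    """The slide's proposal: displayName followed by the shared token, giving sites a
    real name for log files and VOs a non-reassigned anchor for membership."""
    return f"{user['displayName']} {shared_token(user)}"

def split_common_name(cn: str) -> tuple:
    """Recover (displayName, token) from a commonName built by common_name()."""
    name, _, token = cn.rpartition(" ")
    return name, token

def release(user: dict, sp_entity_id: str) -> dict:
    """Attributes the IdP releases to one SP; ePPN is withheld as private."""
    return {
        "displayName": user["displayName"],
        "eduPersonTargetedID": eptid(user, sp_entity_id),
        "auEduPersonSharedToken": shared_token(user),
    }

def correlatable(user: dict, sp_a: str, sp_b: str) -> dict:
    """Which released attributes let SP A and SP B recognise the same person."""
    a, b = release(user, sp_a), release(user, sp_b)
    return {key: a[key] == b[key] for key in a}

if __name__ == "__main__":
    sp_a, sp_b = "https://slcs-ca.example.org/sp", "https://wiki.example.org/sp"
    print("ePPN (not released):", eppn(USER))
    for sp in (sp_a, sp_b):
        print(sp, release(USER, sp))
    print("matchable across SPs:", correlatable(USER, sp_a, sp_b))
    print("proposed CN:", common_name(USER))
```

Running the module prints two attribute sets for the same person: the ePTID values differ between the SLCS CA and the wiki SP while the shared token is identical, which is exactly why an SLCS CA built on ePTID alone cannot produce a name that is stable across services, and why the proposal pairs displayName with the shared token instead.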