EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA David Groep, FOM-Nikhef and NL-NGI for EGI global task O-E-15 This work is supported by EGI-InSPIRE under NA2

EGI-InSPIRE RI Roles of authentication EUGridPMA and IGTF – international grid trust federation – are about authentication, i.e. establishing identity. Why do you need to establish identity? Access control to resources and services Incident management and auditing Accounting, auditing, &c… Here we focus on authenticating individuals natural persons, hosts, services, software agents Establishing identity in EGI2

EGI-InSPIRE RI Access Control Points Establishing identity in EGI3 Authentication each person globally unique name only identification persons may have more than ID Authorization based on the unique AuthN ID grants or denies access several control points - VO must be member of community only work within common AUP - site has list of VOs + ban list

EGI-InSPIRE RI Coordinating identity: the trust fabric Guaranteed uniqueness, authenticity, compliance with technical requirements for identity needs coordination –these guidelines constitute a (technical) policy –the group responsible for setting and verifying these is thus a Policy Management Authority (‘PMA’) needs to work across many grids (across NGIs, EGI, OSG, LCG, DEISA/PRACE, TeraGrid,...) –user communities span multiple infrastructures –so the coordination needs to be global as well Establishing identity in EGI4

EGI-InSPIRE RI The EUGridPMA The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body to establish requirements and best practices for grid identity providers to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources. The EUGridPMA itself does not provide identity assertions, but instead asserts that - within the scope of its charter – the assertions issued by the Accredited Authorities meet or exceed the relevant guidelines Establishing identity in EGI5

EGI-InSPIRE RI EUGridPMA organisation Established April 1 st 2004 by founding members –national identity authorities from the EU DataGrid and CrossGrid CA Coordination Group –EGEE, DEISA, SEE-GRID, TERENA as relying parties Today 46 members –5 cross-national relying parties (EGI,DEISA,OSG,TERENA,wLCG) –41 identity authorities (“CAs”) Establishing identity in EGI6

EGI-InSPIRE RI EUGridPMA Activities Establishing Authentication Guidelines –technical policies defining minimum requirements that authorities must meet or exceed –matches the level of assurance (LoA) needed for the authorization decisions by the relying parties (resource centres, data owners,...) Reviewing compliance of new authorities with respect to these guidelines Periodic peer-reviewed re-assessments Provide technical source of ‘trust anchors’ for accredited authorities –categorised by LoA, verification via TERENA TACAR Establishing identity in EGI7

EGI-InSPIRE RI Global coordination International Grid Trust Federation – IGTF Three ‘regionals’ EUGridPMA, APGridPMA, TAGPMA Strongly coordinated: accrediting to common standards Establishing identity in EGI8

EGI-InSPIRE RI Implementing the Acceptable CAs EGI policy on Approved Authorities all IGTF Authorities compliant with defined assurance level Grid participants in EGI are supposed to install all approved trust anchors –in as far as allowed by site, organisational, national policies –site, organisational, national policy takes precedence –report deviations to the EGI Security Officer as per the general Grid Security Policy Grid participants may install other trust anchors –e.g. authorities for site or national training purposes –local authorities or local translators (e.g. SARoNGS) Establishing identity in EGI9

EGI-InSPIRE RI EGI ‘CA distribution’ EGI policy supported by technical infrastructure: the ‘ca-policy-egi-core’ package –provided as a convenience service for sites/NGIs –originated in EUDataGrid/LCG/EGEE as ‘lcg-CA’ –collection of trust anchor certificate files & metadata –a re-distribution of the IGTF trust anchors –packaged as RedHat Package Manager (RPM) –provided, for as long as needed by the NGIs, via support (0.05FTE) by EGI-InSPIRE under SA1 –but several sites and NGIs already build their own Establishing identity in EGI10

EGI-InSPIRE RI Both adding trust anchors locally and sub-setting trust anchors is compliant with standing EGI policy today –when sub-setting: report to security officer, since it leads to unmanaged exceptions in infra operations –breaks intra- and inter-grid interoperability – so both site and its users have to deal with consequences Effect of sub-setting trust anchors may not be what you would expect, due to –jointness policy requirements for multi-grid affiliates –constituencies & scopes of identity providers in the IGTF and underlying academic federations Trust & AuthN implications 11 2/17/2016 Establishing identity in EGI

EGI-InSPIRE RI Authentication –basis for granting and denying access by VOs and resource centres –does not grant any access rights in or by itself –allows incident response & auditing of ‘undesired access attempts’ EUGridPMA and IGTF provide –a global authentication trust fabric across infrastructures, –according to scoped technical security policies, –based on many autonomous authentication authorities Standing EGI security policies leverage the IGTF –acknowledges site and national policy primacy –and sub-setting the endorsed set unlikely to have the expected effect Summary 12 2/17/2016 Establishing identity in EGI

EGI-InSPIRE RI EGI EGI-InSPIRE RI Discussion 2/17/ Establishing identity in EGI