Jens' obligatory soap box Can't be a PMA without a SoapBox A random collection of Soapy things Nicosia, 26-28 Jan 2009.

1 Jens' obligatory soap box Can't be a PMA without a SoapBox A random collection of Soapy things Nicosia, 26-28 Jan 2009

2 Reviews
Review reviews
– Doesn’t quite work
– Operational consistency
– How to ensure and improve consistency
– Automation is better
– (Too much automation is dangerous)

3 Housekeeping
Web sites: locating repository obligations
Consistent interfaces for automated clients?
– Or at least URLs? (.info)
Cf. Jim’s talk
– Review certificates
– Review CP/CPS
– Locate support contact

4 Reviews
Maintaining reviews
– Policy (policies get updated)
– Operational
Use Template Policy framework
– Annotations
– Needs an interface
– Gets confusing?

5 “Reuse” of DN
What are all those DNs in the logs?
– Persons?
– Jobs?
– MyProxy proxies? Proxied proxies?
– Agent with central key or proxy
– Shared private keys?
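The slide asks what the DNs in a relying party's logs actually represent. As an added example (not from the slides or any project they mention), the code below separates the end-entity identity from the proxy chain and summarises usage per identity. It assumes the usual GSI conventions: legacy proxies append /CN=proxy or /CN=limited proxy, RFC 3820 proxies append /CN=<integer>, and host certificates carry /CN=host/<fqdn>; the log lines and DNs are constructed for the example.

```python
"""Added example, not from the slides: strip proxy components from Grid DNs
seen in logs, recover the end-entity identity, and summarise who used what.
Assumed conventions (GSI/RFC 3820): proxies append /CN=proxy, /CN=limited proxy
or /CN=<integer>; host certs carry /CN=host/<fqdn>. Log lines are constructed."""
import re
from dataclasses import dataclass

# Split only at a "/" that starts a new attribute (e.g. "/CN="), so that a
# value such as "CN=host/ce.example.org" stays one component.
RDN_SPLIT = re.compile(r"/(?=[A-Za-z]+=)")
PROXY_CN = re.compile(r"^CN=(proxy|limited proxy|\d+)$")


@dataclass(frozen=True)
class DnInfo:
    end_entity: str   # DN with all trailing proxy components removed
    proxy_depth: int  # how many proxy components were stripped
    limited: bool     # True if any stripped component was a limited proxy
    kind: str         # "host" or "user" (heuristic based on CN=host/...)


def classify_dn(dn: str) -> DnInfo:
    """Peel proxy components off the end of a DN and classify what is left."""
    parts = [p for p in RDN_SPLIT.split(dn) if p]
    depth, limited = 0, False
    while parts and PROXY_CN.match(parts[-1]):
        limited = limited or parts[-1] == "CN=limited proxy"
        parts.pop()
        depth += 1
    end_entity = "/" + "/".join(parts)
    kind = "host" if parts and parts[-1].startswith("CN=host/") else "user"
    return DnInfo(end_entity, depth, limited, kind)


# Constructed sample log lines: "<date> <time> <action> <DN>", DN is the last field.
SAMPLE_LOG = [
    "2009-01-26 10:00:01 accept /O=Grid/OU=example/CN=Alice Example/CN=proxy",
    "2009-01-26 10:00:05 accept /O=Grid/OU=example/CN=Alice Example/CN=proxy/CN=proxy",
    "2009-01-26 10:01:10 accept /O=Grid/OU=example/CN=Bob Example/CN=123456",
    "2009-01-26 10:02:00 accept /O=Grid/OU=example/CN=host/ce.example.org",
    "2009-01-26 10:03:00 accept /O=Grid/OU=example/CN=Alice Example/CN=limited proxy",
]


def summarise(lines):
    """Group log lines by end-entity identity: use count, deepest proxy chain
    seen, and how many uses were limited proxies."""
    summary = {}
    for line in lines:
        dn = line.split(" ", 3)[3]
        info = classify_dn(dn)
        entry = summary.setdefault(
            info.end_entity,
            {"kind": info.kind, "uses": 0, "max_depth": 0, "limited_uses": 0},
        )
        entry["uses"] += 1
        entry["max_depth"] = max(entry["max_depth"], info.proxy_depth)
        entry["limited_uses"] += int(info.limited)
    return summary


if __name__ == "__main__":
    for identity, entry in summarise(SAMPLE_LOG).items():
        print(f"{identity}: {entry}")
```

The numeric-CN rule is a heuristic: it is correct for RFC 3820 proxies but would misclassify an end-entity certificate whose CN is purely numeric, so check your CA's naming rules before relying on it in production.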

6 “Reuse” of credential
1. Activation of private key
– Key token, unencrypted (host), encrypted
2. Activation of MyProxy account
3. Intentional use of proxy
4. Proxy use of proxy
5. Unintentional use of proxy or private key
6. Intentional misuse of proxy or private key
– Host key, user key

7 Security
Strengthen security by weakening it
– Areas of investigation
– How to improve security
Campaign for enforcablier security
– Make it easier for RPs and opsecs

8 Example
Using MyProxy to manage credentials
– Single point of, er, something
Single sign-on
– Re-use of password
– But single password is better (in some ways)

9 Using Robots
Streaker security
Credential automated
– Can act on behalf of users, e.g., portal
– Can act independently
Are these different?

10 Using Robots
Robots have names
– Using robots for code signing doesn’t make sense
If acting on behalf of many users, meaningless?
People use host certificates
– Hosts can do everything people can do

11 Securitification
Communicating systems behaviour
– … to admins
Communicating user behaviour
– … to VOs?
What has a certificate done since it was (requested) revoked
– And subsequently successfully revoked

12 Recommendations
Work with RPs to improve operational security?
– Seems like a no-brainer
– But does mean revealing additional data
– And to whom, under which circumstances?
Which areas increase impact
– cf. RAT, OSCG et al.

13 Auth Profiles
Profile bashing
– Do they diverge or converge, or neither?
– Dimensions: ~six dimensional
Mixing and matching
– Automatic RAs?
– Where does the LoA W&F live?

14 Beyond Authentication?
To encrypt or not to encrypt
– Pro: already have PKI
– Con: certs expire; maintain CRL forever; no consistent way of locating keys (no keyservers)
Conclusion: NOT RECOMMENDED

15 Beyond Authentication
VOMS
– Other services where certificate is relevant
Object signing
– Who can have it
– What does it mean
Object signing:
– No way to define rights
– Except for robots! (or probots!!)

16 Back to Authentication
Service certificates
– Do we still need them?
– What does it mean?
– Who can have them?
– What services can we “issue”?
Document practices/recommendations

17 Issues for OGF
Back to Template CP/CPS
Beating the computer?
– How to remember your password?
What is a strong passphrase/word?
– How to specify
– How to check

18 Issues for OGF
Documenting deviations from PKIX
And those other aspects of 3647
– E.g., acceptance, suspension, modification
– RA management
Key validation
– All known key validation parameters
Personnel policies

19 Issues for OGF
Pinning down those practices?
– Like the re-keying question
– Template will help here, possibly
– But will alone not be sufficient
– Disaster recovery
Wildcard DNS
– (Not the Globus DNS wildcard!)

20 Software
Sufficient base for common software
– Allow local flavours
– Certificate management framework
Standards, standards, standards
– But which ones?

21 Dinner Discussion Topics
CRL cache
– Severance of undersea cable
– External CRL caches
– How to redirect clients
Chasing miscreants by CRL
– Or helping RPs and OCSPs etc.
– Use cases for “expired” CRLs
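The CRL-cache points on this slide (an unreachable distribution point after a cable cut, and what an “expired” CRL is still good for) come down to a refresh policy. As an added example that is not part of the slides or any project they name, the code below implements one such policy: a cached CRL stays usable for a bounded grace period after its nextUpdate when the fetch fails, a fetched CRL older than the cached one is never accepted, and a serial listed on even an out-of-date CRL is still reported as revoked while everything else fails closed. The issuer name, times, serials and the `link_down` fetcher are constructed for the example.

```python
"""Added example, not from the slides: a CRL cache refresh policy for the
case where the distribution point is unreachable. All names, times and
serial numbers below are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class CachedCrl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]


class CrlUnavailable(Exception):
    """Raised by the fetcher when the distribution point cannot be reached."""


def _fallback(cache: Optional[CachedCrl], now: datetime,
              grace: timedelta) -> Tuple[Optional[CachedCrl], str]:
    """What to use when a fresh CRL could not be obtained."""
    if cache is None:
        return None, "unavailable"
    if now <= cache.next_update + grace:
        return cache, "stale-within-grace"   # worth a warning in real code
    return cache, "expired"


def refresh_crl(cache: Optional[CachedCrl], fetch: Callable[[], CachedCrl],
                now: datetime, grace: timedelta) -> Tuple[Optional[CachedCrl], str]:
    """Return the CRL to use and a status describing its freshness."""
    if cache is not None and now <= cache.next_update:
        return cache, "fresh"
    try:
        fresh = fetch()
    except CrlUnavailable:
        return _fallback(cache, now, grace)
    # Never let a fetched CRL roll the cache back to an older issue.
    if cache is not None and fresh.this_update < cache.this_update:
        return _fallback(cache, now, grace)
    return fresh, "refreshed"


def check_serial(serial: int, crl: Optional[CachedCrl], status: str) -> str:
    """'revoked', 'good' (usable CRL, not listed) or 'unknown' (fail closed)."""
    if crl is not None and serial in crl.revoked_serials:
        # Apart from certificateHold, an entry stays on the CRL until the
        # certificate expires, so an out-of-date CRL still identifies it.
        return "revoked"
    if status in ("fresh", "refreshed", "stale-within-grace"):
        return "good"
    return "unknown"


# Constructed reference data for the demonstration.
T0 = datetime(2009, 1, 26, 12, 0)
GRACE = timedelta(hours=6)
OLD_CRL = CachedCrl("CN=Example CA", T0 - timedelta(days=1), T0, frozenset({0x1001}))
NEW_CRL = CachedCrl("CN=Example CA", T0, T0 + timedelta(days=1), frozenset({0x1001, 0x3003}))


def link_down() -> CachedCrl:
    raise CrlUnavailable("distribution point unreachable")


def demo() -> dict:
    """Run the policy through the interesting cases and return the outcomes."""
    out = {}
    crl, st = refresh_crl(OLD_CRL, link_down, T0 + timedelta(hours=1), GRACE)
    out["within_grace"] = (st, check_serial(0x1001, crl, st), check_serial(0x2002, crl, st))
    crl, st = refresh_crl(OLD_CRL, link_down, T0 + timedelta(hours=7), GRACE)
    out["past_grace"] = (st, check_serial(0x1001, crl, st), check_serial(0x2002, crl, st))
    crl, st = refresh_crl(OLD_CRL, lambda: NEW_CRL, T0 + timedelta(hours=1), GRACE)
    out["refreshed"] = (st, check_serial(0x3003, crl, st))
    crl, st = refresh_crl(NEW_CRL, lambda: OLD_CRL, T0 + timedelta(days=1, hours=1), GRACE)
    out["older_rejected"] = (st, crl is NEW_CRL)
    crl, st = refresh_crl(None, link_down, T0, GRACE)
    out["no_cache"] = (st, check_serial(0x1001, crl, st))
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The grace window is the policy knob the slide's “how to redirect clients” question would otherwise be answered with: a long window keeps sites running through an outage at the cost of accepting certificates revoked during it, so it should be set per relying party and logged whenever it is used.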

22 Conclusion
The case for more automation
– Humans do too many machine things
The case for less automation
– Machines do human things
– For once, try to do it properly

23 Conclusion
This is no time for complacency
Many things still not on top of other things
The case for Template Policy to the rescue™

24 Conclusion
More work…?
Many things could be improved with better text, descriptions
Make little working groups working on work needed to make work work

