Presentation is loading. Please wait.

Presentation is loading. Please wait.

IGTF, WLCG, EGI and SHA-2 (and RFC proxies) David Kelsey (STFC-RAL and WLCG) TAGPMA meeting, Panama City Aug 2012.

Published byFlora O’Neal’ Modified over 8 years ago

Similar presentations

Presentation on theme: "IGTF, WLCG, EGI and SHA-2 (and RFC proxies) David Kelsey (STFC-RAL and WLCG) TAGPMA meeting, Panama City Aug 2012."— Presentation transcript:

1 IGTF, WLCG, EGI and SHA-2 (and RFC proxies) David Kelsey (STFC-RAL and WLCG) TAGPMA meeting, Panama City Aug 2012

2 Overview SHA-2 at IGTF All Hands – Karlsruhe May 2012 WLCG status – And subsequent discussion EGI status IGTF ongoing Risk Analysis Many thanks to David Groep and Maarten Litmaath for most of the material Aug 2012SHA-2, TAGPMA2

3 SHA-2 @ IGTF All Hands May 2012 From David Groep’s summary of the meeting The SHA-1 risk assessment is ongoing (see later) Clear that, especially on the software and RP side, more testing needs to be done in order to estimate the risks of disrupting the infrastructure and the impact of moving to SHA-2 now However, the only real way of finding out which things break, is by actually doing it – moving early and having the software 'break' in Jan 2013 may in the long run cause less pain for the users than waiting until the last moment and then having to hurry – and be off-line for weeks on end while we try to reconstruct the trust fabric Aug 2012SHA-2, TAGPMA3

4 IGTF All Hands (2) Agreed action items for the CAs ALL IGTF CAs should have or get the capability of issuing SHA-2 based certificates All CAs MUST implement this a.s.a.p, and REPORT on the implementation of SHA-2 issuing capabilities by October 1, 2012 This implementation of SHA-2 should encompass BOTH end-entity certs AND CRLs CAs should schedule to start issuing SHA-2 based certs by January 1, 2013 (only if by December 2012 it is clear that everything will still break in more than one infrastructure may some CAs consider not moving) Aug 2012SHA-2, TAGPMA4

5 IGTF All Hands (3) There should be user explanatory documents describing the move to SHA-2 From Jan 2013 onwards, users SHOULD have the capability of requesting SHA-2 based certs from all CAs CAs MAY consider shortening the validity period for EECs that are still SHA-1 based after 1-1-2013, so that the sunset date for SHA-1 (March 2014) is maintained. This will also encourage users to move to SHA-2 Since software should accept at least SHA‐256 and SHA-512 out of the SHA-2 family of hashes - to ensure that will happen, some CAs should use SHA-256 and others SHA- 512, so there will and should be no IGTF guidance as to which one to choose Aug 2012SHA-2, TAGPMA5

6 IGTF All Hands (4) Action items for RPs the actual use of SHA-2 certs and CAs should be tested for every software release from now – EGI should do the certification and Staged Roll-out of their UMD 2.0 distribution with SHA-2 based certificates – The EGI RT ticket #3078 has been updated for this issue Jules Wolfrat will similarly collect this info from PRACE-RI and its software providers At least SHA-256 and SHA-512 should be tested There are 'test CAs' available for the certification process (e.g. the OpenID based one by NCSA which is already in the experimental IGTF distribution area) – there are several IGTF CAs that will be willing to issue dedicated test certs off their production instance Aug 2012SHA-2, TAGPMA6

7 WLCG status See following slides from Maarten Litmaath about WLCG situation SHA-2 and the move to use of RFC proxies Aug 2012SHA-2, TAGPMA7

8 Update on SHA-2 and RFC proxy support GDB 2012-07-11 Maarten Litmaath CERN

9 Reminder - the problem IGTF would like CAs to move from SHA-1 to SHA-2 signatures ASAP, to anticipate concerns about the long-term safety of the former – See https://twiki.grid.iu.edu/bin/view/Security/HashAlgorithmshttps://twiki.grid.iu.edu/bin/view/Security/HashAlgorithms For WLCG this currently implies using RFC proxies instead of the Globus legacy proxies in use today – See Jan GDB presentation for detailed explanation Switching to using the EMI Common Authentication Library (CANL) may help here: supports SHA-2 with legacy proxies – Will be investigated by the dCache team GSI based delegation not yet supported, should not be hard – Also BeStMan might use it then Maarten Litmaath (CERN)9

10 IGTF plans EUGridPMA/IGTF discussed the matter at various meetings – https://www.eugridpma.org/meetings/2012-01/summary.txt https://www.eugridpma.org/meetings/2012-01/summary.txt Quote: – “The date by which SHA-2 production certs may be issued will be NO LATER than January 2013 (and it is likely we will RECOMMEND CAs to move then, since it will take another 395 days to get rid of SHA-1 in a reasonable way)” That would give us 5 months to get ready for RFC and SHA-2 – Looks impossible, in particular now that this year’s LHC run will be extended a few months into 2013 ! Neither experiments nor sites will want to rock the boat … A Plan B would be desirable  read on … Maarten Litmaath (CERN)10

11 Current state of affairs There are various pieces of middleware and experiment-ware that need to be made ready for SHA-2 or RFC proxy support – SHA-2: dCache, BeStMan (RFC proxies already supported by these) – RFC: Argus, CREAM, WMS, DIRAC, … – Central EGI/OSG/… services – https://twiki.cern.ch/twiki/bin/view/LCG/RFCproxySHA2support https://twiki.cern.ch/twiki/bin/view/LCG/RFCproxySHA2support EGI Operations will help with the assessment All EMI-2 products (released May 21) should support RFC proxies – WMS not yet available – Very little uptake so far – Also SHA-2 should be supported, except for dCache – verified? It may be many weeks before the affected products can be endorsed by UMD for generic deployment on EGI sites – EMI-2 is a major release with many changes OSG did not report additional constraints for their MW Maarten Litmaath (CERN)11

12 Updated phases and milestones (1) 1. Deployment of SW supporting RFC proxies – Proxy usage: Legacy RFC  only in special tests SHA-2  only in special tests – SW supports: Legacy RFC  maybe SHA-2  maybe – Milestone: All deployed SW supports RFC proxies  summer 2013 ? – Additional goal: All deployed SW supports SHA-2, except dCache and BeStMan  summer 2013 ? Maarten Litmaath (CERN)12

13 Updated phases and milestones (2) 2. Switch to RFC proxies  summer 2013 ? 3. Upgrade dCache and BeStMan – Proxy usage: RFC SHA-2  only in special tests – SW supports: RFC SHA-2  maybe – Milestone: All deployed SW supports SHA-2  autumn 2013 ? 4. Introduce SHA-2 CAs  Jan 2014 ? – Plan B ?! Maarten Litmaath (CERN)13

14 Plan B proposal Introduce a new, short-lived WLCG catch-all CA – It would issue SHA-1 certificates to any WLCG member whose CA no longer supports SHA-1 for new certificates Name space “*” Users Hosts, services – Its own cert would be distributed in addition to the IGTF CAs As used to be done for the FNAL KCA – Its lifetime would be 1 or 2 years, just to bridge the gap – It would need to be in place before Jan 2013 Unless IGTF shift their timeline – A significant effort … Our RFC and SHA-2 conversion efforts continue in parallel Maarten Litmaath (CERN)14

15 Discussion WLCG – EUGridPMA since 11 July 2012 Extension of WLCG running into 2013 – And then the data analysis and summer conferences Lots of concern about a WLCG Plan B – Non-unique names and clashes Lots of vetting to be done by WLCG – Risk to other EGI communities – EGI UMD 2.0 should be installed asap – Whatever happens we must work together and avoid a Plan B General agreement that the ability for users still to request SHA-1 certs during 2013 is essential Aug 2012SHA-2, TAGPMA15

16 EGI/WLCG Middleware releases gLite 3.2 – end of security support ranges from 30/4/12 to 31/10/12 depending on the component EMI 1 – end of security support 30/4/13 EMI 2 – first released 21/5/12 UMD 2.0 – the EGI middleware – rel. 2/7/12 – But no Workload Management UMD 2.1 – first with WMS – rel. 6/8/12 Aug 2012SHA-2, TAGPMA16

17 EGI and SHA-2 A document has been prepared (v1.1, Aug 2012) – https://documents.egi.eu/document/1291 https://documents.egi.eu/document/1291 EGI Action plan 1.SHA-2 readiness matrix (tech providers) 2.SHA-2 compliance validation (during provisioning) 3.Production testing of infrastructure (CSIRT) 4.Assessment of impact on Users (Portals, tools etc) Review after EUGridPMA Sep 2012 meeting Aug 2012SHA-2, TAGPMA17

18 IGTF SHA-1 risk assessment See slides shown by David Groep at the IGTF All Hands meeting (May 2012) A document (V0.3) came out of All Hands (link on All Hands agenda) several new elements were identified and added to the ToC We now need active contributors that write substantive elements of the actual risk assessment – in section 4, detailing the course of action for the IGTF and the CAs what will be done once SHA-1 is broken, and what actions do the CAs need to take? – in section 5, detailing the impact on the operational (grid) infrastructure which elements are likely to break when we (suddenly or scheduled) move to SHA-2, and how will RPs and subscribers be impacted? – in section 6 (new): which elements need to be tested beforehand? Aug 2012SHA-2, TAGPMA18

19 Discussion Aug 2012SHA-2, TAGPMA19

Download ppt "IGTF, WLCG, EGI and SHA-2 (and RFC proxies) David Kelsey (STFC-RAL and WLCG) TAGPMA meeting, Panama City Aug 2012."

Similar presentations

IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.

IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.
New VOMS servers campaign GDB, 8 th Oct 2014 Maarten Litmaath IT/SDC.

New VOMS servers campaign GDB, 8 th Oct 2014 Maarten Litmaath IT/SDC.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Unified Middleware Distribution (UMD): SW provisioning to EGI Mario David.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Unified Middleware Distribution (UMD): SW provisioning to EGI Mario David.
OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.

OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Future support of EGI services Tiziana Ferrari/EGI.eu Future support of EGI.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Future support of EGI services Tiziana Ferrari/EGI.eu Future support of EGI.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 12/21/2011.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 12/21/2011.
Rob Quick OSG Operations Area Coordinator Manager High Throughput Computing Indiana University Integrating OSG Operational Services Rob Quick OSG Operations.

Rob Quick OSG Operations Area Coordinator Manager High Throughput Computing Indiana University Integrating OSG Operational Services Rob Quick OSG Operations.
MW Readiness WG Update Andrea Manzi Maria Dimou Lionel Cons 10/12/2014.

MW Readiness WG Update Andrea Manzi Maria Dimou Lionel Cons 10/12/2014.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
6/23/2005 R. GARDNER OSG Baseline Services 1 OSG Baseline Services In my talk I’d like to discuss two questions:  What capabilities are we aiming for.

6/23/2005 R. GARDNER OSG Baseline Services 1 OSG Baseline Services In my talk I’d like to discuss two questions:  What capabilities are we aiming for.
HEPiX IPv6 Working Group David Kelsey GDB, CERN 11 Jan 2012.

HEPiX IPv6 Working Group David Kelsey GDB, CERN 11 Jan 2012.
Www.egi.eu EGI-InSPIRE RI-261323 EGI.eu European Grid Infrastructure www.egi.eu EGI-InSPIRE RI-261323 Credential Validation Middleware Requests compiling.

EGI-InSPIRE RI EGI.eu European Grid Infrastructure EGI-InSPIRE RI Credential Validation Middleware Requests compiling.
Status review and pending issues March 13, 2012 Oxford, UK David Groep, Nikhef, EUGridPMA, EGI and BiG Grid participation supported by IGE, the Initiative.

Status review and pending issues March 13, 2012 Oxford, UK David Groep, Nikhef, EUGridPMA, EGI and BiG Grid participation supported by IGE, the Initiative.
European Middleware Initiative (EMI) The Software Engineering Model Alberto Di Meglio (CERN) Interim Project Director.

European Middleware Initiative (EMI) The Software Engineering Model Alberto Di Meglio (CERN) Interim Project Director.
WLCG Technical Evolution Group: Operations and Tools Maria Girone & Jeff Templon Kick-off meeting, 24 th October 2011.

WLCG Technical Evolution Group: Operations and Tools Maria Girone & Jeff Templon Kick-off meeting, 24 th October 2011.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL

Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
Additional Services: Security and IPv6 David Kelsey STFC-RAL.

Additional Services: Security and IPv6 David Kelsey STFC-RAL.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 02/13/2012.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 02/13/2012.

Similar presentations

Ads by Google