
International Grid Trust Federation Session GGF 19 Chapel Hill, NC, USA Thursday, Feb. 1 2007 CAOPS-WG session #1.


2 Agenda
Updates from regional PMAs (5 min)
– APGrid PMA (Yoshio)
– EUGrid PMA (David)
– TAGPMA (Darcy)
IGTF Key Registry and TACAR (20 min)
– Background (Yoshio)
– TACAR experiences (Licia)
Authentication Profiles
– Classic AP (David) (10 min)
– Member Integrated Credential Services AP (Darcy?) (10 min)
– Portal-based Credential Services AP (Yoshio) (10 min)
Levels of Assurance in certs (15 min)
– Report from the LoA BOF (Yoshio)
What exactly are Host/Service certificates? (Mike) (15 min)


4 IGTF Key Registry
Proposal by Mike
– Should we establish a registry of email certs (a key registry) for members/operators? Agree? How?
– Can we take advantage of Milan's key-ring?
– Can we borrow TACAR's efforts? Where?
See Licia's experience on TACAR



7 Reports from the LoA BOF
Date: Jan 31, 14:00-15:30
Participants: 18
Ning Zhang (Manchester Univ.) led the discussion.
Summary
– OGSA-AuthN WG: conveyance of LoA in AuthN protocols, consumption.
– CAOPS: CP/CPS guidance
– IGTF: defining the identity levels.
– LoA WG (new): criteria that go into LoA assessment & risk vs. gap
– Authors: MH – identification of the gaps between NIST and similar standards and grid usage of IDs and assertions
– Authors: MJ, NZ
– Use case gathering: MH
Co-chairs:
– Ming Zhang, Yoshio Tanaka

8 What's the next step?
To do: define the identity levels.
What should we do before the criteria document becomes available?
– Survey other definitions (NIST, etc.)?


10 Updates of the APGrid PMA OGF19 IGTF Yoshio Tanaka

11 Events since OGF18
F2F October 15th, in Osaka
Audit of KISTI CA (September)
IGTF CA distribution available from the APGrid PMA web site (mirror of the EUGrid PMA web site). http://www.apgridpma.org/distribution/

12 2nd APGrid PMA F2F Meeting
Date: October 15th
Place: Osaka, Japan
Participants: 26
Co-located with PRAGMA 11 Workshop

13 Agenda of the F2F meeting
09:00 - 09:15 Welcome (Shinji Shimojo)
09:15 - 09:45 Status Updates (All CAs)
09:45 - 10:30 Recap of PMA/IGTF (Yoshio Tanaka)
11:00 - 11:45 Accreditation (NECTEC GOC CA)
11:45 - 12:30 In Depth Report (KISTI Grid CA)
13:30 - 14:15 Invited Talk (Yasuo Okabe)
14:15 - 17:20 Open Discussions
– Procedures for Incident Response
– Grid Certificate Profile
– Classic Authentication Profile
– Short Lived Credential Services AP
– Member Integrated Credential Services AP

14 Highlights of the meeting
NECTEC GOC CA (Thailand) was accredited as an IGTF Classic compliant Certificate Authority.
Agreed that KISTI Grid CA will be removed from the list of accredited CAs due to some fundamental problems
– Yoshio reported the results of the audit
– Sangwan gave a presentation on how to improve their operation
– No concrete procedures or timeline were presented
– We decided to remove KISTI CA by voting; all members agreed
– Recommended to launch a new CA (re-accreditation is required).
Approved the proposed Classic AP version 4.1-b4 under two conditions
– “keyUsage of CA Cert. MUST be marked as critical”: “MUST” should be relaxed to “SHOULD”.
– Retention period of audit log
In PRAGMA WS
– Discussions on writing a new Authentication Profile appropriate for Portal architecture (e.g. GAMA, PURSE).
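The keyUsage condition discussed above is a property a relying party or PMA reviewer can check directly on a CA certificate. The following is an added example, not code from the slides or from any PMA's tooling: a minimal standard-library DER walk over a certificate's Extensions sequence that reports whether the keyUsage extension carries the critical flag. The two extension blobs are constructed here for illustration (keyUsage = keyCertSign | cRLSign) and are not taken from any real CA.

```python
# Added example: detect whether the X.509 keyUsage extension is marked
# critical, using only the Python standard library. Handles the DER
# structures that matter here (single-byte tags, short and long lengths).

KEY_USAGE_OID = bytes.fromhex("551d0f")  # DER content of OID 2.5.29.15

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (0x81, 0x82, ...)
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_extension(ext_der: bytes) -> dict:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    tag, body, _ = _read_tlv(ext_der, 0)
    assert tag == 0x30, "Extension must be a SEQUENCE"
    tag, oid, pos = _read_tlv(body, 0)
    assert tag == 0x06, "extnID must be an OBJECT IDENTIFIER"
    critical = False                       # DER omits the BOOLEAN when it equals the default
    tag, val, pos = _read_tlv(body, pos)
    if tag == 0x01:                        # BOOLEAN present: critical is explicitly set
        critical = val != b"\x00"
        tag, val, pos = _read_tlv(body, pos)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    return {"oid": oid, "critical": critical, "value": val}

def key_usage_is_critical(extensions_der: bytes):
    """Walk Extensions ::= SEQUENCE OF Extension.
    Returns True/False for keyUsage's critical flag, or None if keyUsage is absent."""
    tag, body, _ = _read_tlv(extensions_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    pos = 0
    while pos < len(body):
        _, _, nxt = _read_tlv(body, pos)
        ext = parse_extension(body[pos:nxt])
        if ext["oid"] == KEY_USAGE_OID:
            return ext["critical"]
        pos = nxt
    return None

# Constructed samples (not from a real CA): keyUsage BIT STRING 03 02 01 06
# encodes keyCertSign | cRLSign with one unused trailing bit.
KU_CRITICAL = bytes.fromhex("300e 0603 551d0f 0101ff 0404 03020106")
KU_NOT_CRITICAL = bytes.fromhex("300b 0603 551d0f 0404 03020106")
# Wrap each in the enclosing Extensions SEQUENCE as found in a certificate.
EXTS_OK = bytes([0x30, len(KU_CRITICAL)]) + KU_CRITICAL
EXTS_WEAK = bytes([0x30, len(KU_NOT_CRITICAL)]) + KU_NOT_CRITICAL
```

On a real certificate the Extensions sequence is the content of the [3] EXPLICIT tag at the end of TBSCertificate; the same walk applies once that slice is located.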

15 Members (13 + 4)
9 Accredited CAs
– In operation: AIST (Japan), APAC (Australia), ASGCC (Taiwan), CNIC (China), IHEP (China), KEK (Japan), NAREGI (Japan), NECTEC (Thailand)
– Will be in operation: NCHC (Taiwan)
1 CA under review: NGO (Singapore)
Will be re-accredited: KISTI (Korea)
Planning: PRAGMA (USA), ThaiGrid (Thailand)
General membership: Osaka U. (Japan), U. Hong Kong (China), U. Hyderabad (India), USM (Malaysia)

16 Portal-based Credential Services (tentative) Profile Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST

17 Motivation
There are many Grid projects which provide a portal-based user registration system (GEON Grid, Earth System Grid, etc.).
These portals issue certificates for users using credential management systems such as GAMA and PURSE, but there is no appropriate profile recognized by IGTF.
– The key pair is generated not at the client side but at the centralized server. Users do not need to take care of their certificates and private keys.
– The method of identity vetting can be flexible, but these portals are not doing strict vetting.
– They use an online CA without an HSM. Furthermore, some portals do not have a dedicated CA server.
– No CP/CPS.
…

18 Motivation (cont'd)
Some projects are going to collaborate with other projects. Need trust federation.
– PRAGMA is planning to develop a PRAGMA Grid portal which is a single entry point to various PRAGMA applications (e.g. bio, geo science, telescience, etc.).
My interest is to define an IGTF profile for portal-based credential services to classify their assurance level.

19 GAMA architecture (diagram)
Components shown: Portal server 1 and Portal server 2 (GridSphere in a servlet container, gridportlets, gama, Java keystore); GAMA server (CACL, MyProxy, CAS, AXIS Web Services wrapper in a servlet container, DB); stand-alone applications. Flows shown: create user, import user, retrieve credential.

20 PURSE (Portal-based User Registration Service)

21 Issues that need to be considered (1/2)
Key generation
– Not at the client's side but at the central server.
– The login password for the portal is used as the passphrase of the private key.
CA operational requirements
– Online, but may not use an HSM.
– The CA signing machine may not be a dedicated machine. PURSE runs the CA signing and MyProxy on the same machine.
Identity vetting
– GEON uses an email address as the source of identity.
– ESG requests users to provide information about their PI. But I could obtain a test account (and my certificate) on ESG by email verification. I could not see my certificate …
– Appropriate ID vetting may differ between projects. How can we define it in the profile?

22 Issues that need to be considered (2/2)
Lifetime of EE cert.
– Should depend on the identity vetting. If identity vetting is time consuming, it should be long-lived. Otherwise, it should be short-lived.
Revocation
– May not be necessary for short-lived certs.
Publication and repository
– Current portals do not provide information about the CA (CP/CPS, CA cert, CRL, etc.). These are completely hidden from users.
– These must be available as the first step of trust federation.
Probably more issues …

