
2nd APGrid PMA F2F Meeting, Osaka University Convention Center, October 15. Wireless LAN SSID: PRAGMA11, WEP key: PRAGMA11JAPAN.


1 2nd APGrid PMA F2F Meeting
Osaka University Convention Center, October 15
Wireless LAN SSID: PRAGMA11
WEP key: PRAGMA11JAPAN

2 Notes
This room is basically NO FOOD and NO DRINK, but drink can be overlooked.
We will have two coffee/tea breaks and a lunch break. Coffee/tea will be served in front of this room; lunch will be served in a different building.
The PRAGMA Welcome Reception will start at 6:30pm at Senri-Hankyu Hotel. The bus will depart from here at 17:18.
Agenda and materials are available on the web site at: http://www.apgridpma.org/meetings/index.html
Call for volunteers for taking minutes; native speakers are appreciated.

3 Recap of CA, PMA, and IGTF
2nd APGrid PMA F2F Meeting, Osaka University Convention Center, October 15
Yoshio Tanaka, APGrid PMA / IGTF Chair, AIST, Japan

4 Outline
History and status of the PMA and IGTF
Introduction of the APGrid PMA
  Activity
  Responsibility
  Obligation
Introduction of the IGTF
  Activity
  Responsibility
  Obligation
  Relationship with the PMA
Some notes for operating a certificate authority

5 Grid Security
GSI is based on X.509 certificates and PKI.
Most organizations are launching their own Certificate Authorities (CAs) for issuing end-entity certificates for users, hosts, and services.
Proxy Certificates (RFC 3820) are used for single sign-on and delegation.
A Virtual Organization (VO) is implemented by a federation of multiple security domains.

6 Grid Security (cont'd)
The most popular multi-domain PKI architecture (in Grid) is cross-recognition: independent CAs would somehow be licensed or audited by a mutually recognized trusted authority.
e.g. AIST trusts the KISTI CA operated by KISTI, Korea; KISTI trusts the AIST GRID CA operated by AIST.
[Figure: the globus CA surrounded by many independent CAs]

7 Status and challenges
Need AuthN and AuthZ federation within a VO, and between VOs.
AuthN federation: the foundation for building and experimenting with Grids; need to coordinate security (CA) policies.
AuthZ federation: still a grand challenge.
[Figure: groups of CAs under the EUGrid PMA, the APGrid PMA and the TAG PMA]
A regional PMA is responsible for coordination of security policies within the region. The three PMAs compose the IGTF.

8 Target: AuthN federation
Problems of authentication federations:
  All CAs should keep the same level of operation. How is the CA securely operated? Use an HSM? A dedicated CA room? ...
  All CAs should have no conflict in policy. How does the CA identify end entities? Face-to-face meeting? Telephone? Email? etc. ...
A Policy Management Authority (PMA) is a coordination body for CA policies and operations.

9 EUDG CACG was the pioneer
The EU DataGrid in 2000 needed a PKI for the test bed, for both end-user and service/host certificates.
CACG (actually David Kelsey) had the task of creating this PKI for Grid.
  Authentication only: no support for long-term encryption or digital signatures.
A single CA was not considered acceptable: a single point of attack or failure.
One CA per country, large region or international organization.
  A CA must have a strong relationship with its RAs.
  Some CAs pre-existed.
A single hierarchy would have excluded existing CAs and was not convenient to support with existing software.
A coordinated group of peer CAs was the most suitable choice.

10 EUDG CACG was the pioneer (cont'd)
December 2000: First CA coordination meeting for the DataGrid project.
March 2001: First version of the minimum requirements.
  5 CAs: France (CNRS), Portugal (LIP), Netherlands (NIKHEF), CERN, Italy (INFN), UK (UK eScience).
December 2002: Extension to other projects: EU-CrossGrid.

11 March 2003: The Tokyo Accord
... meet at GGF conferences ...
... work on ... a Grid Policy Management Authority: GRIDPMA.org
  develop Minimum requirements, based on EDG work
  develop a Grid Policy Management Authority Charter
[with] representatives from major Grid PMAs:
  European Data Grid and Cross Grid PMA: 16 countries, 19 organizations
  NCSA Alliance
  Grid Canada
  DOEGrids PMA
  NASA Information Power Grid
  TERENA
  Asian Pacific PMA: AIST, Japan; ASCC, Taiwan

12 Status of PMAs
Currently, there are three regional PMAs:
  EUGrid PMA (established May 2004). Former: EUDG WP6 CA Coordination Group (started in 2002).
  TAG PMA. Former: DOEGrid PMA (started in 2002).
  APGrid PMA (established June 2004). Unofficially started in 2003.
Each regional PMA is responsible for
  coordination of CA policy within the region
  coordination of CA policy with the other regional PMAs
The three PMAs are the founders of the International Grid Trust Federation (IGTF).

13 European Grid PMA
Green: countries with an accredited CA
  23 of 25 EU member states (all except LU, MT)
  + AM, CH, IL, IS, NO, PK, RU, TR, "SEE-catch-all"
Other accredited CAs:
  DoEGrids (.us)
  GridCanada (.ca)
  CERN
  ASGCC (.tw)*
  IHEP (.cn)*
* Migrated to APGridPMA per Oct 5th, 2005
Slide by courtesy of David Groep (EUGrid PMA chair)

14 The Americas Grid PMA
[Figure: map of TAGPMA CAs and relying parties. Names on the map: Argentina UNLP, Brazilian Grid CA, CANARIE, DOEGrids, EELA LA Catch all, ESnet/DOE Office Science, FNAL, Mexico UNAM, NCSA Classic SLCS, Purdue Univ., TeraGrid, REUNA Chilearn CA, TACC Root Classic SLCS, Venezuela, Univ. of Virginia, USHER, Dartmouth HEBCA, EELA, OSG, SDSC, SLCS, TeraGrid, THEGrid]
14 CAs, 7 Relying Parties (CA / RP)

15 Asia Pacific Grid PMA
A general Policy Management Authority in Asia Pacific: not specific to ApGrid, not specific to PRAGMA ...
Launched on June 1st, 2004.
Defines minimum CA requirements.
The APGrid PMA approved that we accept two levels of CA:
  Experimental-level CA: an alternative to the Globus CA; can be trusted within A-P communities.
  Production-level CA: strict management is necessary; expected to be trusted by international communities.
Two memberships:
  13 Ex officio members
  4 General members

16 Members (13 + 4)
9 Accredited CAs
  In operation: AIST (Japan), APAC (Australia), ASGCC (Taiwan), CNIC (China), IHEP (China), KEK (Japan), KISTI (Korea), NAREGI (Japan)
  Will be in operation: NCHC (Taiwan)
2 CAs under review: NECTEC (Thailand), NGO (Singapore)
1 CA will be ready for review soon: PRAGMA (USA)
Planning: ThaiGrid (Thailand)
General membership: Osaka U. (Japan), U. of Hong Kong (China), U. of Hyderabad (India), U. of Sains Malaysia (Malaysia)

17 History of IGTF activities
Continuous discussions between the AP, EU, and TAG PMAs for the International Grid Trust Federation:
  GGF12 and EUGrid PMA meeting@Brussels, September 2004
  GGF13@Seoul, March 2005
  EUGridPMA meeting@Tallinn, May 2005
  GGF14@Chicago, June 2005
  GGF15@Boston, Oct. 2005: IGTF was officially launched
  APGrid PMA F2F meeting@Beijing, Dec. 2005
  GGF16@Athens, Feb. 2006
  TAGPMA meeting@Rio, March 2006
  GGF17@Tokyo, May 2006
  EUGridPMA meeting@Budapest, May 2006
  TAGPMA@Ottawa, July 2006
  GGF18@DC, September 2006
  EUGridPMA meeting@Karlsruhe, September 2006
  APGridPMA meeting@Osaka, October 2006

18 Timeline
March 2005: IGTF Draft Federation Document, GGF13
July 27th: APGridPMA approved version 0.7
September 28th: EUGridPMA approved version 0.9
October 5th: TAGPMA approved version 1.0
October 5th: formal foundation of the IGTF
Slide by courtesy of David Groep (EUGrid PMA chair)

19 Agenda
IGTF Logo and style – Tony Genovese, LBNL/ESnet
Updates from regional PMAs (5 min)
  – APGrid PMA (Yoshio)
  – EUGrid PMA (David)
  – TAGPMA (Darcy)
Authentication Profiles
  – Member Integrated Credential Services AP (Tony) (10 min)
  – Classic AP Updates (David) (10 min)
  – Root Certificate AP (Yoshio) (5 min)
Profile change process (Yoshio) (5 min)
Business issues (Yoshio) (5 min)
  – Review of the mailing list
  – Distribution frequency
AOB

20 Scope of the APGrid PMA
Manage the PMA membership
Define the charter and minimum CA requirements
Publish related documents; maintain and revise the documents
Accredit authorities with respect to the minimum CA requirements
Coordinate auditing and re-certification of accredited authorities
Monitor member CA signing namespaces
Operate a secure collection point for information about accredited CAs
Be primarily concerned with Grid communities in Asia Pacific, and their external partners

21 APGrid PMA membership
General membership: Osaka U., U. HongKong, U. Hyderabad, USM. No voting rights, no obligation.
Ex officio membership: AIST, APAC, ASGCC, CNIC/SDG, IHEP, KEK, KISTI, NAREGI, NCHC, NECTEC, NGO, SDSC, Thai Grid. Voting right, and obligation to vote.

22 APGrid PMA responsibilities
CP/CPS: responsible for supporting and auditing the development and maintenance of the CP/CPS for CAs in Asia Pacific.
Other documents: Charter, Minimum CA requirements, Authentication Profiles.

23 APGrid PMA responsibilities (cont'd)
Accreditation Procedures
1. A prospective authority requests the PMA to be approved as a production-level CA.
2. The prospective authority sends the CP/CPS and the other related documents to the PMA.
3. The chair will ask two PMA members to review the CP/CPS in detail. All the other PMA members must review the CP/CPS as well.
4. If the first version has obvious inconsistencies, the chair may defer appointing the referees until the appropriate changes have been implemented.
5. After sufficient iteration the CP/CPS is considered ready for presentation at the meeting.
6. At the meeting, it should be presented in person to the PMA.
7. Based on the comments by the assigned reviewers and the discussion in the meeting, the prospective authority may either be approved immediately by the PMA, or this may be deferred until the recommended changes are implemented.

24 APGrid PMA responsibilities (cont'd)
Audit: APGrid PMA is doing external auditing. This is a unique activity, but the other two PMAs are interested in auditing.
Operation: Every CA must be responsible for its operation. The PMA is NOT an operation unit but a policy management authority.
Obligation: All PMA members are understood to represent the best interest of their national/regional communities and are expected to participate actively in the activities of the PMA.

25 General Architecture of the IGTF
Member PMAs are responsible for accrediting authorities.
The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers.
Each AP is assigned by the IGTF to a specific member PMA:
  Classic AP (EUGrid PMA)
  Short Lived Credential Services (SLCS) AP (TAGPMA)
  Member Integrated Credential Services (MICS) AP (TAGPMA)

26 General Architecture of the IGTF (cont'd)
Proposed changes to an AP will be circulated to all chairs of the IGTF member PMAs. All of the PMA chairs, after approval by their PMA, are required to endorse the proposed changes before the modified AP comes into effect.
Example: EUGridPMA proposed to change the Classic AP and approved it at their last meeting. APGrid PMA will review the proposed new Classic AP at this meeting.

27 General Architecture of the IGTF (cont'd)
Authorities accredited by a PMA are always subject to the policies and practices of a specific AP as decided by the accrediting PMA.
Any changes to the policy and practices of an authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.

28 Requirements for accredited authorities
Maintain at least one contact mechanism which must allow for un-moderated access to report problems and faults regarding the authority by the relying parties and the general public. This point of contact shall be made known to the accrediting PMA and the IGTF for subsequent re-publishing.
Must disclose to the accrediting PMA and to the general public its documented policies and practices.

29 Implementation of the federation
Each PMA maintains information on all accredited CAs:
  Root certificate
  CRL Distribution Point
  Point of contact
  Signing policy file
  Pointer to the CP/CPS
The information from all PMAs is packed into a single tarball/RPM and distributed as the IGTF CA distribution.
No hierarchies: all accredited CAs are included in a flat structure. Once you are accredited by the APGrid PMA, you are an IGTF-accredited CA.
The IGTF CA distribution is released every three weeks. David Groep will notify all member CAs of the plan for the new release and ask for reports of any updates. The distribution frequency is flexible.
The information is stored in the CVS repository maintained by the EUGrid PMA. Yoshio, Mason, and Darcy have accounts on the CVS server. If you have modified your CA cert, etc., please let me know.
The IGTF CA distribution is available from the EUGrid PMA web site and the APGrid PMA web site. APGrid PMA is planning to mirror the CVS server as well.
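The signing policy file shipped in the distribution and the namespace monitoring on slide 20 are where a relying party checks that a certificate's subject lies inside the namespace its CA was accredited for. The Python below is an added example, not code from these slides or from any PMA: it parses a Globus-style signing_policy file (a constructed sample; the access_id_CA / pos_rights / cond_subjects layout and shell-style wildcard matching via fnmatch are assumptions about that format), decides whether a subject DN is inside the permitted namespace, and also applies the RFC 3820 naming rule for the proxy certificates mentioned on slide 5 (the proxy's subject must equal the issuer's subject plus exactly one CN). All DNs are made up.

```python
import fnmatch
import shlex

# Constructed sample in the Globus signing_policy layout (assumed layout, made-up
# CA): the CA's own DN and the subject namespaces it is allowed to sign for.
SAMPLE_SIGNING_POLICY = """\
# Signing policy for the constructed Example Grid CA
access_id_CA   X509   '/C=XX/O=ExampleGrid/CN=Example Grid CA'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=XX/O=ExampleGrid/OU=Users/*" "/C=XX/O=ExampleGrid/OU=Hosts/*"'
"""


def parse_signing_policy(text):
    """Return (ca_dn, [subject patterns]) from signing_policy text.

    Only lines that begin with '#' are comments, so a '#' inside a quoted
    DN value is preserved.
    """
    ca_dn = None
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = shlex.split(line)          # honours the single-quoted values
        if len(fields) < 3:
            raise ValueError(f"malformed signing_policy line: {raw!r}")
        key, value = fields[0], fields[2]
        if key == 'access_id_CA':
            ca_dn = value
        elif key == 'cond_subjects':
            # the value is a space-separated list of double-quoted patterns
            patterns.extend(shlex.split(value))
    if ca_dn is None or not patterns:
        raise ValueError("signing_policy lacks access_id_CA or cond_subjects")
    return ca_dn, patterns


def subject_allowed(issuer_dn, subject_dn, policy_text):
    """True only if the policy speaks for issuer_dn and subject_dn matches a pattern."""
    ca_dn, patterns = parse_signing_policy(policy_text)
    if issuer_dn != ca_dn:
        return False   # a policy for another CA says nothing about this issuer
    return any(fnmatch.fnmatchcase(subject_dn, pat) for pat in patterns)


def split_dn(dn):
    """Split an OpenSSL one-line DN ('/C=XX/O=Org/CN=name') into RDN strings.

    Assumes RDN values contain no '/' (true for the constructed DNs here).
    """
    return [rdn for rdn in dn.split('/') if rdn]


def is_valid_proxy_subject(issuer_dn, proxy_subject_dn):
    """RFC 3820 naming rule: the proxy subject is the issuer subject with exactly
    one CN RDN appended (its value should be unique, e.g. a serial number)."""
    issuer = split_dn(issuer_dn)
    subject = split_dn(proxy_subject_dn)
    if len(subject) != len(issuer) + 1 or subject[:-1] != issuer:
        return False
    last = subject[-1]
    return last.startswith('CN=') and len(last) > len('CN=')


if __name__ == '__main__':
    ca = '/C=XX/O=ExampleGrid/CN=Example Grid CA'
    alice = '/C=XX/O=ExampleGrid/OU=Users/CN=Alice'
    print('Alice in namespace:', subject_allowed(ca, alice, SAMPLE_SIGNING_POLICY))
    print('Impersonating the CA name:', subject_allowed(ca, ca, SAMPLE_SIGNING_POLICY))
    print('Proxy naming ok:', is_valid_proxy_subject(alice, alice + '/CN=12345'))
```

The namespace check deliberately rejects a certificate whose subject equals the CA's own name, which is the case a flat, hierarchy-free distribution like the one described above has to catch, since nothing else prevents one accredited CA from issuing names that look like another member's.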

30 Implementation of the federation (cont'd)
The IGTF maintains mailing lists for announcements:
  IGTF: igtf-general@gridpma.org
  APGrid PMA: members@apgridpma.org
  EUGrid PMA: dg-eur-ca@services.cnrs.fr
  TAGPMA: tagpma-general@tagpma.org

31 Appendix: Issues to be considered for operating authorities
Read the authentication profile and minimum CA requirements carefully.
Design your CA (some of the issues that need to be considered):
  Applicability of issued certificates
  CA/RA responsibilities
  Identity validation process of end entities
Implementation:
  Structure of the CA: online or offline?
  Structure of the RA network
  Secure communication between RAs and the CA
  Web repository
  Archived logs
  Properties of CA, user, host and service certificates and private keys: certificate DNs, certificate extensions

32 Appendix: Issues to be considered for operating authorities (cont'd)
Draft the CP/CPS.
Implement and operate the CA; it MUST COMPLY with the CP/CPS.
The auditor is especially interested in:
  How the lifecycle of certificates is kept secure
  How a CSR is sent to the RA/CA
  Identity vetting (F2F)
  How the RA communicates with the CA
  How the CA signing machine is securely administered: hardware, operation, CA private key
  How the issued certificate will be sent to the end entity
  Are the archived logs enough to trace anything if something goes wrong?
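The audit questions above reduce to one test: do the archived logs let you reconstruct every step of a certificate's lifecycle, in the right order? The Python below is an added example, not tooling from the slides or from any PMA. It runs over a few constructed log lines in an assumed format (`<timestamp> <event> key=value ...`; the serial numbers, RA ids and names are made up) and reports, per serial number, which of the steps the auditor lists are missing or out of order: CSR received by the RA, face-to-face identity vetting, signing on the CA machine, and delivery to the end entity.

```python
from datetime import datetime

# Constructed sample log lines in an assumed format; every value is made up.
# serial 1001 has a complete trail, 1002 was signed without any vetting record,
# 1003 was signed before vetting and has no CSR or delivery record at all.
SAMPLE_LOG = """\
2006-10-02T09:12:00 CSR_RECEIVED serial=1001 subject=/C=XX/O=ExampleGrid/OU=Users/CN=Alice ra=ra01
2006-10-02T09:40:00 IDENTITY_VETTED serial=1001 method=F2F ra=ra01
2006-10-03T10:05:00 CERT_SIGNED serial=1001 operator=ca-op1
2006-10-03T10:20:00 CERT_DELIVERED serial=1001 channel=https
2006-10-04T11:00:00 CSR_RECEIVED serial=1002 subject=/C=XX/O=ExampleGrid/OU=Hosts/CN=node1 ra=ra02
2006-10-04T11:30:00 CERT_SIGNED serial=1002 operator=ca-op1
2006-10-04T11:45:00 CERT_DELIVERED serial=1002 channel=https
2006-10-05T08:00:00 CERT_SIGNED serial=1003 operator=ca-op2
2006-10-05T08:30:00 IDENTITY_VETTED serial=1003 method=F2F ra=ra01
"""

# The lifecycle steps the auditor wants to see, in the order they must occur.
REQUIRED_ORDER = ["CSR_RECEIVED", "IDENTITY_VETTED", "CERT_SIGNED", "CERT_DELIVERED"]


def parse_log(text):
    """Yield (timestamp, event, fields) for each non-empty line of the assumed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *rest = line.split()
        # split on the first '=' only, so DN values containing '=' survive intact
        fields = dict(item.split('=', 1) for item in rest)
        yield datetime.fromisoformat(ts), event, fields


def audit_issuance(text):
    """Return {serial: [findings]} for every serial whose trail is incomplete or out of order.

    Serials with a complete, correctly ordered trail do not appear in the result.
    """
    trails = {}
    for ts, event, fields in parse_log(text):
        serial = fields.get('serial')
        if serial is None:
            continue
        # keep the first occurrence of each step; a repeat is not a new step
        trails.setdefault(serial, {}).setdefault(event, ts)

    findings = {}
    for serial, events in sorted(trails.items()):
        problems = [f"missing {step}" for step in REQUIRED_ORDER if step not in events]
        # for each adjacent pair of steps that are both present, the later step
        # must not have been logged before the earlier one
        for earlier, later in zip(REQUIRED_ORDER, REQUIRED_ORDER[1:]):
            if earlier in events and later in events and events[later] < events[earlier]:
                problems.append(f"{later} before {earlier}")
        if problems:
            findings[serial] = problems
    return findings


if __name__ == '__main__':
    for serial, problems in audit_issuance(SAMPLE_LOG).items():
        print(serial, '->', '; '.join(problems))
```

Only the first occurrence of each event per serial is kept, so a second CERT_SIGNED line for the same serial does not hide an earlier one; a real audit would also want to flag such duplicates, which is a one-line extension of the same loop.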

33 Summary
You are a member of the APGrid PMA as well as the IGTF.
You have responsibilities as a member of the APGrid PMA and the IGTF.
Your CA must be operated appropriately and comply with its CP/CPS.
The PMA was developed through a grass-roots approach, but it has become a globally recognized organization.
Your contribution is necessary for the further development of the PMA and the IGTF.

