Slide 1: NRENs supporting Grids using current Grid technology
TERENA NREN-GRID Workshop, Amsterdam, 2005-10-17
Milan Sova, CESNET
Slide 2: Contents
● The technology
● NREN support for Grids
● Lessons learned
Slide 3: PKI-COORD
● not a real success for PKI
  – never achieved the PMA stage
  – root CA not acceptable, bridges too complicated
  – issuing user certificates is hard
  – no “killer application”
● concluded with “PKI is dead (again)”
  – at least for user authentication
Slide 4: Grid PKI
● running PKI demanded by Grid software
● initially a “small” community
● a concrete goal to run a Grid project
  – many CAs operated by national grid projects
Slide 5: Grid PKI characteristics
● Globus Toolkit 2.x (OpenSSL based)
● Entities identified by certificate Subject
● Dynamic hierarchies not supported
  – (no dynamic CRL download)
● Only a part of certificate content used
● Specific CN syntax + semantics (CN=ldap/ldap.host.domain)
Slide 6: EUGridPMA
● started as EU DataGrid CA group in 2001
● coordination of Grid PKI
● currently almost 40 CAs issuing end entity certificates from 3 continents
  – 4 of them provided by NRENs
    ● CESNET, SWITCH, DFN, NIIF, (SURFnet coming soon)
Slide 7: EUGridPMA architecture
● List of trusted CAs (no root, no bridges...)
● One CA per country, region, or international organization
● Namespace assignment for each CA
● Part of IGTF (International Grid Trust Federation)
● TACAR as trusted repository
● Maintainer of the Classic PKI Authentication Profile (aka “minimum requirements”)
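Two of the relying-party checks implied by slides 5 and 7, as an added example that is not part of the presentation: parsing the OpenSSL/Globus "oneline" subject DN (where the "/" separator also appears inside service-style CNs such as CN=ldap/ldap.host.domain) and verifying that the subject falls inside the namespace assigned to its CA. The namespace is modelled as a DN prefix, and all DN values are constructed sample data.

```python
import re

def parse_oneline_dn(dn):
    """Split '/C=CZ/O=CESNET/CN=ldap/ldap.host.domain' into [(attr, value), ...].
    '/' separates RDNs but also occurs inside service CNs, so a token that
    carries no '=' is re-joined to the previous value rather than treated as a
    new RDN (the classic pitfall of naive DN splitting in gridmap tooling)."""
    if not dn.startswith("/"):
        raise ValueError("oneline DN must start with '/'")
    rdns = []
    for token in dn[1:].split("/"):
        if "=" in token:
            attr, value = token.split("=", 1)
            rdns.append((attr, value))
        elif rdns:
            attr, value = rdns[-1]
            rdns[-1] = (attr, value + "/" + token)
        else:
            raise ValueError("DN component without attribute: %r" % token)
    return rdns

def classify_cn(cn):
    """Grid CN semantics: 'service/host.domain' names a service on a host,
    anything else is treated as a person (user certificate)."""
    m = re.fullmatch(r"([a-z][a-z0-9-]*)/([A-Za-z0-9.-]+)", cn)
    if m:
        service, host = m.groups()
        return ("service", service, host)
    return ("user", cn)

def in_namespace(subject_rdns, namespace_rdns):
    """Assumed rule for this example: the CA's assigned namespace is a DN
    prefix that must match the subject's leading RDNs exactly and in order."""
    return subject_rdns[:len(namespace_rdns)] == namespace_rdns

def check_subject(dn, ca_namespace):
    """Accept a subject only if it lies in the CA's namespace and has exactly
    one CN; on acceptance return what kind of entity the CN identifies."""
    rdns = parse_oneline_dn(dn)
    if not in_namespace(rdns, parse_oneline_dn(ca_namespace)):
        return ("reject", "subject outside CA namespace")
    cns = [v for a, v in rdns if a == "CN"]
    if len(cns) != 1:
        return ("reject", "expected exactly one CN")
    return ("accept", classify_cn(cns[0]))

if __name__ == "__main__":
    # Constructed sample: a service certificate issued under a CESNET-style namespace.
    print(check_subject("/C=CZ/O=CESNET/CN=ldap/ldap.host.domain", "/C=CZ/O=CESNET"))
```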
Slide 8: Classic PKI Authentication Profile
● CP, CPS
● Identity verification rules
● Operation (incl. certificate profile)
● Site security
● Requirements on repositories
● Audits
● Privacy and confidentiality
● Compromise and disaster recovery
Slide 9: EUGridPMA accreditation
● Accreditation Procedures
● CP/CPS review
● Self-auditing, peer auditing
● Personal presence at EUGridPMA meetings
Slide 10: New items
● OCSP
  – support for dynamic CA hierarchies
● Unification of CPs
  – OIDs for Authentication Profiles
  – One Statement Policies
● more information for RP
Slide 11: Grid CA operated by NREN
● need to follow Grid PKI requirements
  – some of them apply to other OpenSSL-based applications anyway
● possibility to influence Grid PKI
● requirements of “really relying” relying parties
● sharing experience among CAs => PKI testbed driven by users
Slide 12: Grid CA operated by NREN - benefits
● possibility for one PKI for both Grids and non-Grid applications
● ID management run by dedicated body
Slide 13: Beyond the classic PKI
● Short-lived certificates issued by SICS (site integrated certificate services)
● NRENs building AAI
  same goal – same infrastructure?
Slide 14: Lessons learned
● PKI is too complicated to succeed without demanding users
● PKI is too complicated to be run by non-dedicated bodies
● both Grid and non-Grid users can benefit from using common PKI
Slide 15: Lessons learned?
● AAI is too complicated to succeed without demanding users
● AAI is too complicated to be run by non-dedicated bodies
● both Grid and non-Grid users can benefit from using common AAI
Slide 16: References
● EUGridPMA http://eugridpma.org/
● IGTF http://www.gridpma.org/