EGEE is a project funded by the European Union under contract IST-2003-508833 Gap Analysis JRA3 12/7/2015 www.eu-egee.org.


1 EGEE is a project funded by the European Union under contract IST-2003-508833 Gap Analysis JRA3 12/7/2015 www.eu-egee.org

2 Architecture (non-complete)
[Diagram. Labels: Cred store, Proxy cert, AA service, delegation, VO policy, Audit, Site policy, Access control, Revocation, Trust anchors, Intrusion, process space, “sudo”]

3 What we have (UNIX native)
[Diagram. Labels: Cred store, Proxy cert, AA service, delegation, VO policy, Audit, Site policy, Access control, Revocation, Trust anchors, Intrusion, process space, “sudo”. Software shown: MyProxy, VOMS, EDG CRL scripts, ???, LCAS, GACL, gSoap, HTTPG, snort(*), GRAM + LCMAPS]
(*) Almost there

4 What we have (hosted)
[Diagram. Labels: Cred store, Proxy cert, AA service, delegation, VO policy, Audit, Site policy, Access control, Revocation, Trust anchors, Intrusion, process space, “sudo”. Software shown: MyProxy (client), ???, CAS, EDG AuthZ(*), Axis, various, SAML(*), XACML(*), GT, EDG Java, GRAM]
(*) Almost there

5 What we want (non-complete)
[Diagram. Labels: Cred store, Proxy cert, VOMS service, delegation, VO policy, Audit, Site policy, Access control, Revocation, Trust anchors, Intrusion, Policy based authZ, ???, Provisioning]

6 Configuration issues
Many different policy configuration languages…
  - EDG Java AuthZ, LCAS, GACL, XACML …
  - No single solution adequate for all scenarios (coarse-grained, fine-grained, combination)
We need to combine them!
  - XACML is best suited to handle policy arbitration, but you don’t want to code in it (ugly)
  - Sun has a full (and free) Java implementation, performance issues?
Whatever we use, make sure they all can be mapped into a common form (XACML?)
  - Allows for rule combinations from different authorities
  - Local site policy always overrules
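An added example (not from the original slides) of the last point on this slide: rules from different authorities mapped into one common form and combined so that the local site policy overrules the VO's. The rule schema, the attribute strings and the reading of "overrules" (any applicable site decision wins, otherwise deny-overrides with default deny) are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"


@dataclass(frozen=True)
class Rule:
    """Common form each source policy is mapped into (hypothetical schema)."""
    authority: str    # "site", or the name of the VO that issued the rule
    subject: str      # user DN or VO group path; "*" matches anyone
    action: str       # e.g. "read", "submit"; "*" matches any action
    effect: Decision


def covers(subject, attr):
    # Exact match, or attr lies below subject in the group hierarchy.
    return subject == "*" or attr == subject or attr.startswith(subject + "/")


def deny_overrides(rules, attrs, action):
    """Combine one set of rules: any matching Deny beats any Permit."""
    hits = {r.effect for r in rules
            if r.action in ("*", action) and any(covers(r.subject, a) for a in attrs)}
    if Decision.DENY in hits:
        return Decision.DENY
    return Decision.PERMIT if Decision.PERMIT in hits else Decision.NOT_APPLICABLE


def decide(rules, attrs, action):
    """Site decision wins whenever the site has one; otherwise the other
    authorities are combined with deny-overrides, defaulting to Deny."""
    site = deny_overrides([r for r in rules if r.authority == "site"], attrs, action)
    if site is not Decision.NOT_APPLICABLE:
        return site
    rest = deny_overrides([r for r in rules if r.authority != "site"], attrs, action)
    return Decision.PERMIT if rest is Decision.PERMIT else Decision.DENY


# Constructed sample rules: two from a VO, one from the local site.
RULES = [
    Rule("vo:examplevo", "/examplevo/prod", "submit", Decision.PERMIT),
    Rule("vo:examplevo", "/examplevo", "read", Decision.PERMIT),
    Rule("site", "/C=XX/O=Example/CN=Banned User", "*", Decision.DENY),
]
```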

7 Provisioning (2-year effort)
Many CA certs to keep track of, new ones are added
CRLs get outdated
Much of this stuff is only understood by experts
Provision user with this type of configuration at login
  - Similar ideas elsewhere, should be able to collaborate on this

8 Transport
SOAP over HTTP (message level security)
  - Flexible (integrity vs. encryption)
  - Standard (WS-Security spec)
  - Enables routing and endpoint trust
  - Issue: performance penalty in Java (slowdown due to xmlsec.jar)
  - Issue: replay attacks (dealt with in e.g. GT4)
SOAP over HTTPS (transport level security)
  - We know how to do it
  - Accepted by WS-I
  - Issue: TLS needs mods due to proxy certs
  - Issue: no endpoint trust (trust server, not service)
WHAT ARE OUR PERFORMANCE TARGETS?
TLS MODS ARE INVASIVE

9 Delegation
Separate delegation WSDL portType
  - Orthogonality and zero cost for non-delegation services
  - Easy transition path from any chosen transport solution
  - Issue: Non-existing but prototype can quickly be conjured
  - Issue: Additional complexity in applications and clients for environments w/out operation provider solutions
Delegation in HTTPS headers
  - G-HTTPS (GSI)
  - SPNEGO over WWW-Authenticate (GSSAPI)

10 Delegation (cont.)
Delegation coupled with authentication (GSI)
  - We know how to do it, solutions exist
  - #1. SOAP over HTTPG
  - #2 GSI-SecureConversation (SOAP over HTTP)

11 Our recommendation
Transport #1: SOAP over HTTP and message-level security
  - Pending performance requirements of course…
Transport #2: SOAP over HTTPG
  - TLS impl needs to be patched anyhow, doesn’t matter if protocol is bent as well
Delegation #1: Delegation portType
Delegation #2: GSI-based delegation
  - 2.a: GSI-SecureConversation (if T.#1)
  - 2.b: SOAP over HTTPG (if T.#2)

12 But that won’t work with my browser…
It shouldn’t!
Use portal and standard TLS server certificates for end-user interaction

13 Software platform: Most leverage in the Java world
Many free third party products
  - SAML, XACML, XMLSec, Axis, GT
The gaps we need to fill are “our own”
  - GACL, VOMS, LCAS, …
Assuming Axis, we need to integrate with it
  - Work already underway with AuthZ framework in GT from KTH
  - EDG Java AuthZ as backup
Portability requirement way easier to fulfill
  - new java.io.File("/etc/grid-security").getAbsoluteFile() = C:\etc\grid-security
Performance may be an issue

14 In the C world…
gSOAP
  - Better performance
  - No WS-Security
  - GSI plugin (CERN or Italy) needed for HTTPG
Axis C++
  - Buggy still
  - Would avoid it at this point
Stability issues
  - A crash means a core dump

15 ONE MUST REMEMBER
In the end, we should settle on PROTOCOLS and SYNTAX, not on toolkits
But, above everything else, it is the available toolkits that control our choice

16 Other requirements
Encrypted storage
  - Higher-level service, on top of existing storage infrastructure
  - Secure and redundant storage of encryption keys (M-of-N)
Anonymity
  - Hard

17 Playing the Blame Game
[Diagram. Labels: Resource Allocations Committee, quota, VO V, “Members of V may consume my quota”, User A, !, User B, VO member]
Who to blame? A, B, V?

