www.egi.eu EGI-InSPIRE RI-261323
Establishing Identity in EGI
the authentication trust fabric of the IGTF and EUGridPMA
David Groep, FOM-Nikhef and NL-NGI, for EGI global task O-E-15
This work is supported by EGI-InSPIRE under NA2
Roles of authentication
EUGridPMA and IGTF (the International Grid Trust Federation) are about authentication, i.e. establishing identity.
Why do you need to establish identity?
• access control to resources and services
• incident management and auditing
• accounting, auditing, etc.
Here we focus on authenticating end entities:
• natural persons, hosts, services, software agents
2010-11-25 Establishing identity in EGI 2
Access Control Points
Authentication
• each person has a globally unique name
• identification only
• persons may have more than one ID

Authorization
• based on the unique AuthN ID
• grants or denies access
• several control points
  – VO: the user must be a member of the community and may only work within the common AUP
  – site: has a list of accepted VOs plus a ban list
Coordinating identity: the trust fabric
• Guaranteed uniqueness, authenticity and compliance with the technical requirements for identity need coordination
  – these guidelines constitute a (technical) policy
  – the group responsible for setting and verifying them is thus a Policy Management Authority (‘PMA’)
• The coordination needs to work across many grids (NGIs, EGI, OSG, LCG, DEISA/PRACE, TeraGrid, ...)
  – user communities span multiple infrastructures
  – so the coordination needs to be global as well
The EUGridPMA
The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body
• to establish requirements and best practices for grid identity providers
• to enable a common trust domain applicable to authentication of end entities in inter-organisational access to distributed resources.
The EUGridPMA itself does not provide identity assertions, but instead asserts that, within the scope of its charter, the assertions issued by the Accredited Authorities meet or exceed the relevant guidelines.
https://www.eugridpma.org/
EUGridPMA organisation
• Established April 1st 2004 by founding members
  – national identity authorities from the EU DataGrid and CrossGrid CA Coordination Group
  – EGEE, DEISA, SEE-GRID, TERENA as relying parties
• Today 46 members
  – 5 cross-national relying parties (EGI, DEISA, OSG, TERENA, wLCG)
  – 41 identity authorities (“CAs”)
https://www.eugridpma.org/members/
EUGridPMA Activities
• Establishing Authentication Guidelines
  – technical policies defining the minimum requirements that authorities must meet or exceed
  – matched to the level of assurance (LoA) needed for the authorization decisions by the relying parties (resource centres, data owners, ...)
• Reviewing compliance of new authorities with respect to these guidelines
• Periodic peer-reviewed re-assessments
• Providing the technical source of ‘trust anchors’ for accredited authorities
  – categorised by LoA, with verification via the TERENA Academic CA Repository (TACAR)
https://www.eugridpma.org/guidelines/
Global coordination
• International Grid Trust Federation – IGTF
• Three ‘regionals’ EUGridPMA, APGridPMA, TAGPMA
• Strongly coordinated: accrediting to common standards
http://www.igtf.net/
Implementing the Acceptable CAs
• EGI policy on Approved Authorities: all IGTF authorities compliant with the defined assurance level
• Grid participants in EGI are supposed to install all approved trust anchors
  – in as far as allowed by site, organisational and national policies
  – site, organisational and national policy takes precedence
  – report deviations to the EGI Security Officer, as per the general Grid Security Policy
• Grid participants may install other trust anchors
  – e.g. authorities for site or national training purposes
  – local authorities or local credential translators (e.g. SARoNGS)
https://documents.egi.eu/document/83
EGI ‘CA distribution’
• EGI policy supported by technical infrastructure: the ‘ca-policy-egi-core’ package
  – provided as a convenience service for sites/NGIs
  – originated in EUDataGrid/LCG/EGEE as ‘lcg-CA’
  – a collection of trust anchor certificate files and metadata
  – a re-distribution of the IGTF trust anchors
  – packaged as Red Hat Package Manager (RPM) packages
  – provided, for as long as needed by the NGIs, via support (0.05 FTE) by EGI-InSPIRE under SA1
  – but several sites and NGIs already build their own...
Trust & AuthN implications
• Both adding trust anchors locally and sub-setting the endorsed trust anchors are compliant with standing EGI policy today
  – when sub-setting: report to the security officer, since it leads to unmanaged exceptions in infrastructure operations
  – sub-setting breaks intra- and inter-grid interoperability, so both the site and its users have to deal with the consequences
• The effect of sub-setting trust anchors may not be what you would expect, due to
  – jointness policy requirements for multi-grid affiliates
  – the constituencies and scopes of identity providers in the IGTF and the underlying academic federations (an authority's user community need not match its country or organisation)
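The ‘trust anchors categorised by LoA’ of the EUGridPMA activities slide and the sub-setting effect described above, as an added example that is not part of the original presentation nor of the IGTF or EGI distribution tooling: a small Python script that reads IGTF-style `<hash>.info` and `<hash>.signing_policy` metadata, selects the anchors whose accreditation status matches a chosen set of assurance profiles, and then checks for a few (subject DN, issuer DN) pairs whether an installed anchor would validate them. The authorities, hashes, DNs and namespaces are constructed for the example; the `.info` field names and the EACL signing-policy lines follow the distribution formats as I know them, and glob matching of `cond_subjects` against the subject DN is an assumption about how a validator applies them.

```python
# Added example, not code from the presentation or the IGTF distribution.
# All authorities, hashes, DNs and namespaces are constructed; .info field
# names and EACL signing_policy lines follow the distribution formats as I
# know them, and glob matching of cond_subjects is an assumption.
import fnmatch
import shlex

# Constructed <hash>.info files as laid out in /etc/grid-security/certificates.
INFO_FILES = {
    "0a1b2c3d.info": 'alias = ExampleNL-Classic\nstatus = accredited:classic\n'
                     'subjectdn = "/C=NL/O=Example/CN=Example NL Classic CA"\n',
    "4e5f6a7b.info": 'alias = ExampleFed-Personal\nstatus = accredited:mics\n'
                     'subjectdn = "/DC=org/DC=examplefed/CN=ExampleFed Personal CA"\n',
    "8c9d0e1f.info": 'alias = OldTest-CA\nstatus = discontinued\n'
                     'subjectdn = "/C=NL/O=Example/CN=Example Test CA"\n',
}

# Constructed <hash>.signing_policy files (EACL format): access_id_CA names
# the issuer, cond_subjects the subject namespaces it may sign.
SIGNING_POLICIES = {
    "0a1b2c3d.signing_policy":
        "access_id_CA  X509  '/C=NL/O=Example/CN=Example NL Classic CA'\n"
        "pos_rights    globus CA:sign\n"
        "cond_subjects globus '\"/C=NL/O=Example/*\"'\n",
    "4e5f6a7b.signing_policy":
        "access_id_CA  X509  '/DC=org/DC=examplefed/CN=ExampleFed Personal CA'\n"
        "pos_rights    globus CA:sign\n"
        "cond_subjects globus '\"/DC=org/DC=examplefed/*\"'\n",
}

# Constructed (subject DN, issuer DN) pairs standing in for user certificates.
USERS = [
    ("/C=NL/O=Example/OU=Physics/CN=Jane Doe",
     "/C=NL/O=Example/CN=Example NL Classic CA"),
    # a Dutch user whose certificate comes from the multi-national federated CA
    ("/DC=org/DC=examplefed/C=NL/O=Example University/CN=John Roe",
     "/DC=org/DC=examplefed/CN=ExampleFed Personal CA"),
    # issued by an accredited CA, but outside that CA's signing namespace
    ("/C=DE/O=Other/CN=Mallory", "/C=NL/O=Example/CN=Example NL Classic CA"),
    # issued by a CA the distribution lists as discontinued
    ("/C=NL/O=Example/CN=Old Test User", "/C=NL/O=Example/CN=Example Test CA"),
]


def parse_info(text):
    """Parse the 'key = value' lines of a .info file into a dict (quotes stripped)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def parse_signing_policy(text):
    """Return (issuer DN, [subject namespace globs]) from an EACL signing policy."""
    issuer, namespaces = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "access_id_CA":
            issuer = tokens[2]
        elif tokens[0] == "cond_subjects":
            namespaces.extend(shlex.split(tokens[2]))  # list of double-quoted globs
    return issuer, namespaces


def select_anchors(info_files, profiles):
    """Map hash -> .info fields for anchors with status 'accredited:<profile>',
    profile in `profiles`; anything not accredited (e.g. 'discontinued') is skipped."""
    selected = {}
    for name, text in info_files.items():
        fields = parse_info(text)
        status, _, profile = fields.get("status", "").partition(":")
        if status == "accredited" and profile in profiles:
            selected[name.split(".", 1)[0]] = fields
    return selected


def accepting_anchor(subject_dn, issuer_dn, installed):
    """Alias of the installed anchor validating (subject, issuer), else None.
    Two checks are modelled: the issuer must be an installed trust anchor, and
    the subject must fall inside that issuer's signing-policy namespace."""
    for hash_, fields in installed.items():
        if fields["subjectdn"] != issuer_dn:
            continue
        policy_issuer, namespaces = parse_signing_policy(
            SIGNING_POLICIES[hash_ + ".signing_policy"])
        if policy_issuer == issuer_dn and any(
                fnmatch.fnmatchcase(subject_dn, ns) for ns in namespaces):
            return fields["alias"]
    return None


def evaluate(installed):
    """Subject DN -> accepting anchor alias (or None) for every user in USERS."""
    return {subj: accepting_anchor(subj, iss, installed) for subj, iss in USERS}


# The core policy set: every accredited anchor, whatever its profile.
FULL = select_anchors(INFO_FILES, {"classic", "mics", "slcs"})
# A naive site subset, 'only the Dutch CAs', chosen by issuer DN.
NL_ONLY = {h: f for h, f in FULL.items() if f["subjectdn"].startswith("/C=NL/")}

if __name__ == "__main__":
    for label, installed in (("full set", FULL), ("NL-only subset", NL_ONLY)):
        print(f"{label}: anchors {sorted(f['alias'] for f in installed.values())}")
        for subj, anchor in evaluate(installed).items():
            print(f"  {subj!r:72} -> {anchor}")
```

Running it prints two tables. With the full set, Jane and John are accepted, Mallory is rejected because the subject falls outside the issuing CA's `cond_subjects` namespace, and the old test user is rejected because a discontinued authority is never selected. With the NL-only subset Jane still passes but John, a Dutch user whose certificate comes from a federated CA whose issuer DN carries no country, is now rejected: that is the ‘constituencies and scopes’ caveat of the slide in concrete form. Sub-setting by issuer is not sub-setting by user community.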
Summary
• Authentication
  – is the basis for granting and denying access by VOs and resource centres
  – does not grant any access rights in or by itself
  – allows incident response and auditing of ‘undesired access attempts’
• EUGridPMA and IGTF provide
  – a global authentication trust fabric across infrastructures,
  – according to scoped technical security policies,
  – based on many autonomous authentication authorities
• Standing EGI security policies leverage the IGTF
  – they acknowledge the primacy of site and national policy
  – and sub-setting the endorsed set is unlikely to have the expected effect
Discussion