Discussions on the Life Ray Portal and credential

David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 -

Separation of security functions David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32

EUGrid. PMA discussion · Separation of functions · thin portal: all credential management on

Proliferation · Aim to have a limited number of credential management systems, for potentially

Next steps · Updated design white paper will reflect changes · Prototype will be

Slides: 13

Download presentation

Discussions on the Life Ray Portal and credential management David Groep, Oct 11 th, 2011

David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 - 2

David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 - 3

David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 - 4

David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 - 5

David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 - 6

David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 - 7

David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 - 8

Separation of security functions David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 - 9

David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 - 10

EUGrid. PMA discussion · Separation of functions · thin portal: all credential management on dedicated box · may combine bridge, My. Proxy and Uploader on 1 box · Quality of Id. M is governed by MICS acceptability · i. e. must be of comparable Lo. A as TCS Personal · including eligibility requirements · Make sure superfluous keypairs are removed · only the proxy is needed, just like in the uploader case · remove MICS keypair when proxy generation completes · Portal security box acts like a UI to the user · only on explicit request of user & under user control · covered under PKP Guidelines – seems similar to the common ‘remote UI’ use case David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 - 11

Proliferation · Aim to have a limited number of credential management systems, for potentially many portals. But initially one for Italy · Leverage existing MICS CAs as far as possible · no new CA for each portal or portal instance · aim to leverage TERENA TCS e. Science Personal · but policy compatibility should still be understood · acceptability of portal instance comes down to CA, i. e. not revoking the certs · it is the MICS CA policy that must be satisfied · PMA only looks at CAs (not at the portals, please) David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 - 12

Next steps · Updated design white paper will reflect changes · Prototype will be developed and demonstrated at later date to appropriate PMAs · Roberto C (and TCS PMA ; -) to study compatibility with TCS Personal Should be a significant step towards better usability! David Groep – davidg@eugridpma. org TAGPMA 13 and OGF 32 – Jul 2011 - 13