EUGrid PMA and the eIRG security roadmap towards


EUGridPMA and the e-IRG security roadmap towards interoperable policies in identity management
GGF 16 Production Grids Enterprise and Research Workshop
David L. Groep, EUGridPMA, 2006-02-15

Outline
· A few words on the Grid Security Model
· Towards inter-working identity management
· Policies for Authentication Federation
· EUGridPMA
· IGTF
· e-IRG roadmap
· Towards integrated Authentication and Authorization
David Groep – davidg@eugridpma.org, GGF 16 Workshop on Production Grids – Feb 2006

Essentials on Grid Security
· Access to shared services
  · cross-domain authentication, authorization, accounting, billing
  · common generic protocols for collective services
· Support multi-user collaboration
  · may contain individuals acting alone – their home organization administration need not necessarily know about all activities
  · organized in ‘Virtual Organisations’
· Enable ‘easy’ single sign-on for the user
  · the best security is hidden from the user as much as possible

Virtual vs. Organic structure
· Virtual communities (“virtual organisations”) are many
· An individual will typically be part of many communities
  · but will require single sign-on across all these communities
[Figure: Virtual Community C spanning Organization A and Organization B. Persons A–F hold organic roles (Faculty, Staff, Student, Administrator) in their organisations and different roles (Principal Investigator, Researcher) in the VO; File server F1 (disks A and B) and Compute Servers C1, C2 and C3 are shared across the organisations. Graphic: GGF OGSA Working Group]

Stakeholders in Grid Security
Current grid security is largely user centric
· different roles for the same person in the organic unit and in the VO
· There is no a priori trust relationship between members or member organisations
· Virtual Organisation lifetime can vary from hours to decades
  · VO not necessarily persistent (both long- and short-lived)
  · people and resources are members of many VOs
· … but a relationship is required
  · as a basis for authorising access
  · for traceability and liability, incident handling, and

Separating Authentication and Authorization
· Single Authentication token (“passport”)
  · issued by a party trusted by all (“CA”), recognised by many resource providers, users, and VOs
  · satisfies the traceability and persistency requirement
  · in itself does not grant any access, but provides a unique binding between an identifier and the subject
· Per-VO Authorisations (“visa”)
  · granted to a person/service via a virtual organisation
  · based on the ‘passport’ name
  · acknowledged by the resource owners
  · providers can obtain lists of authorised users per VO, but can still ban individual users

Authentication … academia, industry, and …
Possible sources of authentication and identity
· National PKI
  · in general uptake of 1999/93/EC and e-Identification is slow
  · where available, a national PKI can be leveraged
· Several commercial providers
  · main commercial drive today: secure e-commerce based on SSL
  · thus primary market is server authentication, not end-user identities
  · are implicitly trusted by many, because web browsers pre-install the roots of trust
  · WebTrust “seal of approval” scope limited to a single Authority
· Academic Grid PKI today
  · provide end-user identities for secure mail and grid use
  · generally provided by the NREN or national e-science project

A Federation Model for Grid Authentication
[Figure: CA 1, CA 2, CA 3 … CA n bound by a common charter, guidelines and an acceptance process to relying party 1 … relying party n]
· A Federation of many independent CAs
· Policy coordination based on common minimum requirements (not ‘policy harmonisation’)
· Acceptable for major relying parties in Grid Infrastructures
· No strict hierarchy with a single top
  · spread liability and enable failure containment (better resilience)
  · maximum leverage of national efforts and subsidiarity

Building the federation
· Providers and Relying Parties together shape the common minimum requirements
· Several profiles for different identity management models
  · different technologies
· Authorities testify to compliance with profile guidelines
· Peer-review process within the federation to (re)evaluate members on entry & periodically
· Reduce effort on the relying parties
  · single document to review and assess for all Authorities
  · collective acceptance of all accredited authorities
· Reduce cost on the authorities
  · but participation in the federation comes with a price
· … the ultimate decision always remains with the RP

EUGridPMA: the Federation in Europe
EUGridPMA founded April 2004, as a successor to the CACG
The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body
• to establish requirements and best practices for grid identity providers
• to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources.
As its main activity the EUGridPMA
• coordinates a Public Key Infrastructure (PKI) for use with Grid authentication middleware.
The EUGridPMA itself does not provide identity assertions, but instead asserts that – within the scope of this charter – the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.

EUGridPMA Membership
EUGridPMA membership for Authorities
· a single Authority per country, large region or international treaty organization
· ‘serve the largest possible community with a small number of stable CAs’
· ‘operated as a long-term commitment’
Relying Parties: major e-Infrastructures or partner organisations
· DEISA, EGEE, SEE-GRID, TERENA, …

Coverage of the EUGridPMA
Green: Countries with an accredited CA
· The EU member states (except LU, MT)
· + AM, CH, IL, IS, NO, PK, RU, TR, “SEE-catch-all”
Other Accredited CAs:
· DOEGrids (.us)
· GridCanada (.ca)
· CERN
· ASGCC (.tw)*
· IHEP (.cn)*
* Migrated to APGridPMA per Oct 5th, 2005

History
Growth of the EDG CACG and EUGridPMA
[Figure: growth chart of the EDG CACG and EUGridPMA membership; no data recoverable from the page]

Five years of growth
· December 2000: First CA coordination meeting for the FP5 DataGrid project
· March 2003: Tokyo Accord (GGF 7)
· April 2004: Foundation of the EUGridPMA
· June 2004: Foundation of the APGridPMA
· June 2005: Foundation of TAGPMA (GGF 14)
· 5 October 2005: … Establishment of the International Grid Trust Federation (IGTF)

2005: Extending Trust – the International Grid Trust Federation
· common, global best practices for trust establishment
· better manageability of the PMAs
[Figure: the three member PMAs of the IGTF – APGridPMA (Asia Pacific Grid PMA), EUGridPMA (European Grid PMA) and TAGPMA (The Americas Grid PMA)]

APGridPMA
· 13 members from the Asia-Pacific Region
  • AIST (.jp) • APAC (.au) • BMG (.sg) • CMSD (.in) • HKU CS SRG (.hk) • IHEP Beijing (.cn) • KISTI (.kr) • NCHC (.tw) • NPACI (.us) • Osaka U. (.jp) • SDG (.cn) • USM (.my) • ASGCC (.tw)
· Launched June 1st, 2004, chaired by Yoshio Tanaka
· Minimum Requirements taken from EUGridPMA
· First face-to-face meeting on Nov 29th, 2005
· Today 6 ‘production-quality’ authorities
See subsequent presentation by Yoshio Tanaka (APGridPMA and AIST)

TAGPMA
· To cover all of the Americas
· 8 members to date
  • SDSC (.us) • FNAL (.us) • Dartmouth (.us) • Texas H.E. Grid (.us) • DOEGrids (.us) • Canarie (.ca) • OSG (.us) • TERAGRID (.us) • Brazil (pending)
· Launched June 28th, 2005, chaired by Darcy Quesnel, CANARIE
See subsequent presentation by Darcy Quesnel (TAGPMA and CANARIE)

IGTF Federation Common Policy
[Figure: the IGTF Federation Document ties together APGridPMA (CA A1, …), EUGridPMA (CA E1, CA E2, …) and TAGPMA (CA T1, …) through trust relations, Subject Namespace Assignment, Common Authentication Profiles – Classic (EUGridPMA) and SLCS (TAGPMA) – Distribution and Naming Conventions]
· worldwide relying parties see a uniform IGTF “mesh”

e-Infrastructure Reflection Group
e-IRG (www.e-irg.org)
· Recommends best practices for European grid efforts
· Policy coordination for the European Research Area
  · Resource sharing policies
  · Registry of resources (economy of scale advantages)
· Synergies between Europe and other regions
· e-Infrastructure Roadmap and FP7+
· Support and encourage pan-European interoperability
  · Such as EUGridPMA, TACAR

Along the e-IRG Roadmap
e-Infrastructure Reflection Group White Paper on Authentication and Authorization
· commitment to the federated approach
· vision of an integrated AA infrastructure for eEurope
Towards an integrated AAI for academia in Europe and beyond
· “The e-IRG notes the timely operation of the EUGridPMA in conjunction with the TACAR CA Repository and it expresses its satisfaction for a European initiative that serves e-Science Grid projects. […] The e-IRG strongly encourages the EUGridPMA / TACAR to continue their valuable work […]” (Dublin, 2004)
· “The e-IRG encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions.” (The Hague, 2005)

Grid Authorization today
Leverages authentication provided by the PKI
· Identity management decoupled from access control
· Creation of short-lived ‘tokens’ (‘proxy’ certificates) for single sign-on based on these identities
Status today
· Variety of mechanisms
· Variety of sources of authority
· Integration and interoperability needs significant effort …
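The “passport / visa” separation from the authentication-vs-authorization slide, the per-CA subject namespace assignment from the IGTF federation slide, and the short-lived proxy tokens from this slide, put together as one provider-side decision. This is an added illustration in plain Python, not code from the slides or from any PMA; the distinguished names, the CA, the VO name and the namespace prefix are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed model (not project code): a CA-issued "passport" binds a name to a subject
# but grants nothing; per-VO "visas" grant access against that name; the provider decides.

@dataclass(frozen=True)
class Passport:          # identity certificate, or a short-lived proxy derived from it
    subject: str         # distinguished name, e.g. "/DC=org/DC=example/CN=Alice"
    issuer: str          # the CA that signed it
    not_after: datetime  # proxies are short-lived, so expiry is checked on every use

@dataclass(frozen=True)
class Visa:              # per-VO authorisation, bound to the passport name only
    subject: str
    vo: str
    role: str = "member"

@dataclass
class ProviderPolicy:
    accredited: dict     # CA name -> subject namespace that CA is assigned to issue in
    supported_vos: set
    banned: set = field(default_factory=set)  # provider can still ban individual users

def authorize(passport, visas, policy, now):
    """Return (granted, reason); each check mirrors one bullet on the slides."""
    if passport.issuer not in policy.accredited:
        return False, "issuer is not an accredited authority"
    if not passport.subject.startswith(policy.accredited[passport.issuer]):
        return False, "subject outside the namespace assigned to its CA"
    if now >= passport.not_after:
        return False, "token expired"
    if passport.subject in policy.banned:
        return False, "subject banned by this provider"
    for visa in visas:
        if visa.subject == passport.subject and visa.vo in policy.supported_vos:
            return True, f"authorised via VO {visa.vo} as {visa.role}"
    return False, "valid passport but no visa from a supported VO"

def demo():  # constructed sample data: one accredited CA, one supported VO, four passports
    now = datetime(2006, 2, 15, tzinfo=timezone.utc)
    ca = "/DC=org/DC=example-ca/CN=Example CA"
    policy = ProviderPolicy({ca: "/DC=org/DC=example/"}, {"atlas"},
                            {"/DC=org/DC=example/CN=Mallory"})
    soon, past = now + timedelta(hours=12), now - timedelta(minutes=1)
    alice = Passport("/DC=org/DC=example/CN=Alice", ca, soon)
    mallory = Passport("/DC=org/DC=example/CN=Mallory", ca, soon)
    rogue = Passport("/DC=org/DC=other/CN=Alice", ca, soon)  # name outside the CA's namespace
    visas = [Visa(alice.subject, "atlas"), Visa(mallory.subject, "atlas")]
    cases = {"alice": (alice, visas), "no_visa": (alice, []), "banned": (mallory, visas),
             "expired": (Passport(alice.subject, ca, past), visas), "namespace": (rogue, visas)}
    return {k: authorize(p, v, policy, now) for k, (p, v) in cases.items()}
```

The "no_visa" case is the one the slides stress: a perfectly valid passport alone yields no access, and the "namespace" case shows why relying parties also need the IGTF namespace assignment, not just the CA's accreditation.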

Convergence initiatives in AAI
· from the PMA side
  · Extending PMA and the IGTF to more countries and regions,
  · and to more mechanisms and audiences
· from TERENA
  · NRENs-GRID workshop series
  · TF-EMC2 / TF-Mobility
  · REFEDS – Research and Education Federations
    · broad AAI scope: IGTF, eduroam, A-Select, PAPI, SWITCH-AAI, InCommon, HAKA, FEIDE/Moria
    · See http://www.terena.nl/tech/refeds/
· in GGF
  · …
With the current technical and policy momentum, a coordinated AAI is now both timely and within reach!

EUGridPMA – http://www.eugridpma.org/
IGTF – http://www.gridpma.org/
e-IRG – http://www.e-irg.org/