Policy Management for Grid Authorization
David Kelsey
APGridPMA, Taipei, 8 Mar 2010

Some background
• AuthZ is as (more?) important than AuthN
  – Gives access to resources
• In world of federations, AuthZ and Identity attributes are rather similar
• Some Grid VOs are global
  – Difficult for one Grid to set the standards
• EGEE/WLCG Joint Security Policy Group has said for some time
  – We need minimum requirements for running VOMS servers

Mandate
• EUGridPMA Working Group on Policy Management for Grid Authorisation
  – Mandate and aims
    • To prepare recommendations on policy and global trust issues related to Grid Authorisation (AuthZ)
    • The initial list of issues to include:
      – Minimum requirements and best practice for the operation of a Grid AuthZ attribute authority

Progress to date
• A working group was set up
• It met a few times
  – produced a rough draft Attribute Authority profile
• Similar in structure to the IGTF AuthN profiles
• See https://grid.ie/eugridpma/wiki/AA_Profile
• But little progress during the last year
• Would now be useful to try to establish best practice as we move into the EGI era

Discussion at EUGridPMA (Dublin, Jan 2010)
• Reviewed some of the issues
  – The AA signing key (AA = “Attribute Authority”)
    • Length and protection
    • Use separate key rather than host cert key?
  – Revocation of assertions?
  – Lifetime of assertions
  – Attribute Practice Statement (APS)
  – AA service provider naming
  – Accreditation procedures

Conclusions in Dublin
• A new (more limited) scope was agreed
• Maintain technical focus on VOMS
  – But concentrate on cases where the signature on the assertion is used in AuthZ validation
• Drop the idea of formal accreditation
• Produce AuthZ guidelines
  – Against which AAs can test/assert their own compliance
• Need to decide how an IGTF CA can issue an “AA issuing certificate”

Questions?
• Volunteers welcome to join the AuthZ working group
  – let me know