Summary from CA coordination and
Security working group meeting
WP4 workshop 2001.06.07
Security related meetings summary
- Certification Authorities coordination
  - Organizationally a working group of WP6
  - Coordinates efforts for certification in various countries
  - Gives guidance to new CAs now setting up
  - Sets minimum standards for trustworthy CAs
- DataGrid Security coordination meeting
  - Interested individuals concerned with security in the DataGrid at large
  - Forum for security architecture discussions
David Groep – CA and DG security wg – 2001.06.07 - 3
Certification Authorities
- Currently 8 Certification Authorities:
  - CERN (Pietro Martucci)
  - INFN (Roberto Cecchini)
  - DutchGrid/NIKHEF (David Groep)
  - UKHEP (Andrew Sansum)
  - CNRS datagrid-fr (Jean-Luc Archimbaud)
  - LIP (Jorge Gomes)
  - CESnet (Milan Sova and Daniel Kouril)
Certification minimal requirements
- Minimal requirements for certification authorities defined
  - Non-networked machine
  - Documented Certification Policy and Practice Statement (CP/CPS)
  - Traceability of CPS in effect at time of signing (using OIDs)
  - CRL issuing required, lifetime between 7 and 30 days
  - Relying parties should retrieve CRL preferably every day
  - There will be no on-site auditing; we will cross-check each other’s CP/CPS
  - Entities should generate own key pairs (CA must not know!)
- Activity on recommending best-practice Grid CP/CPS in GGF
  (DataGrid has no manpower to get heavily involved)
Certification Authorities in a Fabric
- None of the national CAs is prepared to issue host certificates to all hosts in a farm
- OK to apply for gatekeeper certs for LSF masters and such
- OK also for test bed 1 hosts with fork job manager
- WP4 already has a possible solution: FLIDS
- Automatic CRL retrieval: use the GetCerts package from cron
  (soon to be included in WP6 distribution, now from DutchGrid CA site http://certificate.nikhef.nl/)
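Added example (not part of the original slides or of the GetCerts package): a check a relying party could run from cron after each retrieval, applying the 7 to 30 day CRL lifetime and the daily-retrieval figure from the minimal requirements to the two dates printed by `openssl crl -noout -lastupdate -nextupdate`. Function names and sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Policy figures taken from the minimal requirements slide.
MIN_LIFETIME = timedelta(days=7)
MAX_LIFETIME = timedelta(days=30)
MAX_FETCH_AGE = timedelta(days=1)   # "retrieve CRL preferably every day"

def parse_crl_dates(text):
    """Parse the lastUpdate=/nextUpdate= lines printed by `openssl crl`."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        # OpenSSL pads single-digit days with a space; split() normalises it.
        stamp = " ".join(value.split())
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["lastUpdate"], fields["nextUpdate"]

def check_crl(text, fetched_at, now):
    """Return policy findings; an empty list means the CRL is acceptable."""
    last_update, next_update = parse_crl_dates(text)
    lifetime = next_update - last_update
    findings = []
    if lifetime < MIN_LIFETIME:
        findings.append("lifetime-too-short")
    if lifetime > MAX_LIFETIME:
        findings.append("lifetime-too-long")
    if now >= next_update:
        # An expired CRL says nothing about recent revocations.
        findings.append("expired")
    if now - fetched_at > MAX_FETCH_AGE:
        findings.append("local-copy-stale")
    return findings

# Constructed sample outputs (not from any real CA).
SAMPLE_OK = ("lastUpdate=Jun  1 00:00:00 2001 GMT\n"
             "nextUpdate=Jun 22 00:00:00 2001 GMT\n")
SAMPLE_LONG = ("lastUpdate=Jan  1 00:00:00 2001 GMT\n"
               "nextUpdate=Jun 30 00:00:00 2001 GMT\n")

if __name__ == "__main__":
    now = datetime(2001, 6, 7, 9, 0, tzinfo=timezone.utc)
    print(check_crl(SAMPLE_OK, now - timedelta(hours=3), now))
    print(check_crl(SAMPLE_LONG, now - timedelta(days=4), now))
```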
Certification Authorities, Administrative
- A ca-coordination mailing list is being set up by Dave Kelsey
- List can be used for incident reporting
- See also http://marianne.in2p3.fr/datagrid/ca/ca.html
- Detailed notes to be found from
DG Security-wg aims
- Identify security requirements and deliverables within the WPs
- Implications of security on the DataGrid architecture (urgent)
- Identify lacking resources
- Self-organisation
Security per Work Package (1)
- WP1
  - Will be managing the user’s identities
  - Jobs will probably run with the identity of the original user
  - The applications don’t care, as long as:
    - Roles can be assigned to users and
    - Quota can be associated with roles
  - A user can have multiple roles (in different sessions), but only one cert
- WP2
Security per Work Package (2)
- WP3
  - Will start using MDS-2 in PM9
  - Will have added GSI security, but does not use LDAP access rights
  - No sub tree or element access control, just grid mapfile
  - Only just started thinking about security issues for >PM9
- WP4
  - Presented use case of job submission, GjMS, LCAS, LCMAPS & FLIDS
  - For grid info services use WP3 framework
  - “GridGate” should be relabelled “NAT box”
Security per Work Package (3)
- WP5
  - Will store files by uid/gid
  - Will need a grid mapfile
  - May be different from the one used by ComputeElement
  - YAGM: Yet Another Grid Mapfile
- WP7
  - Interesting: they have three security deliverables and some committed manpower (PPARC 18 pm/3y, CERN 12 pm/3y, INFN & CNRS also)
  - No-one in WP7 cares about security at large
  - Only competent in network-layer security, so work might be done under ATF umbrella, formally staying in WP7
  - Once and for all: VPNs are a bad thing. The effort for the VPN test bed is going into a document to prove VPNs are useless
Security per Work Package (4)
- WP8,10 (applications)
  - Want less fuss with national CAs (150 countries in LHC!) sorry!
  - Want single signon: one identity and multiple roles (1 role per session)
  - Authorization by VO, VO decides on quota and groups
  - Requirements common to all applications justify a common solution (CAS)
  - Applications want to keep local site in control, but
    - Local sites should publish their policies (abstracted) to show they are complying with the agreed MoUs
  - Want a good USERS GUIDE
Policy language
- Obvious candidate is the work of the IRTF AAAARCH group
- Generic policy language currently an IRTF draft
- http://iridal.phys.uu.nl/~aaaarch/doc08/
- Or http://www.aaaarch.org/
Interaction between CE and SE
- Details: ATF (Germán)
- Some consensus seems to be
  - Use GridFTP for remote and local access to a SE
  - Applications are prepared to refrain from local file system access (not use open(2))
  - Except for some scratch storage like /tmp
  - Legacy applications should pre-declare their files
  - To prevent rogue applications, the binaries may be signed
  - The receiving end should verify the signature
Firewall issues
- Current state on port numbers used is unclear
- Especially for return ports and user dynamic ports
- Nice to have all future access use predefined static ports,
- Providing secure gateways into the local fabric
- Like the WP4 proposal
User mapping management for PM9
- INFN: LDAP directory of users and groups generates a gridmapfile
  - URL not yet defined
- Manchester: gridmapdir patch
  - http://www.hep.grid.ac.uk/gridmapdir/
  - Possibly included in new Globus release by default
Future of the security working group
- Dave Kelsey will propose a somewhat more formal body to the PTB
- Should be driven by 3 named persons, to come from the three sites with committed effort (PPARC, INFN, CNRS)
- Lot of others should review documents and/or write a few pages for the architecture
- Framework for architecture given by DaveK
- Requirements by September/October
- Final Security architecture deliverable is in PM12