Title: Summary from CA coordination and Security working group meeting


1
Summary from CA coordination and Security working
group meeting
  • WP4 workshop 2001.06.07
  • davidg_at_nikhef.nl

2
Security related meetings summary
  • Certification Authorities coordination
  • Organizationally a working group of WP6
  • Coordinates efforts for certification in various
    countries
  • Gives guidance to new CAs now setting up
  • Sets minimum standards for trustworthy CAs
  • DataGrid Security coordination meeting
  • Interested individuals concerned with security in
    the DataGrid at large
  • Forum for security architecture discussions
  • Coordination of security efforts within the WPs

3
Certification Authorities
  • Currently 8 Certification Authorities
  • CERN (Pietro Martucci)
  • INFN (Roberto Cecchini)
  • DutchGrid/NIKHEF (David Groep)
  • UKHEP (Andrew Sansum)
  • CNRS datagrid-fr (Jean-Luc Archimbaud)
  • LIP (Jorge Gomes)
  • CESnet (Milan Sova and Daniel Kouril)
  • Spain is preparing, Russia will start preparing

4
Certification minimal requirements
  • Minimal requirements for certification
    authorities defined
  • Non-networked machine
  • Documented Certification Policy and Practice
    Statement (CP/CPS)
  • Traceability of CPS in effect at time of signing
    (using OIDs)
  • CRL issuing required, lifetime between 7 and 30
    days
  • Relying parties should retrieve CRL preferably
    every day
  • There will be no on-site auditing; we will
    cross-check each other's CP/CPS
  • Entities should generate own key pairs (CA must
    not know!)
  • Activity on recommending best-practice Grid
    CP/CPS in GGF (DataGrid has no manpower to get
    heavily involved)
  • Drafted a list of recommended cert extensions
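
The CRL rules on this slide (lifetime between 7 and 30 days, daily retrieval by relying parties) can be checked mechanically. The following is an added example, not part of the original presentation: it reads the two date lines printed by `openssl crl -noout -lastupdate -nextupdate` and reports policy problems. The sample input is constructed, the function names are hypothetical, and treating the "preferably every day" retrieval as a hard limit is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `openssl crl -noout -lastupdate -nextupdate` output.
SAMPLE = "lastUpdate=Jun  7 12:00:00 2001 GMT\nnextUpdate=Jul  7 12:00:00 2001 GMT\n"

MIN_LIFETIME = timedelta(days=7)    # slide: CRL lifetime at least 7 days
MAX_LIFETIME = timedelta(days=30)   # slide: CRL lifetime at most 30 days
MAX_FETCH_AGE = timedelta(days=1)   # slide: retrieve preferably every day (assumed hard limit)


def parse_crl_dates(text):
    """Return (lastUpdate, nextUpdate) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("lastUpdate", "nextUpdate"):
            # Collapse the space-padded day ("Jun  7") before parsing.
            stamp = " ".join(value.split())
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    if "lastUpdate" not in fields or "nextUpdate" not in fields:
        raise ValueError("CRL dates missing from input")
    return fields["lastUpdate"], fields["nextUpdate"]


def check_crl(text, fetched_at, now):
    """Return a list of policy problems; an empty list means the CRL passes."""
    last_update, next_update = parse_crl_dates(text)
    lifetime = next_update - last_update
    problems = []
    if lifetime < MIN_LIFETIME:
        problems.append("lifetime shorter than 7 days")
    if lifetime > MAX_LIFETIME:
        problems.append("lifetime longer than 30 days")
    if now >= next_update:
        problems.append("CRL expired")
    if now - fetched_at > MAX_FETCH_AGE:
        problems.append("local copy older than one day")
    return problems


if __name__ == "__main__":
    now = datetime(2001, 6, 10, 9, 0, tzinfo=timezone.utc)
    fetched = datetime(2001, 6, 10, 3, 0, tzinfo=timezone.utc)
    print(check_crl(SAMPLE, fetched, now) or "CRL meets the minimum requirements")
```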

5
Certification Authorities in a Fabric
  • None of the national CAs is prepared to issue
    host certificates to all hosts in a farm
  • OK to apply for gatekeeper certs for LSF masters
    and such
  • OK also for test bed 1 hosts with fork job
    manager
  • WP4 already has a possible solution: FLIDS
  • Automatic CRL retrieval: use the GetCerts package
    from cron; soon to be included in the WP6
    distribution, now available from the DutchGrid CA
    site http://certificate.nikhef.nl/

6
Certification Authorities, Administrative
  • A ca-coordination mailing list is being set up by
    Dave Kelsey
  • List can be used for incident reporting
  • See also http://marianne.in2p3.fr/datagrid/ca/ca.html
  • Detailed notes to be found at
    http://www.nikhef.nl/davidg/grid/

7
DataGrid Security working group

8
DG Security-wg aims
  • Identify security requirements and deliverables
    within the WPs
  • Implications of security on the DataGrid
    architecture (urgent)
  • Identify lacking resources
  • Self-organisation
  • Extensive discussions planned for Lecce with
    Steve Tuecke

9
Security per Work Package (1)
  • WP1
  • Will be managing the users' identities
  • Jobs will probably run with the identity of the
    original user
  • The applications don't care, as long as:
  • Roles can be assigned to users and
  • Quota can be associated with roles
  • A user can have multiple roles (in different
    sessions), but only one cert
  • WP2
  • Same issue with ownership of replicated files.
    Not resolved yet.

10
Security per Work Package (2)
  • WP3
  • Will start using MDS-2 in PM9
  • Will have added GSI security, but does not use
    LDAP access rights
  • No sub tree or element access control, just grid
    mapfile
  • Only just started thinking about security issues
    for >PM9
  • WP4
  • Presented use case of job submission, GjMS, LCAS,
    LCMAPS, FLIDS
  • For grid info services use WP3 framework
  • GridGate should be relabelled NAT box
  • No security comments on install-a-fresh-box use
    case

11
Security per Work Package (3)
  • WP5
  • Will store files by uid/gid
  • Will need a grid mapfile
  • May be different from the one used by
    ComputeElement
  • YAGM: Yet Another Grid Mapfile
  • WP7
  • Interesting: they have three security
    deliverables and some committed manpower (PPARC
    18 pm/3y, CERN 12 pm/3y, INFN, CNRS also)
  • No-one in WP7 cares about security at large
  • Only competent in network-layer security, so work
    might be done under ATF umbrella, formally
    staying in WP7
  • Once and for all: VPNs are a bad thing. The
    effort for the VPN test bed is going into a
    document to prove VPNs are useless
  • DoS attacks will be the real issue in network
    security

12
Security per Work Package (4)
  • WP8,10 (applications)
  • Want less fuss with national CAs (150 countries
    in LHC!) sorry!
  • Want single sign-on: one identity and multiple
    roles (1 role per session)
  • Authorization by VO; VO decides on quota and
    groups
  • Requirements common to all applications justify a
    common solution (CAS)
  • Applications want to keep local site in control,
    but
  • Local sites should publish their policies
    (abstracted) to show they are complying with the
    agreed MoUs
  • Want a good USERS GUIDE
  • WP10 has a lot of sensitive data, encryption
    preferred on application level
  • Anonymous-ftp-like areas, but restricted to
    any biologist

13
Policy language
  • Obvious candidate is the work of the IRTF AAAARCH
    group
  • Generic policy language currently an IRTF draft
  • http://iridal.phys.uu.nl/aaaarch/doc08/
  • Or http://www.aaaarch.org/

14
Interaction between CE and SE
  • Details: ATF (Germán)
  • Some consensus seems to be:
  • Use GridFTP for remote and local access to a
    SE
  • Applications are prepared to refrain from local
    file system access (not use open(2))
  • Except for some scratch storage like /tmp
  • Legacy applications should pre-declare their
    files
  • To prevent rogue applications, the binaries may
    be signed
  • The receiving end should verify the signature
  • Users can make no assumptions about a local
    identity anywhere (gsi-ssh)

15
Firewall issues
  • Current state on port numbers used is unclear
  • Especially for return ports and user dynamic
    ports
  • Nice to have all future access use predefined
    static ports,
  • Providing secure gateways into the local fabric
  • Like the WP4 proposal
  • To be able to selectively block malicious access

16
User mapping management for PM9
  • INFN: LDAP directory of users and groups
    generates a gridmapfile
  • URL not yet defined
  • Manchester: gridmapdir patch
  • http://www.hep.grid.ac.uk/gridmapdir/
  • Possibly included in new Globus release by
    default
  • Uid issues: most systems do 4 billion uids, but
    Linux 2.2.x only 64K?

17
Future of the security working group
  • Dave Kelsey will propose a somewhat more formal
    body to the PTB
  • Should be driven by 3 named persons, to come from
    the three sites with committed effort (PPARC,
    INFN, CNRS)
  • A lot of others should review documents and/or
    write a few pages for the architecture
  • Framework for architecture given by DaveK
  • Requirements by September/October
  • Final Security architecture deliverable is in
    PM12
  • Detailed notes at http://www.nikhef.nl/davidg/grid/