DataGrid WP6CA CA Trust Matrices - PowerPoint PPT Presentation

Provided by: drbaco

1
DataGrid WP6/CA: CA Trust Matrices
  • Trinity College Dublin (TCD)
  • Brian Coghlan

Edinburgh JUL-2002
2
EU DataGrid Project
  • Industrial Partners
      • Datamat (Italy)
      • IBM-UK (UK)
      • CS-SI (France)
  • Research and Academic Institutes
      • CESNET (Czech Republic)
      • Commissariat à l'énergie atomique (CEA) - France
      • Computer and Automation Research Institute,
        Hungarian Academy of Sciences (MTA SZTAKI)
      • Consiglio Nazionale delle Ricerche (Italy)
      • Helsinki Institute of Physics - Finland
      • Institut de Fisica d'Altes Energies (IFAE) - Spain
      • Istituto Trentino di Cultura (IRST) - Italy
      • Konrad-Zuse-Zentrum für Informationstechnik Berlin - Germany
      • Royal Netherlands Meteorological Institute (KNMI)
      • Ruprecht-Karls-Universität Heidelberg - Germany
      • Stichting Academisch Rekencentrum Amsterdam (SARA) - Netherlands
      • Swedish Research Council - Sweden

3
EU CrossGrid Project
  • 21 Partners
      • led by Cyfronet (Poland)
  • 11 Countries
      • Poland
      • Netherlands
      • Germany
      • Spain
      • Italy
      • Portugal
      • Greece
      • Austria
      • Slovakia
      • Cyprus
      • Ireland

4
DataGrid security
  • No single work package (security is everywhere!)
  • 3 sub-groups: Authentication, Authorisation, Co-ordination
  • Chaired by Dave Kelsey, RAL
  • Now based on Globus GSI
      • authentication using PKI (X.509 certificates)
      • authorization via DataGrid tools
  • Trying not to mix Authentication and Authorisation
  • Documents
      • Security Requirements and first implementation (D7.5)
      • Security Design and 2nd implementation (Jan 2003)

5
DataGrid authentication
  • Grids involve N-way contexts
  • Thus each party is worried about all the others
  • Back at the CA, each CA wants to evaluate the
    other CA
  • EITHER that they meet the CA's minimum standard
  • OR that they meet an agreed common standard
  • EDG focus is on common standard
  • This results in a Trust Matrix

6
DataGrid authentication
  • involves cross-domain authentication between Grid
    projects
  • now 13 approved National Certificate Authorities
  • includes Registration Authorities - check
    identity
  • CNRS (France) acts as catch-all CA with RA
    mechanism to suit
  • USA (DOE) is a member of the CA group and trust
    matrix
  • CrossGrid CAs are currently joining CA group and
    trust matrix

7
Matrix of Trust
8
Matrix of trust
  • How to establish the trust?
  • CA Mgrs check each other against agreed list of
    minimum requirements
  • currently require inspection of each CA's CPS by
    each other CA
  • software being developed to aid this process
  • CP/CPS important
  • audit of CA procedures will help
  • none done yet
  • use 3rd party?
  • GGF GridCP and CA-Operations WGs considered
    important

9
Matrix of trust
  • Scaling problems
  • how many CAs can we cope with - soon 20?
  • the process is very manual
  • personal contacts are fundamental
  • WANT TO MAKE EVALUATION MORE AUTOMATIC
  • software being developed to aid this process
  • based on evaluation of the CA Feature Matrix

10
DataGrid CA Feature Matrix
11
Basic Concepts
  • Issues
      • postulate (condition) ⇒ (issue)
      • e.g. (BasicConstraints_value ne CA) ⇒ (major issue)
  • Grading
      • i.e. assign an issue a weight
  • Constraint
      • issues of a certain class should be constrained to that class
      • e.g. many minor issues do not make a major issue
  • Aggregation
      • aggregate graded issues in a measure of severity
      • e.g. (severity @ major) = Σ(graded major issues) ≤ limit = 1.0

12
Currently JUL-2002
  • per class: (severity @ class) = Σ(graded class issues) ≤ limit = 1.0
  • max_severity = (severity) for most critical class
    with issues
  • postulate acceptance_level = T_acceptance - (max_severity)
  • where T_acceptance = (worst-case max_severity)
  • e.g. assume T_acceptance = 3.0
  • therefore max_severity = 0.0 .. 3.0
  • and acceptance_level = 3.0 .. 0.0
  • This is the WORKING BASIS for manual evaluation

13
Auto-evaluation
  • move to extract issues automatically
  • from what?
  • initially from Feature Matrix
  • later from CA certs, CRLs?

14
Extraction from Feature Matrix
  • since (condition) ⇒ (graded issue)
  • then must define condition per feature ⇒ rules
  • e.g. (name eq NIL) ⇒ (graded issue)
  • thus if (name eq NIL): (graded issue) =
    (coefficient @ class)
  • per class: (severity) = Σ(graded issues) ≤ limit = 1.0
  • EDG can define its common rule set
  • each CA could define its own overrides to the
    rule set
  • ultimately each VO could define its own rule set
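
The scoring scheme of slides 11, 12 and 14 carried through in code, as an added example that is not part of the original presentation or EDG's software. Assumptions: the coefficients, the features other than name and BasicConstraints, the class name "critical", the override format, and the stacking of three classes into the 0.0 .. 3.0 range.

```python
# Added example. Rules, coefficients and feature rows are constructed, not EDG's.
LIMIT = 1.0                               # per-class cap from the slides
CLASSES = ["minor", "major", "critical"]  # least to most critical; "critical" is an assumed name
T_ACCEPTANCE = LIMIT * len(CLASSES)       # worst-case max_severity, 3.0 as on the slide

# Each rule: (feature, condition on its value, issue class, coefficient).
RULES = [
    ("name",              lambda v: v is None, "minor", 0.5),
    ("contact_email",     lambda v: v is None, "minor", 0.75),
    ("crl_url",           lambda v: v is None, "major", 0.5),
    ("basic_constraints", lambda v: v != "CA", "major", 0.75),
]

def extract_issues(features, overrides=None):
    """(condition) => (graded issue): return [(feature, class, coefficient)]."""
    issues = []
    for feature, condition, cls, coeff in RULES:
        # A CA or VO may regrade a rule; this override format is an assumption.
        cls, coeff = (overrides or {}).get(feature, (cls, coeff))
        if condition(features.get(feature)):   # an absent feature counts as NIL
            issues.append((feature, cls, coeff))
    return issues

def class_severity(issues):
    """Sum the graded issues per class, capped so a class cannot spill upward."""
    severity = dict.fromkeys(CLASSES, 0.0)
    for _, cls, coeff in issues:
        severity[cls] = min(LIMIT, severity[cls] + coeff)
    return severity

def max_severity(severity):
    """Severity of the most critical class with issues, offset by the classes below it (assumed)."""
    for rank in range(len(CLASSES) - 1, -1, -1):
        if severity[CLASSES[rank]] > 0:
            return rank * LIMIT + severity[CLASSES[rank]]
    return 0.0

def acceptance_level(features, overrides=None):
    issues = extract_issues(features, overrides)
    return T_ACCEPTANCE - max_severity(class_severity(issues))

# Constructed feature-matrix rows for three hypothetical CAs.
CA_A = {"name": "CA-A", "contact_email": "ca@a.example",
        "crl_url": "http://a.example/crl", "basic_constraints": "CA"}
CA_B = {"crl_url": "http://b.example/crl", "basic_constraints": "CA"}
CA_C = dict(CA_A, basic_constraints=None)

if __name__ == "__main__":
    for label, row in (("A", CA_A), ("B", CA_B), ("C", CA_C)):
        print(label, class_severity(extract_issues(row)), acceptance_level(row))
```

CA_B has two minor issues that sum to 1.25 but are capped at 1.0, so it still scores above CA_C with its single major issue.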

15
Acceptance/Feature Matrices
THE END