International Grid Trust Federation

1
International Grid Trust Federation

• Tony Genovese, ESnet
• David Groep, IGTF Chairman
• Michael Helm, ESnet
• Dhivakaran Muruganantham, ESnet

2
International Grid Trust Federation

• IGTF is the trust glue for Grids.
• The Grid is a distributed computing paradigm and
  middleware that is supporting large scale,
  world-wide scientific research such as the LHC in
  physics.
• IGTF is composed of 3 regional PMAs, each
  supporting a separate zone in the world
  EUGridPMA, TAGPMA, and APGridPMA.
• TAGPMA (The Americas Grid PMA) and Internet2 and
  Educause PKIs need to work together to make sure
  I2/HE PKIs can meet their customers needs for
  Grid interoperability.

3
Grid PKI Software and Limitations

• http//www.globus.org/toolkit/docs/4.0/security/
• However, many Grid environments operate in legacy
  (pre 4.0) mode
• PKI Authentication
• X.509 certificates close to IETF PKIX RFC 3280
• Proxy certificates RFC 3820 short lived
  delegated rights
• Also, numerous legacy (pre-3820) implementations
• Mutual authentication based on TLS model
• Openssl is essential software component
• Authorization many different solutions
• Simple lists and map files (like UNIX account
  services)
• Account management services
• Delegated rights attributes in proxy certificates
• X.509 authorization certificates
• GGF-managed Web Services-based authorization
  services
• Shibboleth-Grid bridging
• And more
• Credential management
• Software tokens
• MyProxy a credential store

4
Why Should Educause Care?

• Policy Support your research and education
  collaborations in large scale science
• Technology Support your technology needs and
  infrastructure
• Higher Education Bridge PKI
• Grids do not support understand mesh or
  network PKIs
• Internet2 Deep Hierarchy
• Grid PKIs are not good at dealing with family
  trees or chains of trusted CA certificates
• Commercial CA/identity provider support
• Technical, policy, and political barriers to
  overcome
• Some progress on this in Europe
• Shibboleth and authorization technology
• Many technology developments underway to bridge

5
Extending TrustIGTF the International Grid
Trust Federation

• Common, global best practices for trust
  establishment
• Better manageability and response of the PMAs

6
International Grid Trust Federation

• The IGTF - WWW.GridPMA.org
• Commissioned Mar 2003 (Tokyo) - - Chartered
  October 5th, 2005 at GGF 16 (Chicago)
• Federation of European, Asian, and Western
  Hemisphere Policy Management Authorities
• Focused on Identity management and authentication
  for Grids
• Regional Authorities
• EU Grid Policy Management Authority
• EGEE Enabling Grids for E-science in Europe
• Asian Pacific Policy Management Authority
• APGrid National Institute of Advanced
  Industrial Science and Technology
• The Americas Grid PMA newly chartered Sep 2005
• Canada and USA (DOE, NSF) Latin American
  organizations soon
• Establishment of top level CA registries and
  related services
• Root CA certificates, CA repositories and CRL
  publishing points.
• EU Grid PMA registry de facto (CNRS French
  National Center for Scientific Research)
• Asian Pacific CA registry (AP PMA)
• TERENA TACAR (TERENA Academic CA Repository)
• Standards
• Certificate policies, Certificate profiles,
  Accreditation
• Global Grid Forum publishes standards and
  community best practices.

7
IGTF (2)

• IGTF Federation
• Namespace specification and allocation
• NB Grids do not use directory-managed naming
• Grid PKI support file Gold distribution
• Provided to middleware packagers such as VDT,
  large scale Grids c
• IGTF Managed Certificate profiles
• Certificate Profiles Subset of certification
  practices describing essential, distinguishing
  characteristics of Grid certificate usage
• Developed by Regional PMA or member organization
• Current profiles
• Classic X.509 CAs
• Development managed by EUGridPMA
  (www.eugridpma.org)
• Influenced by NIST and PKI industry best practice
• Short-Lived Certificate Services
• Development managed by TAGPMA (www.tagpma.org)
• Bridge site authentication services to
  Grid-compatible PKI
• Experimental CA
• Development managed by APGridPMA
  (www.apgridpma.org)
• Profiles that need to be developed
• Bridge based PKI (policy mapping, transitive
  trust)

8

• EU Grid PMA
• Covers Most of Europe
• Non members in White
• Other member CAs
• DoEGrids (US)
• GridCanada
• ASCCG (Taiwan)
• ArmeSFO (Armenia)
• CERN
• Russia (DataGrid)
• Israel (IUCC)
• Pakistan
• IHEP (China)

9
EUGridPMA

• www.eugridpma.org
• Features
• 36 members most from EU, some from closely
  affiliated countrieschaired by David Groep
  (NIKHEF)
• The senior partner
• Classic X.509 Grid profile
• Member organizations/countries
• Canonical list http//www.eugridpma.org/members/i
  ndex.php
• Membership includes many European national and
  regional (eg Nordunet, Baltic Grid) Grid
  projects Canarie (Canada) DOEGrids and FNAL
  (US) significant relying parties such as LHC
  several AP Grid CAs

10

• The Americas Grid PMA Members
• Dartmouth College
• Texas High Energy Grid
• Fermi National Laboratory
• San Diego Supercomputing Center
• TeraGrid
• Open Science Grid
• DOEGrids
• CANARIE

• Latin American New Candidates
• Venezuela ULA
• Cuba CUBAENERGIA
• Chile REUNA(UTFSM, UDEC)
• Peru SENAMHI
• Mexico UNAM
• Argentina UNLP
• Brazil UFF (UFRJ, CNEN, CECIERJ/CEDERJ, RNP)

11
TAGPMA

• The Americas Grid PMA Chartered Sep 2005 Very
  new
• www.tagpma.org
• Features
• 8 members Canarie (CA) and US
• Several Latin American Grid projects to join soon
• Chaired by Darcy Quesnel (CANARIE)
• Short Lived Certificate Server profile
• Member organizations/countries
• Canonical list http//www.tagpma.org/members

• Soon Latin American CAs
• Venezuela
• Cuba
• Chile
• Peru
• Mexico
• Argentina
• Brazil

• Dartmouth College/I2/HEBCA
• TeraGrid
• Texas High Energy Grid
• DOEGrids (US-DOE Labs)
• Fermi Lab (FNAL)
• San Diego Supercomputer Ctr
• Open Science Grid (OSG)
• CANARIE (Grid Canada)

12

• Asian Pacific PMA
• Japan AIST, Osaka U.
• Australia APAC
• Singapore BMG
• India CMSD
• Hong Kong HKU CS SRG
• Korea KISTI
• Taiwan NCHC
• USA NPACI
• China SDG, IHEP Beijing
• Malaysia USM
• Taiwan ASGCC

13
APGridPMA

• (Material provided by David Groep, IGTF chairman,
  from TF-EMC2 update Sep 05
• www.apgridpma.org
• Features
• 13 members from the Asia-Pacific
  Region,chaired by Yoshio Tanaka (AIST)
• 7 Production CAs
• Experimental CA Profile
• Member organizations/countries
• Canonical list https//www.apgrid.org/CA/Certific
  ateAuthorities.html

• AIST (Japan)
• APAC (Australia)
• BMG (Singapore)
• CMSD (India)
• HKU CS SRG (Hong Kong)
• KISTI (Korea)
• NCHC (Taiwan)

• NPACI (US)
• Osaka U. (Japan)
• SDG (China)
• USM (Malaysia)
• IHEP Beijing (China)
• ASGCC (Taiwan)

14
Certificate Profiles

• Classic PKI
• DOEGrids as example
• Short Lived Certificate Services
• Rotary example
• Other work
• Experimental
• Use at conferences, demos, short term projects
• Bridge PKI
• Grid PKI has no concept of policy mapping or
  levels
• Grid PKI has no concept of transitive trust
• US HEBCA needs this profile
• Other services may be required as a result
• Active Credential Store PKI
• Extend the MyProxy model link a CA to
  credential store
• Core problem Service owns user private keys.

15
Classic X.509 Certificate Profile

• Comprehensive Security Requirements for CA
  services
• Evolved Grid operational needs vs Security best
  practices
• Hardware Security Modules or Offline operation
• Two fairly distinct classes of end-entity
  certificates
• Hosts and Grid services essentially TLS
  server certs
• Evolving concepts of ownership and rights
• Users and software agents Client certificates
• Strict Identity management and verification
  requirements
• We concentrate on this class here but hosts
  equally important
• Missing not yet defined software signing
  certificates for abstract entities (processes)

16
DOEGrids Classic X.509 PKI
Offline Vaulted Root CA
Grid User
PKI Systems
Hardware Security Modules
HSM
Firewall
Internet
Access controlled racks
Secure Data Center
Building Security
LBNL Site security
Intrusion Detection
17
Grid Classic PKIPeople Certificate Workflow
Registration Manager (RM) PKI1.DOEGrids.Org
4
CA
Sponsor
2
4
3
Project DBMS
5
Registration Authority (RA) Agent
Subscriber
7
6

• Subscriber requests Certificate
• RM posts signing request notice
• The RA for the Subscriber retrieves request
• The RA agent reviews request with Grid project
• The agent updates/approves/rejects request
• Approved Certificate Request is sent to CM

Certificate Manager (CM) (Certificate Signing
Engine)

1. CM issues certificate
2. RM sends Email notice to Subscriber
3. Subscriber picks up new certificate

18
Short Lived Certificate Service Architecture
Sources of Identity
Grid Identity Mint
Short lived Grid Identity/Proxy/Attribute
Certificates
LDAP
Authentication Protocol Query/Response
Kerberos
slic
slic
RADIUS
slic
slic
Shibboleth IdP
slic
slic
Certificate Authority
Windows Domain
CA can rotor through suite of authentication
methods as needed
Other PKI
Add custom extensions / delegations as needed
Local Site / VO Authentication infrastructure
19
FNAL KCA Workflow
FNAL Kerberos KDC

• FNAL User certificate workflow
• Authenticate to KDC
• Receive Kerberos TGT
• Present Kerberos ticket and CSR to CA
• KX509 CA returns short lived certificate
• Use certificate with Grid services or local Web
  pages

FNAL Account Services
Update
1
2
3
FNAL KX509 Certification Authority
4
5
Grid resources (FNAL, external)
20
Rotary SLCS

• Concept is expansion of KX509 like operation
  from enterprise to the scope of a Virtual
  Organization, and national network resource
• Mostly, a matter of integration and federation
• The federation agreements and interop are not
  trivial
• Shibboleth, and rotary concept, need testing
• CA can be replicated into (secure) sites
• Our HSM technology may be able to change the
  definition of secure site

21
Certificate Validation Service

• Outsource certificate trust decisions to a
  trusted service
• Benefits
• Light client maintains one relationship, not
  10s-100s
• Obviously, we cannot expect to eliminate ALL
  client trust decisions, nor is that desirable.
• Service can adapt more rapidly to changing
  conditions
• Replication of validation service can be managed
  more effectively
• Provide certificate path discovery and path
  validation for bridge PKI architecture
• Essential for Grid support of Higher Education
  Bridge CA
• OCSP is a subset, and analogy
• Online Certificate Status Protocol
• However some OCSP deployment scenarios
  exacerbate existing scaling problems.

22
Conclusion

• Contacts
• IGTF David Groep davidg_at_eugridpma.org
• TAGPMA Darcy Quesnel - darcy.quesnel_at_canarie.ca
• HEBCA Scott Rea - Scott.Rea_at_Dartmouth.edu
• DOEGrids doegrids-ca-1_at_doegrids.org
• (Dhiva, Tony Genovese, Mike Helm)