Grid Security

      Authorization WG
      David Kelsey
EU Grid PMA, Copenhagen
      27 May 2008
• EUGridPMA Working Group on Policy Management
  for Grid Authorisation
    – Mandate and aims
• To prepare recommendations on policy and global
  trust issues related to Grid Authorisation (AuthZ)
• The initial list of issues will include:
    – Minimum requirements and best practice for the operation of
      a Grid AuthZ attribute authority
    – Minimum requirements and best practice for Virtual
      Organisation user and service membership management
    – Accreditation of Attribute Authorities (AA)
    – Accreditation of Virtual Organisations and their membership
      management procedures
27 May 08                EU Grid PMA, Kelsey                    2
                Mandate (2)
    – Repositories and distribution of accredited
      AA roots of trust
    – Technical details of attribute signing and
      trust validation
• To recommend how IGTF could handle the definition
  of AuthZ policy and related accreditation during the
  next 3 to 5 years, taking into account the move
  towards a sustainable EU Grid Infrastructure and
  constituent national Grids

            Mailing list members
•   M Altunay                    •   D Kelsey
•   J Basney                     •   O Koeroo
•   V Ciaschini                  •   D Kouril
•   R Cowles                     •   A McNab
•   G Garzoglio                  •   D O’Callaghan
•   D Groep                      •   M Sova
•   M Helm                       •   Y Tanaka
•   E Imamagic                   •   C Triantafyllidis
•   J Jensen                     •   W Weisz
•   C Kanellopoulos              •   J Wolfrat

            Discussion on mandate
• Several suggestions received
• First mandate for this WG should be to set up a list of all known
  AuthZ tools for the Grid environment available and in
    – To determine actual and near future best practice
• Especially it should help to discern advantages and
  disadvantages of SAML assertions versus Attribute certificates
  versus attributes directly included in proxy certificates.
• This could guide us in the more theoretical aspects of the WG

               Discussion (2)
• Policy implications for VOs and VO service
  providers are essentially the same whatever
  signing and attribute/assertion technology is
• Perhaps there is scope for an AAOPS in
    – need for implementations that work, as opposed to
      blue sky protocol design

               Discussion (3)
• I agree that we may start with working on
  VOMS; however, staying implementation-
  independent, as much as possible, would
  help us in the long run
• How LoA of the underlying AuC assertions
  affect what AuZ can do
    – This leads to a sort of risk assessment framework
    – If I have a precious resource, I need high quality
      AuC assertions underneath it.
                     Policy models
• Attribute Authority Service Profile
    – Based on VOMS
            • Can we make it technology independent?
    – This should be written
• VO procedures
    – JSPG working on two documents
            • VO Registration Policy
            • VO Membership Management Policy
    – Probably don’t need another one!
                     Scaling issues
• Today in EGEE
    – ~200 VOs (mix of global, international, regional,
      national, local)
    – # VOMS servers (how many?)
            • Need to quantify
• Future EGI/NGI world
    – ~35 to 40 Grids in Europe
• EU Grid PMA
    – Accredits ~2 per meeting and reviews ~4
• Options
    – Existing IGTF PMAs
    – Form new AuthZ PMAs
    – Large Grids (EGEE, OSG etc)
    – NGIs
    – Or mix of some/all of these

                   Accreditation (2)
• My personal preferences (not discussed yet)
• IGTF defines the standards
• Others do accreditation
    – With IGTF members
    – Important to have feedback into standards
• Large Grids or Coordination (call it EGI)
    – Accredit Global VOs
    – And run AA services for them
            • Accredited by IGTF

                   Accreditation (3)
• Every VO should have a home Grid
    – Runs the AA services
            • NGI AA service is accredited by IGTF or EGI
    – Accredits the VO procedures
• Bootstrap
    – Prepare draft profiles (AA and VO)
    – Accredit a small number of global VOs
    – Feedback and improve profiles

              AC validation
• Document from OSG
• Attribute Certificate Validation in OSG
    – Mike H to say more?

            Meetings and plans
• Work should start on the draft AA profile
    – Needs a small team
    – Then wider discussion
• I propose to hold a workshop
    – Early autumn
    – EGEE’08?
    – Joint with EU Grid PMA Lisbon meeting?