Transcript of: 2nd APGrid PMA F2F Meeting, Osaka University Convention Center, October 15

2nd APGrid PMA F2F Meeting
Osaka University Convention Center
October 15
Wireless LAN SSID: PRAGMA11
WEP key: PRAGMA11JAPAN
Notes
This room is basically NO FOOD and NO DRINK. But drink can be overlooked.
We will have two coffee/tea breaks and a lunch break. Coffee/tea will be served in front of this room. Lunch will be served in a different building.
PRAGMA Welcome Reception will start at 6:30pm at Senri-Hankyu Hotel. Bus will depart here at 17:18.
Agenda and materials available on the web site at: http://www.apgridpma.org/meetings/index.html
Call for volunteers for taking minutes. Native speakers are appreciated.
Recap of CA, PMA, and IGTF
2nd APGrid PMA F2F Meeting, Osaka University Convention Center, October 15
Yoshio Tanaka, APGrid PMA / IGTF Chair
AIST, Japan
Outline
History and status of the PMA and IGTF
Introduction of the APGrid PMA: activity, responsibility, obligation
Introduction of the IGTF: activity, responsibility, obligation, relationship with the PMA
Some notes for operating a certificate authority
Grid Security
GSI is based on X.509 certificates and PKI.
Most organizations are launching their own Certificate Authorities (CA) for issuing end-entity certificates for users, hosts, and services.
Proxy Certificates (RFC 3820) for single sign-on and delegation.
A Virtual Organization (VO) is implemented by federations of multiple security domains.
Grid Security (cont’d)
The most popular multi-domain PKI architecture (in Grid) is cross-recognition.
Independent CAs would somehow be licensed or audited by a mutually recognized trusted authority.
e.g. AIST trusts KISTI CA operated by KISTI, Korea. KISTI trusts AIST GRID CA operated by AIST.
[Figure: independent CAs, each with its own Globus installation, cross-recognizing one another]
Status and challenges
Need AuthN and AuthZ federation within a VO, and between VOs.
AuthN federation: foundation for building/experimenting with Grids; need to coordinate security (CA) policies.
AuthZ federation: still a grand challenge.
[Figure: CAs grouped under the three regional PMAs: EUGrid PMA, APGrid PMA, TAG PMA]
Regional PMA is responsible for coordination of security policies within the region.
Three PMAs compose IGTF.
Target: AuthN federation.
Problems of authentication federations
All CAs should keep the same level of operation.
How is the CA securely operated? Use HSM? Dedicated CA room? …
All CAs should have no conflict in policy.
How does the CA identify end entities? Use face-to-face meeting? Telephone? Email? etc. …
Policy Management Authority (PMA) is a coordination body of CA policies and operations.
EUDG CACG was the pioneer
The EU DataGrid in 2000 needed a PKI for the test bed: both end-user and service/host PKI.
CACG (actually David Kelsey) had the task of creating this PKI: for Grid authentication only, no support for long-term encryption or digital signatures.
Single CA was not considered acceptable: single point of attack or failure.
One CA per country, large region or international organization.
CA must have strong relationship with RAs.
Some pre-existing CAs.
A single hierarchy would have excluded existing CAs and was not convenient to support with existing software.
Coordinated group of peer CAs was the most suitable choice.
EUDG CACG was the pioneer (cont’d)
December 2000: First CA coordination meeting for the DataGrid project.
March 2001: First version of the minimum requirements. 5 CAs: France (CNRS), Portugal (LIP), Netherlands (NIKHEF), CERN, Italy (INFN), UK (UK eScience).
December 2002: Extension to other projects: EU-CrossGrid.
March 2003: The Tokyo Accord
"… meet at GGF conferences. … work on … Grid Policy Management Authority: GRIDPMA.org; develop Minimum requirements – based on EDG work; develop a Grid Policy Management Authority Charter [with] representatives from major Grid PMAs:"
European Data Grid and Cross Grid PMA: 16 countries, 19 organizations
NCSA Alliance
Grid Canada
DOEGrids PMA
NASA Information Power Grid
TERENA
Asian Pacific PMA: AIST, Japan; ASCC, Taiwan
Status of PMAs
Currently, there are three regional PMAs:
EUGrid PMA (established May 2004). Former: EUDG WP6 CA Coordination Group (started in 2002)
TAG PMA. Former: DOEGrid PMA (started in 2002)
APGrid PMA (established June 2004). Unofficially started in 2003
Each regional PMA is responsible for coordination of CA policy within the region, and for coordination of CA policy with the other regional PMAs.
Three PMAs are the founders of the International Grid Trust Federation (IGTF).
European Grid PMA
Green: Countries with an accredited CA. 23 of 25 EU member states (all except LU, MT) + AM, CH, IL, IS, NO, PK, RU, TR, “SEE-catch-all”
Other Accredited CAs: DoEGrids (.us), GridCanada (.ca), CERN, ASGCC (.tw)*, IHEP (.cn)*
* Migrated to APGridPMA per Oct 5th, 2005
Slide by courtesy of David Groep (EUGrid PMA chair)
The Americas Grid PMA
CAs: Argentina UNLP, Brazilian Grid CA, CANARIE, DOEGrids, EELA LA Catch all, ESnet/DOE Office Science, FNAL, Mexico UNAM, NCSA, Purdue Univ. TeraGrid, REUNA Chilean CA, TACC, Venezuela, Univ. of Virginia USHER
Relying Parties: Dartmouth HEBCA, EELA, OSG, SDSC, SLCS, TeraGrid, THEGrid
[Figure: each CA marked by its profile class: Classic, SLCS, or Root]
14 CAs, 7 Relying Parties
Asia Pacific Grid PMA
General Policy Management Authority in Asia Pacific: not specific for ApGrid, not specific for PRAGMA…
Launched on June 1st, 2004
Defines minimum CA requirements
APGrid PMA approved that we accept two levels of CA:
Experimental-level CA: alternative to the Globus CA; can be trusted within A-P communities
Production-level CA: strict management is necessary; expected to be trusted by international communities
Two memberships: 13 Ex officio membership, 4 General membership
Members (13 + 4)
9 Accredited CAs
In operation: AIST (Japan), APAC (Australia), ASGCC (Taiwan), CNIC (China), IHEP (China), KEK (Japan), KISTI (Korea), NAREGI (Japan)
Will be in operation: NCHC (Taiwan)
2 CAs under review: NECTEC (Thailand), NGO (Singapore)
1 CA will be ready for review soon: PRAGMA (USA)
Planning: ThaiGrid (Thailand)
General membership: Osaka U. (Japan), U. of Hong Kong (China), U. of Hyderabad (India), U. of Sains Malaysia (Malaysia)
History of IGTF activities
Continuous discussions between AP, EU, and TAG PMA for the International Grid Trust Federation.
GGF12 and EUGrid PMA meeting@Brussels, September 2004
GGF13@Seoul, March 2005
EUGridPMA meeting@Tallinn, May 2005
GGF14@Chicago, June 2005
GGF15@Boston, Oct. 2005: IGTF was officially launched
APGrid PMA F2F meeting@Beijing, Dec. 2005
GGF16@Athens, Feb. 2006
TAGPMA meeting@Rio, March 2006
GGF17@Tokyo, May 2006
EUGridPMA meeting@Budapest, May 2006
TAGPMA@Ottawa, July 2006
GGF18@DC, September 2006
EUGridPMA meeting@Karlsruhe, September 2006
APGridPMA meeting@Osaka, October 2006
Timeline
March 2005: IGTF Draft Federation Document (GGF13)
July 27th: APGridPMA approved version 0.7
September 28th: EUGridPMA approved version 0.9
October 5th: TAGPMA approved version 1.0
October 5th: formal foundation of the IGTF
Slide by courtesy of David Groep (EUGrid PMA chair)
Agenda
• IGTF Logo and style – Tony Genovese, LBNL/ESnet
• Updates from regional PMAs (5”)
– APGrid PMA (Yoshio)
– EUGrid PMA (David)
– TAGPMA (Darcy)
• Authentication Profiles
– Member Integrated Credential Services AP (Tony) (10”)
– Classic AP Updates (David) (10”)
– Root Certificate AP (Yoshio) (5”)
• Profile change process (Yoshio) (5”)
• Business issues (Yoshio) (5”)
– Review of the mailing list
– Distribution frequency
• AOB
Scope of the APGrid PMA
Manage the PMA membership
Define charter and minimum CA requirements
Publish related documents
Maintain and revise the documents
Accredit authorities with respect to the minimum CA requirements
Coordinate auditing and re-certification of accredited authorities
Monitor member CA signing namespaces
Operate a secure collection point for information about accredited CAs
Be primarily concerned with Grid communities in Asia Pacific, and their external partners
APGrid PMA membership
General membership: Osaka U., U. HongKong, U. Hyderabad, USM. No voting rights, no obligation.
Ex officio membership: AIST, APAC, ASGCC, CNIC/SDG, IHEP, KEK, KISTI, NAREGI, NCHC, NECTEC, NGO, SDSC, Thai Grid. Voting right, and obligation to vote.
APGrid PMA responsibilities
CP/CPS: Responsible for supporting and auditing the development and maintenance of the CP/CPS for CAs in Asia Pacific.
Other documents: Charter, Minimum CA requirements, Authentication Profiles
APGrid PMA responsibilities (cont’d)
Accreditation Procedures
1. A prospective authority requests the PMA to be approved as a production-level CA.
2. The prospective authority sends the CP/CPS and the other related documents to the PMA.
3. The chair will ask two PMA members to review the CP/CPS in detail. All the other PMA members must review the CP/CPS as well.
4. If the first version has obvious inconsistencies, the chair may defer appointing the referees until the appropriate changes have been implemented.
5. After sufficient iteration the CP/CPS is considered ready for presentation at the meeting.
6. At the meeting, it should be presented in person to the PMA.
7. Based on the comments by the assigned reviewers and the discussion in the meeting, the prospective authority may either be approved immediately by the PMA, or this may be deferred until the recommended changes are implemented.
APGrid PMA responsibilities (cont’d)
Audit: APGrid PMA is doing external auditing. This is a unique activity, but the other two PMAs are interested in auditing.
Operation: Every CA must be responsible for its operation. The PMA is NOT an operation unit but a policy management authority.
Obligation: All PMA members are understood to represent the best interest of their national/regional communities and are expected to participate actively in the activities of the PMA.
General Architecture of the IGTF
Member PMAs are responsible for accrediting authorities.
The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers.
Each AP is assigned by the IGTF to a specific member PMA:
Classic AP (EUGrid PMA)
Short Lived Credential Services (SLCS) AP (TAGPMA)
Member Integrated Credential Services (MICS) AP (TAGPMA)
General Architecture of the IGTF (cont’d)
Proposed changes to an AP will be circulated to all chairs of the IGTF member PMAs.
All of the PMA chairs, after approval by their PMA, are required to endorse the proposed changes before the modified AP will come into effect.
Example: EUGridPMA proposed to change the Classic AP and approved the change at their last meeting. APGrid PMA will review the proposed new Classic AP at this meeting.
General Architecture of the IGTF (cont’d)
Authorities accredited by a PMA are always subject to the policies and practices of a specific AP as decided by the accrediting PMA.
Any changes to the policy and practices of an authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.
Requirements for accredited authorities
Maintain at least one contact mechanism which must allow for un-moderated access to report problems and faults regarding the authority by the relying parties and general public.
This point of contact shall be made known to the accrediting PMA and the IGTF for subsequent re-publishing.
Must disclose to the accrediting PMA and to the general public its documented policies and practices.
Implementation of the federation
Each PMA maintains information on all accredited CAs: root certificate, CRL Distribution Point, point of contact, signing policy file, pointer to the CP/CPS.
Information from all PMAs is packed into a single tarball/RPM and distributed as an IGTF CA distribution.
No hierarchies. All accredited CAs are included in a flat structure. Once you are accredited by the APGrid PMA, you will be an IGTF-accredited CA.
IGTF CA distribution is released every three weeks. David Groep will notify all member CAs of the plan for the new release and ask for reports of any updates. Distribution frequency is flexible.
The information is stored in the CVS repository maintained by the EUGrid PMA. Yoshio, Mason, and Darcy have accounts on the CVS server. If you have modified your CA cert, etc., please let me know.
IGTF CA distribution is available from the EUGrid PMA web site and the APGrid PMA web site. APGrid PMA is planning to mirror the CVS server as well.
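The signing policy file shipped per CA in the distribution is what lets a relying party (and the PMA, under its "monitor member CA signing namespaces" duty) detect a CA issuing outside its accredited namespace. The following checker is an added example, not code from the slides or from the IGTF; the CA name, namespace and issued-certificate records are constructed, and it assumes the Globus-style signing_policy layout with fnmatch-like glob semantics for cond_subjects.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the Globus/EDG signing_policy layout that the IGTF
# distribution ships per CA (assumption: CA name and namespace are made up).
SAMPLE_SIGNING_POLICY = """\
# constructed example, not a real accredited CA
access_id_CA      X509         '/C=XX/O=ExampleGrid/CN=Example Grid CA'
pos_rights        globus        CA:sign
cond_subjects     globus       '"/C=XX/O=ExampleGrid/OU=Users/*" "/C=XX/O=ExampleGrid/OU=Hosts/*"'
"""

# Constructed (issuer DN, subject DN) records, as a namespace monitor would
# extract them from issued certificates or the CA's archived logs.
SAMPLE_ISSUED = [
    ("/C=XX/O=ExampleGrid/CN=Example Grid CA", "/C=XX/O=ExampleGrid/OU=Users/CN=Alice"),
    ("/C=XX/O=ExampleGrid/CN=Example Grid CA", "/C=XX/O=ExampleGrid/OU=Hosts/CN=host.example.org"),
    ("/C=XX/O=ExampleGrid/CN=Example Grid CA", "/C=YY/O=OtherGrid/CN=Mallory"),
    ("/C=XX/O=ExampleGrid/CN=Rogue Sub CA", "/C=XX/O=ExampleGrid/OU=Users/CN=Bob"),
]


def parse_signing_policy(text):
    """Return (ca_dn, [namespace globs]) from a signing_policy file body."""
    ca_dn, globs = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)  # key, authority type, quoted value
        if len(fields) != 3:
            raise ValueError("malformed signing_policy line: %r" % line)
        key, _, value = fields
        if key == "access_id_CA":
            ca_dn = value.strip().strip("'")
        elif key == "cond_subjects":
            # value is a single-quoted list of double-quoted DN globs
            globs.extend(re.findall(r'"([^"]*)"', value))
    if ca_dn is None or not globs:
        raise ValueError("policy lacks access_id_CA or cond_subjects")
    return ca_dn, globs


def check_namespace(policy_text, issued):
    """Return the records signed outside the accredited namespace: issuer is
    not the accredited CA DN, or the subject matches no cond_subjects glob
    (assumption: fnmatch-style, case-sensitive glob matching)."""
    ca_dn, globs = parse_signing_policy(policy_text)
    violations = []
    for issuer, subject in issued:
        if issuer != ca_dn or not any(fnmatchcase(subject, g) for g in globs):
            violations.append((issuer, subject))
    return violations


if __name__ == "__main__":
    for issuer, subject in check_namespace(SAMPLE_SIGNING_POLICY, SAMPLE_ISSUED):
        print("outside accredited namespace:", subject, "issued by", issuer)
```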
Implementation of the federation (cont’d)
IGTF maintains an ML for announcements.
IGTF: [email protected]
APGrid PMA: [email protected]
Other PMA lists: [email protected]; [email protected]
Appendix: Issues to be considered for operating authorities
Read authentication profile and minimum CA requirements carefully.
Design your CA (some of the issues need to be considered):
Applicability of issued certificates
CA/RA responsibilities
Identity validation process of end entities
Implementation: structure of CA (online or offline?), structure of RAs network, secure communication of RAs and CA, web repository, archived logs
Properties of CA, user, host and service certificates and private keys: certificate DNs, certificate extensions
Appendix: Issues to be considered for operating authorities (cont’d)
Draft CP/CPS
Implement and operate the CA
MUST COMPLY with the CP/CPS
Auditor is especially interested in:
How the lifecycle of certificates is kept secure: how a CSR is sent to RA/CA; identity vetting (F2F); how the RA communicates with the CA; how the CA signing machine is securely administered (hardware, operation, CA private key); how the issued certificate will be sent to the end entity.
Are archived logs enough to trace anything if something goes wrong?
Summary
You are a member of the APGrid PMA as well as the IGTF.
You have responsibility for being a member of the APGrid PMA and the IGTF.
Your CA must be appropriately operated and comply with the CP/CPS.
PMA was developed based on a grass-roots approach, but it has become a globally-recognized organization.
Your contribution is necessary for further development of PMA and IGTF.