INFSO-RI-508833 Enabling Grids for E-sciencE JRA3 2nd EU Review Input David Groep NIKHEF.

Posted 15-Jan-2016 (Documents)

Page 1: Title slide

INFSO-RI-508833, Enabling Grids for E-sciencE, www.eu-egee.org

JRA3 2nd EU Review Input

David Groep, NIKHEF

Page 2: EUGridPMA Authentication Federation

JRA3 EU Review Input DavidG December 7th 2005

• Federation consists of many independent CAs
  – Common minimum requirements
  – Defined and ‘strong’ acceptance process
  – “reasonable” trust level, as required by relying parties
  – no ‘hierarchical top’ to make formal guarantees

• Membership
  – 34 Identity providers (national and regional CAs)
  – 6 Relying parties (large projects like EGEE, DEISA, SEE-GRID, OSG, LCG) and TERENA

Figure: federation diagram showing CA 1, CA 2, CA 3 … CA n bound by the charter, guidelines and acceptance process, with relying party 1 … relying party n on the other side.

Page 3: The EUGridPMA

• Virtually complete coverage of Europe; accreditation for EGEE, DEISA, SEE-GRID, LCG, OSG, …

• Actively fostered and supported by JRA3

Figure (map): green marks the countries and regions covered by a national CA in the EUGridPMA.

Page 4: Policy Evaluation Framework

• Policy evaluation based on Authentication Profiles
  – Authorities demonstrate compliance with these guidelines
  – Peer-review process within the federation to (re-)evaluate members both on entry and periodically
  – Codified in the Accreditation Guidelines policy since 2004
  – Demonstrated in practice in ~10 new accreditations since

• Benefits
  – Reduces effort on the relying parties: a single document to review and assess, applicable to all providers
  – Reduces cost on the identity providers: no audit statement by certified accountants is needed, but participation in the federation does come with a price

• Ultimate decision always remains with the administrative owners (relying parties)

Page 5: Authentication Profiles

Three main Authentication Profiles (the requirement sets), common not only for Europe but also for the Asia Pacific and the Americas:

• Certification authorities with secured infrastructure
  – Highly trusted by all current grid projects
  – Leverages national structures effectively

• Short-lived credential services
  – Leverage existing local site mechanisms
  – New profile to be pioneered in the Americas, but far from stable and not yet exposed to many relying parties

• Experimental Service
  – Jumpstart new national and regional CAs via a pilot service
  – Successful model in the Asia Pacific region

Page 6: Extending Trust: the IGTF

• common, global best practices for trust establishment
• better manageability and response of the PMAs

Figure: the regional PMAs alongside the EUGridPMA: TAGPMA and APGridPMA.

Page 7: IGTF Structure

• Each PMA can accredit authorities according to any of the valid authentication profiles (classic secured PKI, short-lived credential services, experimental)

• Common standards

• Coordinated naming (every name within the IGTF is unique)

• Common accreditation process

• Three chairs collectively represent the IGTF (the formal IGTF chair rotates yearly)

• First IGTF Chair is from Europe …
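To make the federation model of the last few slides concrete, here is an added Python sketch (not EGEE or IGTF code; the registry entries, profile labels and the relying-party policy are constructed assumptions): each PMA accredits CAs under one of the three profiles, the coordinated-naming rule is checked across all PMAs, and a relying party keeps the ultimate decision by building its own trust-anchor set from the profiles it chooses to accept.

```python
from collections import Counter

# Constructed accreditation registry (hypothetical entries, not the real
# IGTF distribution): each CA is accredited by one PMA under one profile.
CLASSIC, SLCS, EXPERIMENTAL = "classic", "slcs", "experimental"
REGISTRY = [
    {"pma": "EUGridPMA", "name": "ExampleNationalCA", "profile": CLASSIC,
     "subject": "/C=XX/O=Example/CN=Example National CA"},
    {"pma": "TAGPMA", "name": "ExampleSiteSLCS", "profile": SLCS,
     "subject": "/C=YY/O=ExampleSite/CN=Example SLCS"},
    {"pma": "APGridPMA", "name": "PilotCA", "profile": EXPERIMENTAL,
     "subject": "/C=ZZ/O=Pilot/CN=Pilot CA"},
]


def check_unique_names(registry):
    """Coordinated naming: every CA name and every CA subject DN must be
    unique across the whole IGTF, not just within one PMA.
    Returns the list of duplicated values (empty list means OK)."""
    names = Counter(e["name"] for e in registry)
    subjects = Counter(e["subject"] for e in registry)
    return [v for v, n in list(names.items()) + list(subjects.items()) if n > 1]


def build_trust_anchors(registry, accepted_profiles):
    """Relying-party policy: accept only CAs accredited under the profiles
    this relying party lists, whichever PMA did the accreditation.
    A registry with colliding names is refused outright, because a name
    collision would let one CA's identities be mistaken for another's."""
    dups = check_unique_names(registry)
    if dups:
        raise ValueError(f"name collision in federation registry: {dups}")
    return sorted(e["name"] for e in registry if e["profile"] in accepted_profiles)


if __name__ == "__main__":
    # A conservative relying party that trusts only classic CAs.
    print(build_trust_anchors(REGISTRY, {CLASSIC}))
    # One that also accepts short-lived credential services.
    print(build_trust_anchors(REGISTRY, {CLASSIC, SLCS}))
```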

Page 8: IGTF, GGF and TACAR

• The IGTF, GGF (the CAOPS-WG) and TERENA work together to establish the global trust fabric

Page 9: Towards common AAI in Europe

A Common Authentication and Authorization Infrastructure

• described in the e-IRG Authorization Roadmap section
• collaboration with developments like eduroam™ via TERENA fora
• the single sign-on vision
• the authentication bridges, the authorization framework and on-demand user attribute discovery all work towards this goal

Imagine being on a wireless mobile network while visiting abroad, deciding to look up the data from the latest experiment a colleague in your Virtual Organization did, and running a simulation to explore alternate scenarios, all that while using your credentials (password, smartcard) only once!

Page 10: SAC slides to follow

Page 11: Site Access Control ingredients

Figure: site access control ingredients, layered into global issues, service business logic and site access control. Items: User policies; VO policies; Establishing Trusted Third Parties; Key storage; MyProxy; System account creation; worker node to head node communications; Access control to individual files; Router port filtering; DDoS protection. Columns: Identities & Certificates; Site policy actions & policy decisions; virtualization & system accounts; connectivity provisioning; logging/auditing.

Page 12: Virtualization and System Accounts

• JRA3 ingredients: LCAS, LCMAPS, glexec
• Aim is the fully interoperable job submission chain: GT4, CondorC/BLAHP, GT Work Space Service
• Components are part of the gLite 1.5 release