EGI-InSPIRE Policy Issues for Identity Management (and other attributes)
EGI Technical Forum (Sep 2010), NRENs & Grids workshop
David Kelsey
15 Sep 2010, EGI-InSPIRE RI-261323, Kelsey/Policy for Identity Management, www.egi.eu

Outline
- Identity Management for Grids
- The Grid security model: history
- The PMA approach
- (Some) lessons learned
- Recent developments
- How can Grids and NRENs/Federations work together?

The Grid security model
- Started to build an X.509 PKI in 2001: the only feasible solution at the time
- EU DataGrid, CrossGrid, LCG, EGEE, USA, Asia, ...
- Single electronic ID to be used everywhere: all Grids, all VOs (needs trust)
- Single registration at the VO (independent of authentication)
- Single login (per session)
- Requires (identity) delegation
- AuthZ attributes come from a VO authority
- Shared security policies (JSPG -> EGI SPG)

The PMA model
- Policy Management Authority
- Started as the CA Coordination Group (2001-03), already global in scope
- EUGridPMA started in 2004
- International Grid Trust Federation (IGTF), Oct 2005: 3 PMAs (EU, Asia and Americas)

- Minimum standards for operating a CA, and for the various Registration Authorities
- Peer review (accreditation) by other CA operators
- PMAs include Relying Parties (an important aspect)
- Regular self-audit and peer review

Geographical coverage of the EUGridPMA
- 25 of 27 EU member states (all except LU, MT)
- + AM, CH, HR, IL, IR, IS, MA, ME, MK, NO, PK, RO, RS, RU, TR, UA, SEE-GRID
- + CERN (int), DoEGrids (US)*
- Pending or in progress: SY, ZA, SN
(slide by David Groep, OGF28 CAOPS/IGTF, Mar 2010)

TAGPMA membership
- ANSP (Brazil), NRC (Canada), ESnet (DOEGrids) (USA), EELA (International), Fermi National Accelerator Laboratory (USA), HEBCA/USHER/Dartmouth College (USA), IBDS (ANSP) (Brazil), WLCG (International), NCSA (USA), NCSA CILogon, NERSC (USA), NICS UT/ORNL (USA), NIH Dorian (USA), Open Science Grid (International), Purdue University (USA), REUNA (Chile), San Diego Supercomputer Center (USA), SENAMHI (Peru), TACC (USA), TeraGrid (PSC) (USA), Texas High Energy Grid (USA), University of Virginia (USA), UFF (Brazil), ULA (Venezuela), UNAM (Mexico), UNIANDES (Colombia), UNLP (Argentina)
- Legend (the status of each member was colour-coded on the slide): IGTF accredited CA operators; CA accreditation in progress; interested in accreditation; relying party

APGridPMA members (15 + 1)
- 15 accredited CAs: AIST (JP), APAC (AU), ASGC (TW), CNIC (CN), SDG, IGCA (IN), IHEP (CN), KEK (JP), KISTI (KR), NAREGI (JP), NCHC (TW), NECTEC (TH), NGO/Netrust (SG), PRAGMA-UCSD (US), HKU (HK)
- Mongolia: under accreditation
- Coverage by RAs: Philippines, Vietnam, Malaysia, Indonesia, New Zealand & Sri Lanka (soon)
- CA: 9 countries; RA: +6 countries; new: +1 country

(Some) lessons learned
- Grids were multi-national right from the start, and had to meet the needs of many communities
- Impossible to agree on a single root CA
- Which level of assurance should we aim for? Had to satisfy e.g. Life Sciences
- Decided on one level, with face-to-face identity vetting with photo ID (like NIST 800-63 level 2)
- No way we could use bilateral contracts between IdPs and relying parties
- Trust must come from the IGTF and the Grid security policies

Recent work
- Scale up by building on other identity management systems
- Does not make sense to duplicate work done by others
- Identity is best managed by the home institute
- Member Integrated Credential Services and Short-Lived Credential Services issue Grid certificates on the basis of other well-managed IdPs: Kerberos, Active Directory, academic federations, ...

Policy issues: federations
- E.g. the new TERENA eScience Personal Certificate Service issues Grid certificates on the basis of membership of a national federation
- IGTF can no longer audit all identity vetting processes and RAs
- We need to be sure that the Level of Assurance is as expected
- Addressed by contract: TERENA/NREN/institute

Other attributes?
- Identity is best managed by the home institute
- Authorisation attributes (VO groups, roles, rights, ...) must be managed by the appropriate application community (VRC)
- Attributes need to come from multiple authorities and then should be merged
- All-round trust is needed
- Standards are needed for AuthZ attributes too (work started)
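The merge rule behind the "Other attributes?" slide, as an added example that is not code from the slides, EGI or any IGTF member: a relying party combines a home-institute identity assertion with authorisation assertions from several VOs, accepting each attribute only from the authority that is authoritative for that class of attribute, and recording every rejection. The issuer names, attribute names, trust table and sample assertions are constructed for illustration; in a deployment the issuer would be the verified signer of a SAML assertion or VOMS attribute certificate rather than a string in the message.

```python
"""Added example: merging identity and authorisation attributes from
multiple authorities, accepting each only from the authority that is
authoritative for it. Not code from the slides, EGI or IGTF; all names,
the trust table and the sample assertions below are constructed."""
from dataclasses import dataclass, field

# Constructed trust table: which attribute class each authority may assert.
# In a deployment the issuer would be the verified signer of the assertion
# (SAML IdP, VOMS server), not a plain string taken from the message.
TRUST = {
    "idp:uni.example": {"identity"},    # home institute manages identity
    "vo:lifesci.example": {"authz"},    # application community manages AuthZ
    "vo:hep.example": {"authz"},        # a second VO the user belongs to
}

IDENTITY_ATTRS = {"name", "email", "affiliation"}  # single-valued
AUTHZ_ATTRS = {"groups", "roles"}                  # multi-valued, union over VOs


@dataclass
class Assertion:
    issuer: str
    subject: str
    attributes: dict


@dataclass
class MergeResult:
    subject: str
    attributes: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)  # (issuer, attribute, reason)


def attribute_class(name):
    if name in IDENTITY_ATTRS:
        return "identity"
    if name in AUTHZ_ATTRS:
        return "authz"
    return None


def merge_attributes(subject, assertions):
    """Merge assertions about `subject`; every rejection is recorded so the
    relying party can log which authority overstepped its remit."""
    result = MergeResult(subject)
    for a in assertions:
        allowed = TRUST.get(a.issuer)
        for name, value in a.attributes.items():
            cls = attribute_class(name)
            if a.subject != subject:
                result.rejected.append((a.issuer, name, "subject mismatch"))
            elif allowed is None:
                result.rejected.append((a.issuer, name, "untrusted issuer"))
            elif cls is None:
                result.rejected.append((a.issuer, name, "unknown attribute"))
            elif cls not in allowed:
                result.rejected.append((a.issuer, name, "issuer not authoritative"))
            elif cls == "identity":
                current = result.attributes.get(name)
                if current is not None and current != value:
                    result.rejected.append((a.issuer, name, "conflict"))
                else:
                    result.attributes[name] = value
            else:
                # AuthZ values are qualified by the asserting VO so that
                # "admin" in one VO is never confused with "admin" in another.
                bucket = result.attributes.setdefault(name, set())
                bucket.update(f"{a.issuer}:{v}" for v in value)
    return result


def sample_assertions():
    """Constructed sample input: one IdP, two VOs, one rogue issuer, and an
    assertion about a different subject."""
    return [
        Assertion("idp:uni.example", "alice", {
            "name": "Alice Example", "email": "alice@uni.example",
            "affiliation": "staff",
            "roles": ["vo-admin"],          # IdP is not authoritative for roles
        }),
        Assertion("vo:lifesci.example", "alice", {
            "groups": ["/lifesci/bio"], "roles": ["user"],
            "affiliation": "member",        # VO is not authoritative for identity
        }),
        Assertion("vo:hep.example", "alice", {
            "groups": ["/hep/atlas"], "roles": ["user", "production"],
        }),
        Assertion("vo:rogue.example", "alice", {"roles": ["admin"]}),
        Assertion("vo:hep.example", "bob", {"roles": ["admin"]}),
    ]


def demo():
    return merge_attributes("alice", sample_assertions())


if __name__ == "__main__":
    r = demo()
    for k, v in sorted(r.attributes.items()):
        print(f"{k}: {sorted(v) if isinstance(v, set) else v}")
    for issuer, name, reason in r.rejected:
        print(f"rejected {name} from {issuer}: {reason}")
```

The trust table is the "all-round trust" the slide asks for, made explicit: the IdP's attempt to assert a role and the VO's attempt to assert an affiliation are both dropped, an unaccredited issuer contributes nothing, and two VOs' group and role sets are unioned without collapsing same-named roles from different VOs. A second identity assertion that disagrees with the first is rejected as a conflict rather than silently overwriting the earlier value.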

NRENs & Grids? (or: academic federations and Grids)
Some personal thoughts:
- We should encourage more Grid participation in the Federations' activities (e.g. REFEDS)
- Co-location of meetings in Prague, May 2011
- We could jointly work on best practices for Registration Authorities (identity management)
- More work also required in:
  - LoA: should IGTF align with NIST 800-63?
  - merging attributes
  - audit procedures

Questions?

Links
- EUGridPMA: http://www.eugridpma.org/
- IGTF: http://www.igtf.net/
- REFEDS: http://refeds.terena.org/
- EGI SPG: https://wiki.egi.eu/wiki/SPG
