Credentials for Global High Performance/Grid Computing Research Community
Scott Rea
iTrust Forum, NIH, Bethesda, MD, Dec 10, 2009
2Scott Rea – [email protected]
Global Research Community
– The international research community is deploying large-scale distributed computing grids on a production scale, across organizations, countries, and even continents, for the advancement of science and engineering. E.g.:
– The Large Hadron Collider near Geneva
– Pittsburgh Supercomputing Center
– Lawrence Berkeley National Laboratory
– TeraGrid
– Open Science Grid
– UK eScience Grid
– …
– In shaping this common grid infrastructure, many of these grids rely on common practices, policies and procedures to reliably identify grid subscribers and resources.
– The International Grid Trust Federation was established to address this issue of common identity & authentication practices.
International Grid Trust Federation
• IGTF founded in Oct, 2005 at GGF 15
• IGTF Purpose:
– Manage authentication services for global computational grids via policy and procedures
• IGTF goal:
– harmonize and synchronize member PMAs’ policies to establish and maintain global trust relationships
• IGTF members:
– 3 regional Policy Management Authorities
• EUgridPMA
• APgridPMA
• TAGPMA
• ~100 CAs, 75,000+ credentials
IGTF – the International Grid Trust Federation
graphic: IGTF provides common, global best practices for trust establishment and better manageability and coordination of the PMAs; member PMAs: The Americas Grid PMA, Asia Pacific Grid PMA, European Grid PMA
Grid characteristics
Some things that may make current edu-grids a bit ‘special’ compared to other distributed (computing) efforts:
• inherently federated (multiple organisations involved)
• collaboration of individuals from different organisations
– most of the scientific grid communities today consist of people literally ‘scattered’ over many home organisations … internationally
• delegation – programs and services acting on your behalf – is an integral part of the architecture
– unattended operation
– resource brokering
– integrating compute, data access, databases in the same task
• ... resulted in early design choice for end-user PKI ...
Virtual vs. Organic structure
• Virtual communities (“virtual organizations”) are many
• An individual will typically be part of many communities
– has different roles in different VOs (distinct from organizational role)
– all at the same time, at the same set of resources
– but will require single sign-on across all these communities
graphic: OGSA Architecture 1.0, OGF GFD-I.030
Trust relationships
• For the VO model to work, parties need a trust relationship
– the alternative: every user needs to register at every resource
– need to provide a ‘sign-on’ for the user that works across VOs
graphic from: Frank Siebenlist, Argonne Natl. Lab, Globus Alliance – a Virtual Organization spanning Domain A (Sub-Domain A1, Server X, Server Y) and Domain B (Sub-Domain B1, Task), each domain with its own Org. Certification Authority and Policy Authority; Federated Certification Authorities and an AuthZ Federation Service support the Secure Connection across the domains
Separating responsibilities
• Single Authentication token (“passport”)
– key issue: provide a persistent, trusted identifier
– issued by a party trusted by all
– recognised by many resource providers, users, and VOs
– satisfies traceability and persistency requirements
– in itself does not grant any access, but provides a unique binding between an identifier and the subject
• Per-VO Authorisations (“visa”)
– granted to a person/service via a virtual organisation
– based on the identifier
– acknowledged by the resource owners
– today largely role-based access control
• but providers can also obtain lists of authorised users per VO
– can still ban individual users
– most of the real liability and responsibility goes here
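The passport/visa split above is easiest to see as an access decision with three separate inputs. The following is an added illustration, not code from the slides or from any IGTF software: the CA names, subject DNs, VO names, roles and site policy are all constructed for the example. The passport only authenticates (it must come from an accredited issuer); the visa carries per-VO roles bound to the passport's identifier; the resource provider applies its own per-VO policy and can still ban an individual regardless of what any VO granted.

```python
"""Added example (not from the slides): a toy model of the passport/visa
separation. Passport = CA-issued persistent identifier (authentication only);
visa = per-VO roles issued against that identifier; the resource provider
decides access from its own per-VO policy and ban list.
All names and sample data below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Passport:
    """Persistent identifier bound to a subject by an accredited CA.
    It authenticates the subject; by itself it grants no access."""
    subject_dn: str
    issuer_dn: str


@dataclass(frozen=True)
class Visa:
    """Per-VO authorisation, bound to the passport's identifier (subject_dn)."""
    subject_dn: str
    vo: str
    roles: frozenset


@dataclass
class ResourceProvider:
    accredited_issuers: set                 # CAs accepted (collective acceptance of the federation)
    vo_policy: dict                         # vo -> set of roles this resource admits
    banned_subjects: set = field(default_factory=set)   # provider can still ban individuals

    def authorise(self, passport, visas):
        """Return (allowed, reason). Order mirrors the slide: authentication
        first, then the provider's own ban list, then VO authorisation."""
        if passport.issuer_dn not in self.accredited_issuers:
            return False, "issuer not accredited"
        if passport.subject_dn in self.banned_subjects:
            return False, "subject banned by this provider"
        for visa in visas:
            if visa.subject_dn != passport.subject_dn:
                continue                    # visa is not bound to this identifier
            granted = visa.roles & self.vo_policy.get(visa.vo, set())
            if granted:
                return True, f"{visa.vo}:{min(granted)}"
        return False, "no VO visa grants access here"


# --- constructed sample data (hypothetical CAs, subjects and VOs) ---
CA_A = "/DC=org/DC=example-grid/CN=Example Grid CA"   # accredited by the federation
CA_X = "/CN=Project Test CA"                          # grass-roots CA, not accredited
ALICE = Passport("/DC=org/DC=example-grid/O=Lab/CN=Alice", CA_A)
BOB = Passport("/DC=org/DC=example-grid/O=Lab/CN=Bob", CA_A)
CAROL = Passport("/O=Project/CN=Carol", CA_X)
DAVE = Passport("/DC=org/DC=example-grid/O=Lab/CN=Dave", CA_A)

# Visas issued by the VOs against the passport identifiers.
VISAS = [
    Visa(ALICE.subject_dn, "atlas", frozenset({"production"})),
    Visa(ALICE.subject_dn, "cms", frozenset({"user"})),
    Visa(BOB.subject_dn, "atlas", frozenset({"user"})),
    Visa(CAROL.subject_dn, "atlas", frozenset({"production"})),
    Visa(DAVE.subject_dn, "cms", frozenset({"user"})),
]

# One site's local policy: which VO roles it admits, plus its own ban list.
SITE = ResourceProvider(
    accredited_issuers={CA_A},
    vo_policy={"atlas": {"production", "user"}, "cms": {"production"}},
    banned_subjects={BOB.subject_dn},
)


def decide(provider, passport):
    """Authorise `passport` at `provider` using every visa on record."""
    return provider.authorise(passport, VISAS)


if __name__ == "__main__":
    for p in (ALICE, BOB, CAROL, DAVE):
        print(p.subject_dn, "->", decide(SITE, p))
```

Carol holds a perfectly good VO visa but is refused before it is even read, because her passport comes from a CA the site does not accept; Bob is refused by the site's own ban list even though his VO vouches for him; Dave authenticates fine but no VO role he holds is admitted at this site.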
Authentication model
Design and implementation choices made with the emergence of production-oriented grids in 2000: the urgent need and focus was on providing cross-national trust, initially in the context of the EU FP5 ‘DataGrid’ and ‘CrossGrid’ projects.
• National PKI
– in general, uptake of 1999/93/EC and e-Identification is slow
– where available, a national PKI could be leveraged
• Various commercial providers
– main commercial drive: secure web servers based on PKI
– Entrust, GlobalSign, Thawte, Comodo, Verisign, SwissSign, QuoVadis, …
– primary market is server authentication, not end-user identities
– use of commercial CAs solves the ‘pop-up’ problem ... so for (web) servers a pop-up free service is actually needed!
• Grass-roots CAs
– usually project specific, and without any documented policies
– unsuitable for the ‘production’ infrastructure envisioned in 2000
A Federation Model for Grid Authentication
• A Federation of many independent CAs
– Policy coordination based on common minimum requirements (not ‘policy harmonisation’)
– Acceptable for major relying parties in Grid Infrastructures
• No strict hierarchy with a single top
– leverage of national efforts and subsidiarity
– Allow incorporation of many pre-existing CAs
graphic: CA 1, CA 2, CA 3 … CA n bound by a charter, guidelines and an acceptance process; relying party 1 … relying party n accept the federation as a whole
Building the CA federation
• Providers and Relying Parties together shaped the common minimum requirements
– Authorities compliant with minimum requirements (profile)
– Peer-review process within the federation to (re)evaluate members on entry & periodically
– Reduce effort on the relying parties
• single document to review and assess for all Authorities
• collective acceptance of all accredited authorities
– Reduce cost on the authorities
• but participation in the federation comes with a price
• … the ultimate decision always remains with the RP
‘Reasonable procedure … acceptable methods’
• Defined assurance level based on minimum requirements
• CP/CPS for “acceptable and trustworthy” Grid CAs

Minimum requirements for RA - Testbed 1
---------------------------------------
An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate, e.g. by personal contact or some other rigorous method. The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP.

Communication between RA and CA
-------------------------------
Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with known person

Minimum requirements for CA - Testbed 1
---------------------------------------
The issuing machine must be:
  a dedicated machine located in a secure environment
  be managed in an appropriately secure way by a trained person
  the private key (and copies) should be locked in a safe or other secure place
  the private key must be encrypted with a pass phrase having at least 15 characters
  the pass phrase must only be known by the Certificate issuer(s)
  not be connected to any network
minimum length of user private keys must be 1024
min length of CA private key must be 2048
requests for machine certificates must be signed by personal certificates or verified by other appropriate means
...
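The Testbed-1 minimum requirements quoted above are the kind of CP/CPS content a peer reviewer has to assess by hand. As an added example (not from the slides, and not an IGTF or EDG tool or format), the block below codifies those requirements as a small rule table and checks two constructed CA operating-environment descriptions against it: one compliant, and one resembling the ‘grass-roots’ CA the earlier slide describes. The configuration field names are an assumption made for this example.

```python
"""Added example (not from the slides): an automated check of a CA operating
environment against the Testbed-1 minimum requirements quoted above.
The configuration dict format, its field names and both sample configurations
are constructed for illustration; they are not an IGTF or EDG format."""

# Minimum values exactly as stated in the Testbed-1 requirements.
MIN_PASSPHRASE_CHARS = 15
MIN_USER_KEY_BITS = 1024
MIN_CA_KEY_BITS = 2048

# Each rule: (requirement text, predicate over the configuration dict).
RULES = [
    ("issuing machine is dedicated",
     lambda c: c["dedicated_machine"]),
    ("issuing machine is not connected to any network",
     lambda c: not c["network_connected"]),
    ("issuing machine is managed by a trained person",
     lambda c: c["trained_operator"]),
    ("CA private key and copies are locked in a safe",
     lambda c: c["key_in_safe"]),
    ("CA private key is encrypted with a pass phrase of >= %d characters" % MIN_PASSPHRASE_CHARS,
     lambda c: c["passphrase_chars"] >= MIN_PASSPHRASE_CHARS),
    ("pass phrase known only to the certificate issuer(s)",
     lambda c: c["passphrase_holders"] <= c["issuers"]),
    ("CA key length >= %d bits" % MIN_CA_KEY_BITS,
     lambda c: c["ca_key_bits"] >= MIN_CA_KEY_BITS),
    ("issued user key length >= %d bits" % MIN_USER_KEY_BITS,
     lambda c: min(c["user_key_bits"]) >= MIN_USER_KEY_BITS),
    ("machine certificate requests signed by a personal certificate or otherwise verified",
     lambda c: c["machine_requests_verified"]),
]


def check_ca(config):
    """Return the list of requirement texts that `config` fails (empty = compliant)."""
    return [text for text, ok in RULES if not ok(config)]


# Constructed sample: a CA environment that meets every requirement.
COMPLIANT_CA = {
    "dedicated_machine": True,
    "network_connected": False,
    "trained_operator": True,
    "key_in_safe": True,
    "passphrase_chars": 20,
    "passphrase_holders": {"issuer-a", "issuer-b"},
    "issuers": {"issuer-a", "issuer-b"},
    "ca_key_bits": 2048,
    "user_key_bits": [1024, 2048],      # key sizes seen in issued user certificates
    "machine_requests_verified": True,
}

# Constructed sample: a project-specific CA with several weak settings.
WEAK_CA = dict(
    COMPLIANT_CA,
    network_connected=True,              # signing host on the network
    passphrase_chars=8,                  # short pass phrase
    passphrase_holders={"issuer-a", "sysadmin"},   # shared with a non-issuer
    ca_key_bits=1024,                    # CA key below the 2048-bit minimum
    user_key_bits=[512, 1024],           # some 512-bit user keys issued
)

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CA), ("weak", WEAK_CA)):
        print(name, "->", check_ca(cfg) or "meets minimum requirements")
```

The rule table is the part worth keeping: adding a requirement means adding one row, and the list returned by `check_ca` reads directly as the findings a referee would raise in the peer-review step described later in the deck.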
March 2003: The Tokyo Accord
Coordination with similar efforts in the rest of the world
• … meet at GGF conferences. …
• … work on … Grid Policy Management Authority: GRIDPMA.org
• develop Minimum requirements – based on EDG work
• develop a Grid Policy Management Authority Charter
• [with] representatives from major Grid PMAs:
– European Data Grid and Cross Grid PMA: 16 countries, 19 organizations
– NCSA Alliance
– Grid Canada
– DOEGrids PMA
– NASA Information Power Grid
– TERENA
– Asian Pacific PMA: AIST, Japan; SDSC, USA; KISTI, Korea; BII, Singapore; Kasetsart Univ., Thailand; CAS, China
2005: IGTF – the International Grid Trust Federation
graphic: IGTF provides common, global best practices for trust establishment and better manageability and coordination of the PMAs; member PMAs: The Americas Grid PMA, Asia Pacific Grid PMA, European Grid PMA
New CAs: the Accreditation Process
Accreditation Guidelines for IGTF PMAs – basic elements:
• Codification of procedures in a CP(S) for each CA
– de facto lots of copy/paste, except for vetting sections
• Peer-review process for evaluation
– comments welcomed from all PMA members
– two assigned referees
• In-person appearance during a review meeting
• Accreditation after remaining issues are addressed (by e-mail)
Discussions remain important, as not all details are codified!
• Accreditation model for each PMA typically embedded in their charter …
• Periodic re-appearance and re-discussion are needed
Geographical coverage of the EUGridPMA
23 of 25 EU member states (all except LU, MT) + AM, CH, HR, IL, IR, IS, MA, ME, MK, NO, PK, RO, RS, RU, TR, UA, SEE-GRID + CA, CERN (int), DoEGrids (US)*
Pending or in progress: BY, MD, SY, LV, ZA, SN
Members (16 + 3)
14 Accredited CAs: AIST (JP), APAC (AU), ASGC (TW), CNIC (CN), IGCA (IN), IHEP (CN), KEK (JP), KISTI (KR), NAREGI (JP), NCHC (TW), NECTEC (TH), NGO/Netrust (SG), PRAGMA-UCSD (US), HKU (HK)
Planning: ThaiGrid (TH), Mongolia
General membership: Osaka U. (JP), U. Hyderabad (IN), USM (MY)
Coverage by RAs: Philippines, Vietnam, Malaysia, Indonesia, New Zealand and Sri Lanka (soon)
TAGPMA
• Covers Grid based operations in North, Central, and South America
• Officers
– Chair: Scott Rea (Dartmouth)
– Vice Chair: Roger Impey (CANARIE)
– Secretary: Doug Olson (OSG)
Current TAGPMA Membership
Organization        Country  Representative   Type
UNAM                MX       Ruben Aquino     Classic
ULAGrid             VE       Ale Stolk        Classic
UNLP                AR       Javier Diaz      Classic
CANARIE             CA       Roger Impey      Classic
REUNA               CL       Sandra Jaque     Classic
RNP-UFF             BR       Vinod Rebello    Classic
EELA                BR       Vinod Rebello    Classic
TACC                US       Marg Murray      Classic, MICS
DOEGrids            US       Mike Helm        Classic (EU)
NCSA                US       Jim Basney       SLCS x 2, MICS
NERSC               US       Shreyas Cholia   SLCS
FNAL                US       Irwin Gaines     SLCS
OSG                 US       Doug Olson       Relying Party
TeraGrid            US       Jim Marsteller   Relying Party
LCG                 UK       Dave Kelsey      Relying Party
Dartmouth/HEBCA     US       Scott Rea        Relying Party
THEGrid             US       Alan Sill        Relying Party
UNIANDES            CO       Andres Hoguin    Classic (in-process)
SENAMHI             PE       Richard Miguel   Classic (in-process)
------------------  -------  ---------------  --------------------
ANSP                BR       Sergio Lietti    Classic (proposed)
SDSC                US       Scott Sakai      MICS (proposed)
Current TAGPMA Membership
• 23 Members from North, Central and South America
• Covering Canada, US, Mexico, Venezuela, Chile, Peru, Argentina, Brazil, and Colombia. Two Catchall CAs cover the remaining countries.
– 15 IGTF Accredited CAs
• 9 Classic – TACC (US), UFF BrGrid & UFF LACGrid (Brazil), UNLPGrid (Argentina), REUNA (Chile), ULAGrid (Venezuela), GridCanada, UNAM (Mexico). NOTE: DOE Grid accredited by EUGridPMA
• 4 SLCS (NCSA x 2, FermiLabs, and NERSC – US)
• 2 MICS (NCSA and TACC – US)
– 2 CAs pending accreditation, 2 more proposed & active
• 2 Classic pending (SENAMHI – Peru, UNIANDES – Colombia)
• 1 Classic proposed (ANSP – Br), 1 MICS proposed (SDSC – US)
– 5 Relying Parties (OSG, TeraGrid, THEgrid, LCG, Dartmouth/HEBCA)
• Associate Member (due to inactivity): UVA (Jim Jokl)
Communication Infrastructure
• IGTF Website http://www.igtf.net
• TAGPMA Website http://www.tagpma.org
– Hosts static, public information
– Still undergoing updates
• TAGPMA twiki http(s)://tagpma.es.net/wiki – hosts TAGPMA documents, tutorials etc.
• Mailing list tagpma-general and other IGTF aliases managed by ESnet.
– Email any issues direct to the Chair
Next TAGPMA F2F Meetings
• 11th TAGPMA F2F planned for Lima, Peru – 1st week, May, 2010
• 12th TAGPMA F2F planned for Lubbock, TX – 3-4 October, 2010
• Bi-weekly video conference calls (Wednesdays) to conduct business in the interim
Proposed Inter-federations
graphic: proposed inter-federation through cross-certification among bridges and federations; labels shown: FBCA (CA-1, CA-2 … CA-n), HEBCA (Dartmouth, Wisconsin, Texas, Univ-N, UVA), USHER, DST ACES, SAFE, CertiPath, NIH, HE JP, AusCert CAUDIT PKI, HE BR (each with member CAs CA-1 …), Other Bridges, IGTF, C-4, with cross-certs drawn between them
Mapping Credentials
graphic: mapping of credential assurance levels across FPKI (Rudimentary, Basic, Medium Software CBP, Medium Hardware CBP, High), HEBCA/USHER (Rudimentary, Basic, Medium, High), IGTF profiles (Foundation, Classic CA, Classic Strong, SLCS, MICS) and E-Auth (Level 1, Level 2, Level 3, Level 4), with C-4 also shown