Page 1: Credentials for Global High Performance/Grid Computing Research Community  Scott Rea

Credentials for Global High Performance/Grid Computing Research Community
Scott Rea
iTrust Forum, NIH, Bethesda, MD, Dec 10, 2009

Page 2

Scott Rea – [email protected]

Global Research Community

– The international research community is deploying large scale distributed computing grids on a production scale, across organizations, countries and even continents, for the advancement of science and engineering. Examples:
  • The Large Hadron Collider near Geneva
  • Pittsburgh Supercomputing Center
  • Lawrence Berkeley National Laboratory
  • TeraGrid
  • Open Science Grid
  • UK eScience Grid
  • …

– In shaping this common grid infrastructure, many of these grids are relying on common practices, policies and procedures to reliably identify grid subscribers and resources.

– The International Grid Trust Federation was established to address this issue of common identity & authentication practices

Page 3

International Grid Trust Federation

• IGTF founded in Oct 2005 at GGF 15
• IGTF purpose:
  – Manage authentication services for global computational grids via policy and procedures
• IGTF goal:
  – harmonize and synchronize member PMAs' policies to establish and maintain global trust relationships
• IGTF members:
  – 3 regional Policy Management Authorities
    • EUgridPMA
    • APgridPMA
    • TAGPMA
  – ~100 CAs, 75,000+ credentials

Page 4

IGTF – the International Grid Trust Federation
• common, global best practices for trust establishment
• better manageability and coordination of the PMAs
[Diagram: the three regional PMAs – The Americas Grid PMA, Asia Pacific Grid PMA, European Grid PMA]

Page 5

Grid characteristics

Some things that may make current edu-grids a bit ‘special’ compared to other distributed (computing) efforts:
• inherently federated (multiple organisations involved)
• collaboration of individuals from different organisations
  – most of the scientific grid communities today consist of people literally ‘scattered’ over many home organisations … internationally
• delegation – programs and services acting on your behalf – is an integral part of the architecture
  – unattended operation
  – resource brokering
  – integrating compute, data access, databases in the same task
• … resulted in the early design choice for end-user PKI …

Page 6

Virtual vs. Organic structure

• Virtual communities (“virtual organizations”) are many
• An individual will typically be part of many communities
  – has different roles in different VOs (distinct from organizational role)
  – all at the same time, at the same set of resources
  – but will require single sign-on across all these communities

graphic: OGSA Architecture 1.0, OGF GFD-I.030

Page 7

Trust relationships
• For the VO model to work, parties need a trust relationship
  – the alternative: every user needs to register at every resource
  – need to provide a ‘sign-on’ for the user that works across VOs
[Diagram: Domain A (Sub-Domain A1, Server X, Server Y) and Domain B (Sub-Domain B1), each with its own Org. Certification Authority and Policy Authority; a Task spans both domains over a Secure Connection; a Virtual Organization Domain with an AuthZ Federation Service sits on top of the Federated Certification Authorities]

graphic from: Frank Siebenlist, Argonne Natl. Lab, Globus Alliance

Page 8

Separating responsibilities
• Single Authentication token (“passport”)
  – key issue: provide a persistent, trusted identifier
  – issued by a party trusted by all
  – recognised by many resource providers, users and VOs
  – satisfies the traceability and persistency requirement
  – in itself does not grant any access, but provides a unique binding between an identifier and the subject
• Per-VO Authorisations (“visa”)
  – granted to a person/service via a virtual organisation
  – based on the identifier
  – acknowledged by the resource owners
  – today largely role-based access control
    • but providers can also obtain lists of authorised users per VO
  – can still ban individual users
  – most of the real liability and responsibility goes here

Page 9

Authentication model
Design and implementation choices made with the emergence of production-oriented grids in 2000:
• the urgent need and focus was on providing cross-national trust
• initially in the context of the EU FP5 ‘DataGrid’ and ‘CrossGrid’ projects
Options considered:
• National PKI
  – in general, uptake of 1999/93/EC and e-Identification is slow
  – where available, a national PKI could be leveraged
• Various commercial providers
  – main commercial drive: secure web servers based on PKI
  – Entrust, Global Sign, Thawte, Comodo, Verisign, SwissSign, QuoVadis, …
  – primary market is server authentication, not end-user identities
  – use of commercial CAs solves the browser ‘pop-up’ (untrusted issuer warning) problem
    … so for (web) servers a pop-up free service is actually needed!
• Grass-roots CAs
  – usually project specific, and without any documented policies
  – unsuitable for the ‘production’ infrastructure envisioned in 2000

Page 10

A Federation Model for Grid Authentication
• A federation of many independent CAs
  – policy coordination based on common minimum requirements (not ‘policy harmonisation’)
  – acceptable for major relying parties in Grid infrastructures
• No strict hierarchy with a single top
  – leverage of national efforts and subsidiarity
  – allow incorporation of many pre-existing CAs
[Diagram: CA 1, CA 2, CA 3 … CA n join the federation through its charter, guidelines and acceptance process; relying party 1 … relying party n rely on the federation's accredited set]

Page 11

Building the CA federation
• Providers and Relying Parties together shaped the common minimum requirements
  – Authorities compliant with minimum requirements (profile)
  – Peer-review process within the federation to (re)evaluate members on entry and periodically
  – Reduce effort on the relying parties
    • single document to review and assess for all Authorities
    • collective acceptance of all accredited authorities
  – Reduce cost on the authorities
    • but participation in the federation comes with a price
• … the ultimate decision always remains with the RP

Page 12

‘Reasonable procedure … acceptable methods’
• Defined assurance level based on minimum requirements
• CP/CPS for “acceptable and trustworthy” Grid CAs

Minimum requirements for RA - Testbed 1
---------------------------------------
An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate, e.g. by personal contact or some other rigorous method. The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP.

Communication between RA and CA
-------------------------------
Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with a known person.

Minimum requirements for CA - Testbed 1
---------------------------------------
The issuing machine must:
- be a dedicated machine located in a secure environment
- be managed in an appropriately secure way by a trained person
- keep the private key (and copies) locked in a safe or other secure place
- keep the private key encrypted with a pass phrase having at least 15 characters
- ensure the pass phrase is only known by the certificate issuer(s)
- not be connected to any network
Minimum length of user private keys must be 1024 bits; minimum length of the CA private key must be 2048 bits. Requests for machine certificates must be signed by personal certificates or verified by other appropriate means …
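The passport/visa split of slide 8, the relying party's final veto of slide 11 and the Testbed-1 key-length minimums above together describe one decision procedure. The Python below is an added example, not code from this deck, from IGTF or from any grid middleware: it models a federation of accredited CAs (each with a profile), a relying party policy that chooses which profiles it accepts and which subjects it has banned, and a virtual organisation that maps the persistent identifier (the subject DN) to roles. The profile names follow the deck; the DNs, key sizes, VO name and roles are constructed.

```python
"""Relying-party decision model for a CA federation.

Added example, not code from the deck or from any grid project. It models
the "passport" (a subject DN bound to its holder by a CA the federation has
accredited), the relying party's own policy (accepted profiles, banned
subjects) and the "visa" (roles a virtual organisation grants to that DN).
Profile names, DNs, key sizes and sample data are constructed.
"""
from dataclasses import dataclass

# Testbed-1 minimums quoted on the slide. 1024-bit RSA was the year-2000
# floor for user keys and is not adequate today; kept only to mirror the text.
MIN_USER_KEY_BITS = 1024
MIN_CA_KEY_BITS = 2048

@dataclass(frozen=True)
class AccreditedCA:
    issuer_dn: str
    profile: str   # "Classic", "SLCS" or "MICS", as the deck names them
    key_bits: int  # size of the CA signing key

@dataclass(frozen=True)
class Credential:
    issuer_dn: str
    subject_dn: str
    key_bits: int

@dataclass(frozen=True)
class RelyingPartyPolicy:
    accepted_profiles: frozenset
    banned_subjects: frozenset = frozenset()

class Federation:
    """The accredited-CA distribution a relying party installs, keyed by issuer DN."""
    def __init__(self, cas):
        self._by_issuer = {ca.issuer_dn: ca for ca in cas}

    def lookup(self, issuer_dn):
        return self._by_issuer.get(issuer_dn)

class VirtualOrganization:
    """Maps the persistent identifier to the roles the VO has granted."""
    def __init__(self, name, roles_by_subject):
        self.name = name
        self._roles = {dn: frozenset(r) for dn, r in roles_by_subject.items()}

    def roles_for(self, subject_dn):
        return self._roles.get(subject_dn, frozenset())

def authenticate(federation, policy, cred):
    """Passport check: returns (accepted, reason). Grants no access by itself."""
    ca = federation.lookup(cred.issuer_dn)
    if ca is None:
        return False, "issuer is not an accredited CA"
    if ca.profile not in policy.accepted_profiles:
        return False, "profile %s not accepted by this relying party" % ca.profile
    if ca.key_bits < MIN_CA_KEY_BITS:
        return False, "CA key shorter than %d bits" % MIN_CA_KEY_BITS
    if cred.key_bits < MIN_USER_KEY_BITS:
        return False, "user key shorter than %d bits" % MIN_USER_KEY_BITS
    if cred.subject_dn in policy.banned_subjects:
        return False, "subject banned by this relying party"
    return True, "identity accepted"

def authorize(federation, policy, vo, cred, required_role):
    """Visa check: a valid passport plus the required role in the VO.
    The relying party's veto (profiles, ban list) sits in front of both."""
    ok, reason = authenticate(federation, policy, cred)
    if not ok:
        return False, reason
    if required_role not in vo.roles_for(cred.subject_dn):
        return False, "no %s role in VO %s" % (required_role, vo.name)
    return True, "authorised as %s in VO %s" % (required_role, vo.name)

# Constructed sample data: hypothetical DNs, profiles and VO.
FEDERATION = Federation([
    AccreditedCA("/DC=org/DC=example/CN=Classic CA", "Classic", 2048),
    AccreditedCA("/DC=org/DC=example/CN=Short-Lived CA", "SLCS", 2048),
    AccreditedCA("/DC=org/DC=example/CN=Weak CA", "Classic", 1024),
])
POLICY = RelyingPartyPolicy(frozenset({"Classic"}),
                            frozenset({"/DC=org/DC=example/CN=Mallory"}))
VO = VirtualOrganization("atlas", {
    "/DC=org/DC=example/CN=Alice": {"member", "production"},
    "/DC=org/DC=example/CN=Mallory": {"member"},
})

def decide(issuer_dn, subject_dn, key_bits, role="production"):
    """Run one credential through the relying party; returns (accepted, reason)."""
    return authorize(FEDERATION, POLICY, VO,
                     Credential(issuer_dn, subject_dn, key_bits), role)
```

Note the ordering: Mallory is a VO member, but the relying party's ban is checked during authentication, so the VO's grant never gets a say; a user from an accredited SLCS CA is refused not because the CA is untrustworthy but because this particular relying party chose not to accept that profile, which is the "ultimate decision remains with the RP" point.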

Page 13

March 2003: The Tokyo Accord
Coordination with similar efforts in the rest of the world:
• … meet at GGF conferences …
• … work on … Grid Policy Management Authority: GRIDPMA.org
• develop Minimum requirements – based on EDG work
• develop a Grid Policy Management Authority Charter
• [with] representatives from major Grid PMAs:
  – European Data Grid and Cross Grid PMA: 16 countries, 19 organizations
  – NCSA Alliance
  – Grid Canada
  – DOEGrids PMA
  – NASA Information Power Grid
  – TERENA
  – Asian Pacific PMA: AIST, Japan; SDSC, USA; KISTI, Korea; BII, Singapore; Kasetsart Univ., Thailand; CAS, China

Page 15

New CAs: the Accreditation Process
Accreditation Guidelines for IGTF PMAs – basic elements:
• Codification of procedures in a CP(S) for each CA
  – de facto lots of copy/paste, except for the vetting sections
• Peer-review process for evaluation
  – comments welcomed from all PMA members
  – two assigned referees
• In-person appearance during a review meeting
• Accreditation after remaining issues are addressed (by e-mail)
Discussions remain important, as not all details are codified!
• Accreditation model for each PMA typically embedded in their charter …
• Periodic re-appearance and re-discussion are needed

Page 16

Geographical coverage of the EUGridPMA
23 of 25 EU member states (all except LU, MT) + AM, CH, HR, IL, IR, IS, MA, ME, MK, NO, PK, RO, RS, RU, TR, UA, SEE-GRID + CA, CERN (int), DoEGrids (US)*
Pending or in progress: BY, MD, SY, LV, ZA, SN

Page 17

History

Page 18

Asia Pacific Grid PMA: Members (16 + 3), 14 Accredited CAs
AIST (JP), APAC (AU), ASGC (TW), CNIC (CN), IGCA (IN), IHEP (CN), KEK (JP), KISTI (KR), NAREGI (JP), NCHC (TW), NECTEC (TH), NGO/Netrust (SG), PRAGMA-UCSD (US), HKU (HK)
Planning: ThaiGrid (TH), Mongolia
General membership: Osaka U. (JP), U. Hyderabad (IN), USM (MY)
Coverage by RAs: Philippines, Vietnam, Malaysia, Indonesia, New Zealand and Sri Lanka (soon)

Page 19

TAGPMA
• Covers Grid based operations in North, Central, and South America
• Officers
  – Chair: Scott Rea (Dartmouth)
  – Vice Chair: Roger Impey (CANARIE)
  – Secretary: Doug Olson (OSG)

Page 20

Current TAGPMA Membership

Organization       Country  Representative     Type
UNAM               MX       Ruben Aquino       Classic
ULAGrid            VE       Ale Stolk          Classic
UNLP               AR       Javier Diaz        Classic
CANARIE            CA       Roger Impey        Classic
REUNA              CL       Sandra Jaque       Classic
RNP-UFF            BR       Vinod Rebello      Classic
EELA               BR       Vinod Rebello      Classic
TACC               US       Marg Murray        Classic, MICS
DOEGrids           US       Mike Helm          Classic (EU)
NCSA               US       Jim Basney         SLCS x 2, MICS
NERSC              US       Shreyas Cholia     SLCS
FNAL               US       Irwin Gaines       SLCS
OSG                US       Doug Olson         Relying Party
TeraGrid           US       Jim Marsteller     Relying Party
LCG                UK       Dave Kelsey        Relying Party
Dartmouth/HEBCA    US       Scott Rea          Relying Party
THEGrid            US       Alan Sill          Relying Party
UNIANDES           CO       Andres Hoguin      Classic (in-process)
SENAMHI            PE       Richard Miguel     Classic (in-process)
-------------------------------------------------------------------
ANSP               BR       Sergio Lietti      Classic (proposed)
SDSC               US       Scott Sakai        MICS (proposed)

Page 21

Current TAGPMA Membership
• 23 Members from North, Central and South America
• Covering Canada, US, Mexico, Venezuela, Chile, Peru, Argentina, Brazil, and Colombia. Two Catchall CAs cover the remaining countries.
  – 15 IGTF Accredited CAs
    • 9 Classic – TACC (US), UFF BrGrid & UFF LACGrid (Brazil), UNLPGrid (Argentina), REUNA (Chile), ULAGrid (Venezuela), GridCanada, UNAM (Mexico)
      – NOTE: DOEGrids accredited by EUGridPMA
    • 4 SLCS (NCSA x 2, Fermilab, and NERSC – US)
    • 2 MICS (NCSA and TACC – US)
  – 2 CAs pending accreditation, 2 more proposed & active
    • 2 Classic pending (SENAMHI – Peru, UNIANDES – Colombia)
    • 1 Classic proposed (ANSP – Br), 1 MICS proposed (SDSC – US)
  – 5 Relying Parties (OSG, TeraGrid, THEgrid, LCG, Dartmouth/HEBCA)
• Associate Member (due to inactivity)
  – UVA (Jim Jokl)

Page 22

Communication Infrastructure
• IGTF Website: http://www.igtf.net
• TAGPMA Website: http://www.tagpma.org
  – Hosts static, public information
  – Still undergoing updates
• TAGPMA twiki: http(s)://tagpma.es.net/wiki – hosts TAGPMA documents, tutorials etc.
• Mailing list tagpma-general and other IGTF aliases managed by ESnet
  – Email any issues direct to the Chair ([email protected])

Page 23

Next TAGPMA F2F Meetings
• 11th TAGPMA F2F planned for Lima, Peru – 1st week of May 2010
• 12th TAGPMA F2F planned for Lubbock, TX – 3-4 October 2010
• Bi-weekly video conference calls (Wednesdays) to conduct business in the interim

Page 25

Proposed Inter-federations
[Diagram: IGTF linked by cross-certs to a set of PKI bridges and their member CAs – FBCA (CA-1, CA-2 … CA-n), HEBCA (Dartmouth, Wisconsin, Texas, Univ-N, UVA, USHER), DST ACES, SAFE/CertiPath, NIH, a Japanese higher-education PKI (HE JP: CA-1 … CA-4), AusCert/CAUDIT PKI (CA-1 … CA-3), a Brazilian higher-education PKI (HE BR), and other bridges]

Page 26

Mapping Credentials
[Diagram: assurance levels of the four frameworks laid side by side – FPKI: High, Medium Hardware CBP, Medium Software CBP, Basic, Rudimentary; HEBCA/USHER: High, Medium, Basic, Rudimentary, Foundation; IGTF: Classic Strong, Classic CA, SLCS, MICS; E-Auth: Level 1, Level 2, Level 3, Level 4]

Page 27

• Questions?

• Thanks
