Establishing Identity in EGI


Page 1: Establishing Identity in EGI

www.egi.eu EGI-InSPIRE RI-261323

Establishing Identity in EGI

the authentication trust fabric of the IGTF and EUGridPMA

David Groep, FOM-Nikhef and NL-NGI for EGI global task O-E-15. This work is supported by EGI-InSPIRE under NA2.

Page 2: Establishing Identity in EGI


Roles of authentication

EUGridPMA and IGTF – the International Grid Trust Federation – are about authentication, i.e. establishing identity.

Why do you need to establish identity?
• Access control to resources and services
• Incident management and auditing
• Accounting, auditing, &c.

Here we focus on authenticating individuals:
• natural persons, hosts, services, software agents

2010-11-25 Establishing identity in EGI 2

Page 3: Establishing Identity in EGI

Access Control Points

Authentication
• each person has a globally unique name
• only identification
• persons may have more than one ID

Authorization
• based on the unique AuthN ID
• grants or denies access
• several control points:
– VO: must be a member of the community; only work within the common AUP
– site: has a list of VOs + a ban list

Page 4: Establishing Identity in EGI


Coordinating identity: the trust fabric

• Guaranteed uniqueness, authenticity and compliance with technical requirements for identity need coordination
– these guidelines constitute a (technical) policy
– the group responsible for setting and verifying these is thus a Policy Management Authority (‘PMA’)
• needs to work across many grids (across NGIs, EGI, OSG, LCG, DEISA/PRACE, TeraGrid, ...)
– user communities span multiple infrastructures
– so the coordination needs to be global as well

Page 5: Establishing Identity in EGI


The EUGridPMA

The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body
• to establish requirements and best practices for grid identity providers
• to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources.

The EUGridPMA itself does not provide identity assertions, but instead asserts that - within the scope of its charter – the assertions issued by the Accredited Authorities meet or exceed the relevant guidelines.


https://www.eugridpma.org/

Page 6: Establishing Identity in EGI


EUGridPMA organisation

• Established April 1st 2004 by founding members
– national identity authorities from the EU DataGrid and CrossGrid CA Coordination Group
– EGEE, DEISA, SEE-GRID, TERENA as relying parties
• Today 46 members
– 5 cross-national relying parties (EGI, DEISA, OSG, TERENA, wLCG)
– 41 identity authorities (“CAs”)

https://www.eugridpma.org/members/

Page 7: Establishing Identity in EGI


EUGridPMA Activities

• Establishing Authentication Guidelines
– technical policies defining minimum requirements that authorities must meet or exceed
– matches the level of assurance (LoA) needed for the authorization decisions by the relying parties (resource centres, data owners, ...)
• Reviewing compliance of new authorities with respect to these guidelines
• Periodic peer-reviewed re-assessments
• Provide a technical source of ‘trust anchors’ for accredited authorities
– categorised by LoA, verification via TERENA TACAR

https://www.eugridpma.org/guidelines/

Page 8: Establishing Identity in EGI


Global coordination

• International Grid Trust Federation – IGTF

• Three ‘regionals’ EUGridPMA, APGridPMA, TAGPMA

• Strongly coordinated: accrediting to common standards


http://www.igtf.net/

Page 9: Establishing Identity in EGI


Implementing the Acceptable CAs

• EGI policy on Approved Authorities: all IGTF Authorities compliant with the defined assurance level
• Grid participants in EGI are supposed to install all approved trust anchors
– in as far as allowed by site, organisational, national policies
– site, organisational, national policy takes precedence
– report deviations to the EGI Security Officer as per the general Grid Security Policy
• Grid participants may install other trust anchors
– e.g. authorities for site or national training purposes
– local authorities or local translators (e.g. SARoNGS)

https://documents.egi.eu/document/83

Page 10: Establishing Identity in EGI


EGI ‘CA distribution’

• EGI policy supported by technical infrastructure: the ‘ca-policy-egi-core’ package
– provided as a convenience service for sites/NGIs
– originated in EUDataGrid/LCG/EGEE as ‘lcg-CA’
– collection of trust anchor certificate files & metadata
– a re-distribution of the IGTF trust anchors
– packaged as RedHat Package Manager (RPM)
– provided, for as long as needed by the NGIs, via support (0.05 FTE) by EGI-InSPIRE under SA1
– but several sites and NGIs already build their own...

Page 11: Establishing Identity in EGI


Trust & AuthN implications

• Both adding trust anchors locally and sub-setting trust anchors is compliant with standing EGI policy today
– when sub-setting: report to the security officer, since it leads to unmanaged exceptions in infra operations
– breaks intra- and inter-grid interoperability, so both the site and its users have to deal with the consequences
• The effect of sub-setting trust anchors may not be what you would expect, due to
– jointness policy requirements for multi-grid affiliates
– constituencies & scopes of identity providers in the IGTF and underlying academic federations
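The control points of the Access Control Points slide and the sub-setting effect described here, as an added Python example that is not part of the presentation: a toy policy evaluator over constructed users, CAs and VOs (no real certificates are parsed), which shows that dropping one trust anchor fails authentication for every user of that CA before any VO or site decision is reached.

```python
# Added example, not from the slides: a toy model of the control points
# (AuthN, VO membership, site VO list, site ban list) and of what
# sub-setting the installed trust anchors does.  All names are constructed.
from dataclasses import dataclass, field

@dataclass
class Site:
    """A resource centre: its installed trust anchors and its AuthZ lists."""
    trust_anchors: set                           # issuer names of installed CAs
    allowed_vos: set                             # VOs the site agreed to serve
    ban_list: set = field(default_factory=set)   # banned unique AuthN IDs

# Constructed users: globally unique AuthN ID -> (issuing CA, VO memberships)
USERS = {
    "/DC=org/DC=ca-one/CN=Alice": ("ca-one", {"biomed"}),
    "/DC=org/DC=ca-two/CN=Bob":   ("ca-two", {"biomed", "atlas"}),
    "/DC=org/DC=ca-two/CN=Carol": ("ca-two", {"atlas"}),
}

def authenticate(subject: str, site: Site) -> bool:
    """Authentication only: was the ID asserted by a CA this site trusts?
    A True here grants no access rights by itself."""
    issuer, _ = USERS[subject]
    return issuer in site.trust_anchors

def decide(subject: str, vo: str, site: Site) -> str:
    """Evaluate the control points in order and name the one that decided."""
    if not authenticate(subject, site):
        return "deny:authn"          # CA not among the installed trust anchors
    _, vos = USERS[subject]
    if vo not in vos:
        return "deny:vo-membership"  # the VO has not admitted this identity
    if vo not in site.allowed_vos:
        return "deny:site-vo-list"   # the site does not support this VO
    if subject in site.ban_list:
        return "deny:site-ban-list"
    return "grant"

def subset_effect(site: Site, dropped_ca: str, vo: str) -> dict:
    """Outcome per user before and after dropping one trust anchor: the
    change hits every user of that CA, regardless of VO or ban status."""
    reduced = Site(site.trust_anchors - {dropped_ca}, site.allowed_vos, site.ban_list)
    return {s: (decide(s, vo, site), decide(s, vo, reduced)) for s in USERS}

if __name__ == "__main__":
    site = Site({"ca-one", "ca-two"}, {"biomed"}, ban_list={"/DC=org/DC=ca-two/CN=Bob"})
    for user, (before, after) in subset_effect(site, "ca-two", "biomed").items():
        print(f"{user}: {before} -> {after}")
```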

Page 12: Establishing Identity in EGI


Summary

• Authentication
– basis for granting and denying access by VOs and resource centres
– does not grant any access rights in or by itself
– allows incident response & auditing of ‘undesired access attempts’
• EUGridPMA and IGTF provide
– a global authentication trust fabric across infrastructures,
– according to scoped technical security policies,
– based on many autonomous authentication authorities
• Standing EGI security policies leverage the IGTF
– acknowledges site and national policy primacy
– and sub-setting the endorsed set is unlikely to have the expected effect

Page 13: Establishing Identity in EGI


Discussion
