Summary from CA coordination and Security working group meeting WP4 workshop 2001.06.07...

Page 1: Summary from CA coordination and Security working group meeting WP4 workshop 2001.06.07 davidg@nikhef.nl.

Summary from CA coordination and Security working group meeting

WP4 workshop 2001.06.07

davidg@nikhef.nl

David Groep – CA and DG security wg – 2001.06.07 - 2

Security related meetings summary

Certification Authorities coordination

Organizationally a working group of WP6

Coordinates efforts for certification in various countries

Gives guidance to new CAs now setting up

Sets minimum standards for trustworthy CAs

DataGrid Security coordination meeting

Interested individuals concerned with security in the DataGrid at large

Forum for security architecture discussions

Coordination of security efforts within the WP’s

Certification Authorities

Currently 8 Certification Authorities:

CERN (Pietro Martucci)

INFN (Roberto Cecchini)

DutchGrid/NIKHEF (David Groep)

UKHEP (Andrew Sansum)

CNRS datagrid-fr (Jean-Luc Archimbaud)

LIP (Jorge Gomes)

CESnet (Milan Sova and Daniel Kouril)

Spain is preparing, Russia will start preparing

Certification minimal requirements

Minimal requirements for certification authorities defined

Non-networked machine

Documented Certification Policy and Practice Statement (CP/CPS)

Traceability of CPS in effect at time of signing (using OIDs)

CRL issuing required, lifetime between 7 and 30 days

Relying parties should retrieve CRL preferably every day

There will be no on-site auditing; we will crosscheck each other’s CP/CPS

Entities should generate own key pairs (CA must not know!)

Activity on recommending best-practice Grid CP/CPS in GGF (DataGrid has no manpower to get heavily involved)

Drafted a list of recommended cert extensions

Certification Authorities in a Fabric

None of the national CAs is prepared to issue host certificates to all hosts in a farm

OK to apply for gatekeeper certs for LSF masters and such

OK also for test bed 1 hosts with fork job manager

WP4 has already a possible solution: FLIDS

Automatic CRL retrieval: use the GetCerts package from cron; soon to be included in the WP6 distribution, now available from the DutchGrid CA site http://certificate.nikhef.nl/
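The CRL rules from the minimal-requirements slide (lifetime between 7 and 30 days, daily retrieval by relying parties) and the cron-driven retrieval above can be checked mechanically on the relying-party side. The following is an added example, not part of the original slides or of the GetCerts package: it reads thisUpdate/nextUpdate from a DER-encoded CRL and lists rule violations. The names `check_crl` and `sample_crl` and the test CRL are constructed for illustration, and verification of the CRL signature against the CA certificate is assumed to happen separately.

```python
from datetime import datetime, timedelta, timezone

def read(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year; RFC 5280 pivots at 50
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Extract (thisUpdate, nextUpdate) from a DER-encoded CertificateList."""
    _, tbs, _ = read(read(der, 0)[1], 0)  # CertificateList -> TBSCertList
    pos, times = 0, []
    while pos < len(tbs) and len(times) < 2:
        tag, body, pos = read(tbs, pos)
        if tag in (0x17, 0x18):  # UTCTime or GeneralizedTime
            times.append(parse_time(tag, body))
    if len(times) < 2:
        raise ValueError("CRL carries no nextUpdate, lifetime cannot be checked")
    return times[0], times[1]

def check_crl(der, fetched_at, now):
    """Return the list of violations of the CRL rules above (empty = compliant)."""
    this_upd, next_upd = crl_validity(der)
    problems = []
    if not timedelta(days=7) <= next_upd - this_upd <= timedelta(days=30):
        problems.append("lifetime outside 7-30 days")
    if now > next_upd:
        problems.append("CRL expired")
    if now - fetched_at > timedelta(days=1):
        problems.append("local copy older than one day")
    return problems

def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, enough for the sample

def sample_crl(this_upd, next_upd):
    """Constructed, unsigned CRL with a dummy issuer and signature (test input only)."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, b"Example CA"))))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + name + tlv(0x17, this_upd) + tlv(0x17, next_upd))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 17))
```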

Certification Authorities, Administrative

A ca-coordination mailing list is being set up by Dave Kelsey

List can be used for incident reporting

See also http://marianne.in2p3.fr/datagrid/ca/ca.html

Detailed notes can be found at http://www.nikhef.nl/~davidg/grid/

DataGrid Security working group

DG Security-wg aims

Identify security requirements and deliverables within the WPs

Implications of security on the DataGrid architecture (urgent)

Identify lacking resources

Self-organisation

Extensive discussions planned for Lecce with Steve Tuecke

Security per Work Package (1)

WP1

Will be managing the users’ identities

Jobs will probably run with the identity of the original user

The applications don’t care, as long as:

Roles can be assigned to users and

Quota can be associated with roles

A user can have multiple roles (in different sessions), but only one cert

WP2

Same issue with ownership of replicated files. Not resolved yet.

Security per Work Package (2)

WP3

Will start using MDS-2 in PM9

Will have added GSI security, but does not use LDAP access rights

No sub tree or element access control, just grid mapfile

Only just started thinking about security issues for >PM9

WP4

Presented use case of job submission, GjMS, LCAS, LCMAPS & FLIDS

For grid info services use WP3 framework

“GridGate” should be relabelled “NAT box”

No security comments on install-a-fresh-box use case

Security per Work Package (3)

WP5

Will store files by uid/gid

Will need a grid mapfile

May be different from the one used by ComputeElement

YAGM: Yet Another Grid Mapfile

WP7

Interesting: they have three security deliverables and some committed manpower (PPARC 18 pm/3y, CERN 12 pm/3y, INFN & CNRS also)

No-one in WP7 cares about security at large

Only competent in network-layer security, so work might be done under ATF umbrella, formally staying in WP7

Once and for all: VPNs are a bad thing. The effort for the VPN test bed is going into a document to prove VPNs are useless

DoS attacks will be the real issue in network security

Security per Work Package (4)

WP8,10 (applications)

Want less fuss with national CAs (150 countries in LHC!) sorry!

Want single sign-on: one identity and multiple roles (1 role per session)

Authorization by VO, VO decides on quota and groups

Requirements common to all applications justify a common solution (CAS)

Applications want to keep local site in control, but

Local sites should publish their policies (abstracted) to show they are complying with the agreed MoUs

Want a good USERS GUIDE

WP10 has a lot of sensitive data, encryption preferred on application level

“anonymous ftp” like areas, but restricted to “any biologist”

Policy language

Obvious candidate is the work of the IRTF AAAARCH group

Generic policy language currently an IRTF draft

http://iridal.phys.uu.nl/~aaaarch/doc08/

Or http://www.aaaarch.org/

Interaction between CE and SE

Details: ATF (Germán)

Some consensus seems to be:

Use GridFTP for remote and local access to a SE

Applications are prepared to refrain from local file system access (not use open(2))

Except for some scratch storage like /tmp

Legacy applications should pre-declare their files

To prevent rogue applications, the binaries may be signed

The receiving end should verify the signature

Users can make no assumptions about a local identity anywhere (gsi-ssh)

Firewall issues

Current state on port numbers used is unclear

Especially for return ports and user dynamic ports

Nice to have all future access use predefined static ports,

Providing secure gateways into the local fabric

Like the WP4 proposal

To be able to selectively block malicious access

User mapping management for PM9

INFN: LDAP directory of users and groups generates a gridmapfile

URL not yet defined

Manchester: gridmapdir patch http://www.hep.grid.ac.uk/gridmapdir/

Possibly included in new Globus release by default

Uid issues: most systems do 4 billion uids, but Linux ≤ 2.2.x only 64K?

Future of the security working group

Dave Kelsey will propose a somewhat more formal body to the PTB

Should be driven by 3 named persons, to come from the three sites with committed effort (PPARC, INFN, CNRS)

Lot of others should review documents and/or write a few pages for the architecture

Framework for architecture given by DaveK

Requirements by September/October

Final Security architecture deliverable is in PM12

Detailed notes at http://www.nikhef.nl/~davidg/grid/