
DataGrid WP 6/CA CA Trust Matrices

Mar 21, 2016


DataGrid WP 6/CA CA Trust Matrices. Trinity College Dublin (TCD), Brian Coghlan. Edinburgh, JUL-2002. EU DataGrid Project; Main Partners: CERN (Switzerland), ESA/ESRIN (Italy), CNRS (France), PPARC (UK), NIKHEF (Netherlands), INFN (Italy); Industrial Partners: Datamat (Italy), IBM-UK (UK). PowerPoint (PPT) presentation.
Transcript
Page 1: DataGrid WP 6/CA CA Trust Matrices

DataGrid WP6/CA

CA Trust Matrices

Trinity College Dublin (TCD), Brian Coghlan

Edinburgh JUL-2002

Page 2: EU DataGrid Project

Edinburgh JUL-2002 DataGrid WP6/CA

Research and Academic Institutes
• CESNET (Czech Republic)
• Commissariat à l'énergie atomique (CEA) – France
• Computer and Automation Research Institute, Hungarian Academy of Sciences (MTA SZTAKI)
• Consiglio Nazionale delle Ricerche (Italy)
• Helsinki Institute of Physics – Finland
• Institut de Fisica d'Altes Energies (IFAE) – Spain
• Istituto Trentino di Cultura (IRST) – Italy
• Konrad-Zuse-Zentrum für Informationstechnik Berlin – Germany
• Royal Netherlands Meteorological Institute (KNMI)
• Ruprecht-Karls-Universität Heidelberg – Germany
• Stichting Academisch Rekencentrum Amsterdam (SARA) – Netherlands
• Swedish Research Council – Sweden

Industrial Partners
• Datamat (Italy)
• IBM-UK (UK)
• CS-SI (France)

Main Partners
• CERN (Switzerland)
• ESA/ESRIN (Italy)
• CNRS (France)
• PPARC (UK)
• NIKHEF (Netherlands)
• INFN (Italy)

Page 3: EU CrossGrid Project

• 21 Partners
  • led by Cyfronet (Poland)

• 11 Countries
  • Poland
  • Netherlands
  • Germany
  • Spain
  • Italy
  • Portugal
  • Greece
  • Austria
  • Slovakia
  • Cyprus
  • Ireland

Page 4: DataGrid: security

• No single work package (security is everywhere!)

• 3 sub-groups: Authentication, Authorisation, & Co-ordination
  • Chaired by Dave Kelsey, RAL

• Now based on Globus GSI
  • authentication using PKI (X.509 certificates)
  • authorization via DataGrid tools

• Trying not to mix Authentication and Authorisation

• Documents:
  • Security Requirements and first implementation (D7.5)
  • Security Design and 2nd implementation (Jan 2003)

Page 5: DataGrid: authentication

• Grids involve N-way contexts
  • Thus each party is worried about all the others
  • Back at the CA, each CA wants to evaluate the other CA
    • EITHER that they meet the CA's minimum standard
    • OR that they meet an agreed common standard

• EDG focus is on common standard

• This results in a Trust Matrix

Page 6: DataGrid: authentication

• involves cross-domain authentication between Grid projects

• now 13 approved National Certificate Authorities
  • includes Registration Authorities – check identity
  • CNRS (France) acts as "catch-all" CA with RA mechanism to suit

• USA (DOE) is a member of the CA group and trust matrix

• CrossGrid CAs are currently joining CA group and trust matrix

Page 7: Matrix of Trust

(slide shows the matrix of trust between CAs)

Page 8: Matrix of trust

• How to establish the trust?
  • CA managers check each other against agreed list of minimum requirements
  • currently require inspection of each CA's CPS by each other CA
  • software being developed to aid this process

• CP/CPS important

• audit of CA procedures will help
  • none done yet
  • use 3rd party?

• GGF GridCP and CA-Operations WGs considered important

Page 9: Matrix of trust

• Scaling problems
  • how many CAs can we cope with [soon ~20]?
  • the process is very manual
  • personal contacts are fundamental

• WANT TO MAKE EVALUATION MORE AUTOMATIC

• software being developed to aid this process

• based on evaluation of the CA Feature Matrix

Page 10: DataGrid: CA Feature Matrix

(slide shows the CA Feature Matrix)

Page 11: Basic Concepts

• Issues:
  • postulate: (condition) → (issue)
  • e.g. (BasicConstraints_value ne 'CA') → (major issue)

• Grading:
  • i.e. assign an issue a weight

• Constraint:
  • issues of a certain class should be constrained to that class
  • e.g. many minor issues do not make a major issue

• Aggregation:
  • aggregate graded issues in a measure of 'severity'
  • e.g. (severity @ major) = aggregate(graded major issues), limit = 1.0

Page 12: Currently [JUL-2002]

• per class: (severity @ class) = aggregate(graded class issues), limit = 1.0

• max_severity: (severity) for most critical class with issues

• postulate: acceptance_level = T_acceptance – (max_severity)

• where: T_acceptance == (worst-case max_severity)

• e.g. assume: T_acceptance = 3.0

• therefore: max_severity = [0.0 .. 3.0]

• and: acceptance_level = [3.0 .. 0.0]

• This is the WORKING BASIS for manual evaluation

Page 13: Auto-evaluation

• move to extract issues automatically

• from what?
  • initially from Feature Matrix
  • later from CA certs & CRLs?

Page 14: Extraction from Feature Matrix

• since: (condition) → (graded issue)

• then must define condition per feature {rules}

• e.g.: (name eq 'NIL') → (graded issue)

• thus: if (name eq 'NIL') → (graded issue) == (coefficient @ class)

• per class: (severity) == aggregate(graded issues), limit = 1.0

• EDG can define its common rule set

• each CA could define its own overrides to the rule set

• ultimately each VO could define its own rule set
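The rule-based extraction, per-class grading and aggregation, max_severity and acceptance_level steps of pages 11 to 14, worked through as an added Python example (not code from the slides or the DataGrid project). It assumes three issue classes ranked minor < major < critical, a capped sum as the aggregation, a rank-band placement for max_severity that yields the [0.0 .. 3.0] range with T_acceptance = 3.0, and illustrative feature names, weights and feature-matrix rows.

```python
from typing import Callable

# Constructed illustration of the slides' grading/constraint/aggregation scheme.
# Assumed (not on the slides): three classes ranked minor < major < critical;
# per-class severity = sum of issue weights capped at the slide's limit of 1.0;
# max_severity = class rank + that class's severity, giving the [0.0 .. 3.0]
# range and T_acceptance = 3.0 quoted on the 'Currently' slide.
T_ACCEPTANCE = 3.0
CLASS_RANK = {"minor": 0, "major": 1, "critical": 2}

# Rule = (feature name, condition on its value, issue class, weight), where the
# weight is the slide's "(coefficient @ class)". Feature names are illustrative.
Rule = tuple[str, Callable[[str], bool], str, float]
EDG_COMMON_RULES: list[Rule] = [
    ("BasicConstraints", lambda v: v != "CA", "critical", 1.0),  # slide example
    ("CPS", lambda v: v == "NIL", "major", 0.5),                 # (name eq 'NIL')
    ("CRL_URL", lambda v: v == "NIL", "major", 0.5),
    ("KeyLength", lambda v: v == "NIL" or int(v) < 1024, "major", 0.5),
    ("Audit", lambda v: v == "NIL", "minor", 0.3),
    ("Contact", lambda v: v == "NIL", "minor", 0.3),
]

def extract_issues(features: dict[str, str], rules: list[Rule]):
    """Apply every rule to one CA's feature-matrix row; a missing feature is 'NIL'."""
    return [(f, cls, w) for f, cond, cls, w in rules if cond(features.get(f, "NIL"))]

def severity_per_class(issues) -> dict[str, float]:
    """Aggregate graded issues within their own class only, limit = 1.0 per class."""
    sev = {c: 0.0 for c in CLASS_RANK}
    for _, cls, w in issues:
        sev[cls] = min(1.0, sev[cls] + w)  # many minors never reach the major band
    return sev

def max_severity(sev: dict[str, float]) -> float:
    """Severity of the most critical class with issues, placed in its rank band."""
    worst = max((c for c, s in sev.items() if s > 0), key=CLASS_RANK.get, default=None)
    return 0.0 if worst is None else CLASS_RANK[worst] + sev[worst]

def acceptance_level(features, rules=EDG_COMMON_RULES, overrides=()):
    """acceptance_level = T_acceptance - max_severity. A per-CA override replaces
    the common rule for the same feature (the slide's 'overrides to the rule set')."""
    replaced = {r[0] for r in overrides}
    merged = [r for r in rules if r[0] not in replaced] + list(overrides)
    return round(T_ACCEPTANCE - max_severity(severity_per_class(extract_issues(features, merged))), 2)

# Constructed feature-matrix rows (not real CA data).
CA_GOOD = {"BasicConstraints": "CA", "CPS": "https://ca.example/cps", "CRL_URL": "https://ca.example/crl",
           "KeyLength": "2048", "Audit": "NIL", "Contact": "NIL"}
CA_NO_CPS = {**CA_GOOD, "CPS": "NIL", "Contact": "ops@ca.example"}
CA_BAD = {"BasicConstraints": "end-entity"}
```

Calling acceptance_level on CA_GOOD, CA_NO_CPS and CA_BAD gives 2.4, 1.5 and 0.0 respectively; a CA override that regrades the CPS rule as a minor issue lifts CA_NO_CPS to 2.5.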

Page 15: THE END

Acceptance/Feature Matrices