[gin] [Pgi-wg] Genesis II Security - Trust Anchor(s)
Etienne URBAH
urbah at lal.in2p3.fr
Thu Oct 7 20:04:27 CDT 2010
Alan, Duane and Andrew,
Concerning Cloud / Grid Security,
Lots of thanks to Alan SILL for the link
http://indico.rnp.br/conferenceDisplay.py?confId=85 to the Symposium on
Authentication Technologies held at Texas Tech University on 04 October
2010.
I have read the presentations, and I hope to have understood most of them.
In particular, I have been most interested in the following 2
presentations:
- InCommon
http://indico.rnp.br/getFile.py/access?contribId=4&sessionId=2&resId=0&materialId=slides&confId=85
- CILogon
http://indico.rnp.br/getFile.py/access?contribId=1&sessionId=2&resId=0&materialId=slides&confId=85
As far as I understand:
- The trust anchors are:
- InCommon for SSL and personal certificates
- IGTF for X509 certificates
- Shibboleth permits converting the campus identity of a user into
standard SAML assertions,
- InCommon permits converting these SAML assertions into an InCommon
Silver-grade certificate, which is directly accepted across all InCommon
participants,
- CILogon (probably as MICS) permits converting an InCommon
Silver-grade certificate to an X.509 certificate, which will be accepted
by all Grid infrastructures trusting IGTF once CILogon obtains
accreditation by TAGPMA.
Can Alan confirm?
If fully implemented, the above security setup would immediately provide
realistic answers to the questions I asked in the mail below
to the Genesis II team of University of Virginia.
Can the Genesis II team confirm?
Thank you in advance for your answers.
Best regards.
-----------------------------------------------------
Etienne URBAH LAL, Univ Paris-Sud, IN2P3/CNRS
Bat 200 91898 ORSAY France
Tel: +33 1 64 46 84 87 Skype: etienne.urbah
Mob: +33 6 22 30 53 27 mailto:urbah at lal.in2p3.fr
-----------------------------------------------------
On Tue, 21/09/2010 21:07, Etienne URBAH wrote:
> Duane and Andrew,
>
> I have carefully read the document 'Genesis-II Security Implementation'
> at http://forge.gridforum.org/sf/go/doc15435?nav=1
>
> Basic interoperation between different grid infrastructures requires
> establishing mutual trust and common processes.
>
> Currently, Security Policies for EGI are proposed by EGI SPG 'Security
> Policy Group' at https://wiki.egi.eu/wiki/SPG
> In particular, 'Approval of Certification Authorities' at
> https://documents.egi.eu/public/ShowDocument?docid=83 defines that the
> Trust Anchor is IGTF http://www.igtf.net/
>
> In order to permit basic interoperation between EGI and infrastructures
> using Genesis II, members of EGI SPG need to have precise information on
> Trust Anchor and Security Process used by grid infrastructures using
> Genesis II.
>
> Referring to your above mentioned 'Genesis-II Security Implementation'
> document:
>
> 1.1.2 Resource Identity
> ------------------------
> - The document states 'All Genesis II grid resources are given X.509
> identities' and the 4th entry of a 'typical certificate chain of trust'
> is a 'global Certificate Authority (CA) "trusted" by all grid
> participants'.
> - Please explain precisely this "trust" process:
> If this process does not use IGTF as unique Trust Anchor, please
> indicate the mandatory (and perhaps optional) Trust Anchor(s) for grid
> infrastructures using Genesis II.
>
> 1.1.4 Existing Identities
> --------------------------
> - The document states 'Alternatively, users may have identities that are
> managed by directory systems such as NIS/YP, LDAP, etc. Genesis II
> integrates with these systems to virtualize these identities into the grid'
> - Does Genesis II really create X509 certificates (like an SLCS CA)?
> - If yes, which Root CA does Genesis II use?
> - Are you sure that this Root CA will be accepted by the target
> resources inside the grid infrastructures using Genesis II?
> - If yes, what is the trust mechanism?
>
>
> 1.1.6 Identity Provider Resources (IDPs)
> -----------------------------------------
> - The document states 'New grid identities can be created and managed
> using Genesis II Identity Provider (IDP) resources' implementing
> 'WS-Trust Security Token Service (STS)'
> - Same questions as for section 1.1.4
>
> Precise answers to these questions, taking into account real operational
> constraints, would permit EGI SPG to understand the security process
> offered by Genesis II, and perhaps to define a more flexible policy
> about Trust Anchors, permitting real interoperation with grid
> infrastructures using Genesis II.
>
> Thank you in advance for taking the trouble to understand these
> questions and answer them.
>
> Best regards.
>
> -----------------------------------------------------
> Etienne URBAH LAL, Univ Paris-Sud, IN2P3/CNRS
> Bat 200 91898 ORSAY France
> Tel: +33 1 64 46 84 87 Skype: etienne.urbah
> Mob: +33 6 22 30 53 27 mailto:urbah at lal.in2p3.fr
> -----------------------------------------------------
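The "trust" process questioned above (a global CA "trusted" by all grid participants, versus IGTF as the unique trust anchor) comes down to one mechanical fact on the relying party's side: a user certificate is accepted only if a chain can be built from it to a root in the resource's configured anchor set. The following Go program is an added example written for this archive page; it is not code from Genesis II, CILogon, InCommon or IGTF. It uses only the Go standard library and constructs throwaway CA names of its own: an "accredited" root standing in for an IGTF-distributed anchor, an online issuing CA under it standing in for a CILogon-style intermediate, and a second, unaccredited root. It then shows that a certificate issued under the unaccredited root is rejected even when that root is shipped alongside the intermediates, because trust flows from the anchor set alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// template returns a minimal certificate template. All names are constructed
// for this example; none refers to a real CA.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// End-entity (user) certificate: client authentication only.
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue generates a fresh P-256 key and signs tmpl with parentKey.
// With parent == nil the certificate is self-signed, i.e. a root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// demoPKI groups the constructed material the way a relying party sees it:
// an anchor set, an intermediate bundle, and user certificates to check.
type demoPKI struct {
	Anchors         []*x509.Certificate // only the accredited root
	Intermediates   []*x509.Certificate // the online issuing CA under the anchor
	RogueBundle     []*x509.Certificate // an unaccredited root, shipped as if it were an intermediate
	User, RogueUser *x509.Certificate
}

func buildDemoPKI() demoPKI {
	anchor, anchorKey := issue(template("Constructed Accredited Root CA", true, 1), nil, nil)
	issuing, issuingKey := issue(template("Constructed Online Issuing CA", true, 2), anchor, anchorKey)
	user, _ := issue(template("Constructed Grid User", false, 3), issuing, issuingKey)
	rogue, rogueKey := issue(template("Constructed Unaccredited Root CA", true, 4), nil, nil)
	rogueUser, _ := issue(template("Constructed User Under Unaccredited Root", false, 5), rogue, rogueKey)
	return demoPKI{[]*x509.Certificate{anchor}, []*x509.Certificate{issuing}, []*x509.Certificate{rogue}, user, rogueUser}
}

// verifyUserCert does what a grid resource does when a user presents a
// certificate: build a chain through the supplied intermediates to one of the
// configured anchors. On success it returns the chain's subject names, leaf first.
func verifyUserCert(leaf *x509.Certificate, intermediates, anchors []*x509.Certificate) ([]string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(chains[0]))
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

// isUnknownAuthority reports whether verification failed for lack of a path
// to an anchor, as opposed to expiry, key usage or a bad signature.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	p := buildDemoPKI()
	chain, err := verifyUserCert(p.User, p.Intermediates, p.Anchors)
	fmt.Println("accredited path:", chain, err)
	_, err = verifyUserCert(p.RogueUser, p.RogueBundle, p.Anchors)
	fmt.Println("unaccredited root rejected as unknown authority:", isUnknownAuthority(err))
}
```

The design point is the split between `Anchors` and `Intermediates`: an operator who drops a CA distribution's root certificates into the intermediate bundle rather than the anchor set gains nothing, and one who drops an unaccredited root into the anchor set has silently widened the trust policy of that resource. The accreditation question in the mail is exactly the question of which roots may legitimately go into the second of those two pools.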