[gin] [Pgi-wg] Genesis II Security - Trust Anchor(s)

Etienne URBAH urbah at lal.in2p3.fr
Thu Oct 7 20:04:27 CDT 2010


Alan, Duane and Andrew,

Concerning Cloud / Grid Security,

Many thanks to Alan SILL for the link 
http://indico.rnp.br/conferenceDisplay.py?confId=85 to the Symposium on 
Authentication Technologies held at Texas Tech University on 04 October 
2010.

I have read the presentations, and I hope I have understood most of them.

In particular, I was most interested in the following two 
presentations:

-  InCommon 
http://indico.rnp.br/getFile.py/access?contribId=4&sessionId=2&resId=0&materialId=slides&confId=85

-  CILogon 
http://indico.rnp.br/getFile.py/access?contribId=1&sessionId=2&resId=0&materialId=slides&confId=85


As far as I understand:

-  The trust anchors are:
    - InCommon for SSL and personal certificates
    - IGTF for X509 certificates

-  Shibboleth makes it possible to convert a user's campus identity into 
standard SAML assertions,

-  InCommon makes it possible to convert these SAML assertions into an 
InCommon Silver-grade certificate, which is directly accepted across all 
InCommon participants,

-  CILogon (probably as MICS) makes it possible to convert an InCommon 
Silver-grade certificate into an X.509 certificate, which will be 
accepted by all Grid infrastructures trusting IGTF once CILogon obtains 
accreditation from TAGPMA.

Can Alan confirm?


If fully implemented, the above security setup would immediately provide 
realistic answers to the questions I asked in the mail below to the 
Genesis II team of the University of Virginia.

Can the Genesis II team confirm?


Thank you in advance for your answers.

Best regards.

-----------------------------------------------------
Etienne URBAH         LAL, Univ Paris-Sud, IN2P3/CNRS
                       Bat 200   91898 ORSAY    France
Tel: +33 1 64 46 84 87      Skype: etienne.urbah
Mob: +33 6 22 30 53 27      mailto:urbah at lal.in2p3.fr
-----------------------------------------------------


On Tue, 21/09/2010 21:07, Etienne URBAH wrote:
> Duane and Andrew,
>
> I have carefully read the document 'Genesis-II Security Implementation'
> at http://forge.gridforum.org/sf/go/doc15435?nav=1
>
> Basic interoperation between different grid infrastructures requires
> establishing mutual trust and common processes.
>
> Currently, Security Policies for EGI are proposed by EGI SPG 'Security
> Policy Group' at https://wiki.egi.eu/wiki/SPG
> In particular, 'Approval of Certification Authorities' at
> https://documents.egi.eu/public/ShowDocument?docid=83 defines that the
> Trust Anchor is IGTF http://www.igtf.net/
>
> In order to permit basic interoperation between EGI and infrastructures
> using Genesis II, members of EGI SPG need to have precise information on
> the Trust Anchor and Security Process used by grid infrastructures using
> Genesis II.
>
> Referring to your above-mentioned 'Genesis-II Security Implementation'
> document:
>
> 1.1.2 Resource Identity
> ------------------------
> - The document states 'All Genesis II grid resources are given X.509
> identities' and the 4th entry of a 'typical certificate chain of trust'
> is a 'global Certificate Authority (CA) "trusted" by all grid
> participants'.
> - Please explain this "trust" process precisely:
> If this process does not use IGTF as the unique Trust Anchor, please
> indicate the mandatory (and perhaps optional) Trust Anchor(s) for grid
> infrastructures using Genesis II.
>
> 1.1.4 Existing Identities
> --------------------------
> - The document states 'Alternatively, users may have identities that are
> managed by directory systems such as NIS/YP, LDAP, etc. Genesis II
> integrates with these systems to virtualize these identities into the grid'
> - Does Genesis II really create X509 certificates (like an SLCS CA)?
> - If yes, which Root CA does Genesis II use?
> - Are you sure that this Root CA will be accepted by the target
> resources inside the grid infrastructures using Genesis II?
> - If yes, what is the trust mechanism?
>
>
> 1.1.6 Identity Provider Resources (IDPs)
> -----------------------------------------
> - The document states 'New grid identities can be created and managed
> using Genesis II Identity Provider (IDP) resources' implementing
> 'WS-Trust Security Token Service (STS)'
> - Same questions as for section 1.1.4
>
> Precise answers to these questions, taking into account real operational
> constraints, would permit EGI SPG to understand the security process
> offered by Genesis II, and perhaps to define a more flexible policy
> about Trust Anchors, permitting real interoperation with grid
> infrastructures using Genesis II.
>
> Thank you in advance for taking the trouble to understand these
> questions and to answer them.
>
> Best regards.
>
> -----------------------------------------------------
> Etienne URBAH         LAL, Univ Paris-Sud, IN2P3/CNRS
>                        Bat 200   91898 ORSAY    France
> Tel: +33 1 64 46 84 87      Skype: etienne.urbah
> Mob: +33 6 22 30 53 27      mailto:urbah at lal.in2p3.fr
> -----------------------------------------------------
