[Pgi-wg] OGF PGI - Security Strawman

Steven Newhouse Steven.Newhouse at cern.ch
Tue Mar 24 04:31:28 CDT 2009 

This high level summary would seem a useful non-normative preamble to
any security document produced by the group.

Splitting it into the current established base and where we propose to
go (addressing Oxana's comments) would give a VERY SHORT CONCISE roadmap
document and illustrate the benefits of this work.

Steven

Dr Steven Newhouse
EGEE Technical Director
http://cern.ch/Steven.Newhouse


> -----Original Message-----
> From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf
> Of Oxana Smirnova
> Sent: 24 March 2009 00:10
> To: Etienne Urbah
> Cc: pgi-wg at ogf.org; Vincenzo Ciaschini; edges-na3 at mail.edges-grid.eu;
> lodygens at lal.in2p3.fr
> Subject: Re: [Pgi-wg] OGF PGI - Security Strawman
> 
> Hi,
> 
> most of the statements are accurate; just some corrections inline:
> 
> 
> > 1) Grid Users and Certificate Authorities
> > -----------------------------------------
> > 1.1)  Each grid User is authenticated by a legal body (recognized by
> a
> > government).
> >
> > 1.2)  This legal body uses a Certificate Authority to grant a (long
> > lived) X509 certificate to the grid User.
> >
> > 1.3)  Each Certificate Authority is itself or is authenticated by a
> > self-signed Root Certificate Authority.
> >
> > 1.4)  All such Root Certificate Authorities trust each other and
> > cooperate within APGridPMA, EUGridPMA or TAGPMA (Policy Management
> > Authorities).
> >
> > 1.5)  These 3 Policy Management Authorities trust each other and
> > cooperate within IGTF.
> >
> > 1.6)  IGTF distributes the list of CA Certificates to be trusted.
> >
> > 1.7)  Each grid Site providing grid Services to grid Users MUST
> install
> > this list of CA Certificates and keep it up to date.
> 
> Not exactly: a Grid site installs those certificates it deems
> necessary.
> In general, there is no requirement to keep them up-to-date, but
> typically it is considered a security update and as such is strongly
> recommended to apply. Some infrastructures issue warnings for sites
> with
> outdated CA certs, but normally it does not impede operations.
> 
> >
> > 1.8)  Using its X509 certificate, each grid User can create at any
> time
> > a (short lived) X509 proxy with permits impersonation / delegation
> > during a short period.
> 
> This period is not necessarily "short": technically, it is limited
only
> by the life time of the original certificate itself.
> 
> >
> >
> > 2)  Virtual Organizations
> > -------------------------
> > 2.1)  A Virtual Organization (VO) groups grid Users with common
> goals. A
> > VO is NOT a legal body, can NOT be a Certificate Authority, and can
> NOT
> > issue X509 certificates.
> 
> A VO may well be associated with a legal body, nothing prevents it. It
> may also be a grouping by e.g. geopolitical principle, not necessarily
> by a common goal. Some VOs are known to run own Certificate
> Authorities,
> though they are not a part of IGTF and are trusted only by the VO
> members and respective resource providers themselves.
> 
> > 2.2)  Inside DEISA, a Virtual Community also groups grid Users with
> > common goals.  The relationships between Virtual Communities and
> Virtual
> > Organizations has to be precised by Morris RIEDEL.
> >
> > 2.3)  Each grid User belongs to 1 ore more VO (Virtual
Organization),
> > which grants him access rights to grid Storage and Computing
> Ressources.
> >
> > 2.4)  Access rights are granted by VOs to grid Users through either
:
> >       2.4.1)  VOMS extensions of X509 proxies (this makes a VOMS
> proxy)
> >       2.4.2)  SAML assertions
> 
> It can also be done by more crude means, like plain text mapping of
> known VO members to local UIDs. Not that it conforms to any standard,
> of
> course, but you'll be surprised to learn how widely it is used. The
> decision is always with the site owner.
> 
> >
> > 3)  Grid Services :  Information, AUTHN, AUTHZ
> > ----------------------------------------------
> > 3.1)  Each grid Infrastucture provides an Information Service, with
> > describes the Infrastructure according the the GLUE2 schema.
> 
> Not true. No Grid deploys Glue2 schema yet (though this is the goal),
> and very few Grids run any information system at all.
> 
> >
> > 3.2)  Each grid User can query this Information Service anonymously
> in
> > order to know which security protocol he has to use to submit
> requests
> > to grid Services.
> 
> Not necessarily true. Existing information systems are anonymously
> accessible all the way through; and what will happen to future systems
> is up to us to decide.
> 
> >
> > 3.3)  Each grid User can directly access data hosted by grid Storage
> > Services.  For Authentication, the grid User can present the public
> part
> > of his X509 certificate or X509 proxy.  For Authorization, the grid
> User
> > can present :
> >       3.3.1)  the public part of his VOMS proxy, or
> >       3.3.2)  a bag of SAML assertions.
> 
> It's a bit more complex: quite commonly, data are accessed not
> directly,
> but via an SRM interface.
> 
> >
> > 3.4)  Each grid User can submit Jobs to grid Computing Services.  If
> > such a Job needs access to data hosted by grid Storage Services,
then
> > the grid User must provide a delegation token.  This delegation
token
> > can be :
> >       3.4.1)  a full VOMS proxy, or
> >       3.4.2)  a bag of SAML assertions.
> >
> >
> > 4)  Consequences for Interoperability
> > -------------------------------------
> > 4.1)  X509 proxies MUST fully comply to RFC 3820.
> >
> > 4.2)  VOMS services, which deliver X509 proxies with VOMS
extensions,
> > MUST fully comply to RFC 3820.
> >
> > 4.3)  The authentication library used by grid Services MUST fully
> comply
> > to RFC 3820 (for example a recent version of OpenSLL), so that it
can
> > accept as well X509 certificates as X509 proxies.
> >
> > 4.4)  Each grid Site providing grid Services to grid Users MUST
> install
> > files describing VOMS authorizations and other authorizations, and
> keep
> > them up to date.
> >
> 
> I do not understand what is meant by that. VOMS is a service; a user
> only needs to know the end-point. It is true however that the sites
> need
> to install VOMS server's public key and keep it up-to-date. This is
> actually the ugliest point, because there is no simple way of locating
> a
> VOMS service key, there is no any repository of such, and VOMS service
> providers themselves often "forget" to advertise the key location. One
> can easily retrieve it via openssl though.
> 
> > 4.5)  The semantics of Authorization tokens MUST be the same for all
> > grid Infrastructures :
> >       4.5.1)  VOMS extensions
> >       4.5.2)  Restriction attributes
> >
> > 4.6)  The Information Service of each grid Infrastructure MUST
> describe,
> > for each grid Service, which Authorization tokens this Service
> > understands (potentially several) :
> >       4.6.1)  VOMS extensions
> >       4.6.2)  X509 restriction attributes
> >       4.6.3)  SAML assertions
> >
> > 4.7)  For SAML assertions, the Information Service of each grid
> > Infrastructure MUST describe, for each grid Service, how they are
> > transported :
> >       4.7.1)  As attributes of X509 proxies
> >       4.7.2)  Inside a SOAP header
> >
> > Unfinished ...
> >
> 
> Cheers,
> Oxana
> _______________________________________________
> Pgi-wg mailing list
> Pgi-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/pgi-wg

More information about the Pgi-wg mailing list