[Pgi-wg] Genesis II Security - Trust Anchor(s)

Etienne URBAH urbah at lal.in2p3.fr
Tue Sep 21 14:07:07 CDT 2010


Duane and Andrew,

I have carefully read the document 'Genesis-II Security Implementation' 
at http://forge.gridforum.org/sf/go/doc15435?nav=1

Basic interoperation between different grid infrastructures requires 
establishing mutual trust and common processes.

Currently, Security Policies for EGI are proposed by the EGI SPG 'Security 
Policy Group' at https://wiki.egi.eu/wiki/SPG
In particular, 'Approval of Certification Authorities' at 
https://documents.egi.eu/public/ShowDocument?docid=83 defines that the 
Trust Anchor is IGTF (http://www.igtf.net/).

In order to permit basic interoperation between EGI and infrastructures 
using Genesis II, members of EGI SPG need to have precise information on 
Trust Anchor and Security Process used by grid infrastructures using 
Genesis II.

Referring to your above-mentioned 'Genesis-II Security Implementation' 
document:

1.1.2  Resource Identity
------------------------
-  The document states 'All Genesis II grid resources are given X.509 
identities' and the 4th entry of a 'typical certificate chain of trust' 
is a 'global Certificate Authority (CA) "trusted" by all grid participants'.
-  Please explain precisely this "trust" process:
    If this process does not use IGTF as the unique Trust Anchor, please 
indicate the mandatory (and perhaps optional) Trust Anchor(s) for grid 
infrastructures using Genesis II.

1.1.4  Existing Identities
--------------------------
-  The document states 'Alternatively, users may have identities that 
are managed by directory systems such as NIS/YP, LDAP, etc.  Genesis II 
integrates with these systems to virtualize these identities into the grid'
-  Does Genesis II really create X.509 certificates (like an SLCS CA)?
-  If yes, which Root CA does Genesis II use?
-  Are you sure that this Root CA will be accepted by the target 
resources inside the grid infrastructures using Genesis II?
-  If yes, what is the trust mechanism?


1.1.6  Identity Provider Resources (IDPs)
-----------------------------------------
-  The document states 'New grid identities can be created and managed 
using Genesis II Identity Provider (IDP) resources' implementing a 
'WS-Trust Security Token Service (STS)'.
-  Same questions as for section 1.1.4.

Precise answers to these questions, taking into account real operational 
constraints, would permit EGI SPG to understand the security process 
offered by Genesis II, and perhaps to define a more flexible policy 
about Trust Anchors, permitting real interoperation with grid 
infrastructures using Genesis II.

Thank you in advance for taking the trouble to understand these 
questions and answer them.

Best regards.

-----------------------------------------------------
Etienne URBAH         LAL, Univ Paris-Sud, IN2P3/CNRS
                       Bat 200   91898 ORSAY    France
Tel: +33 1 64 46 84 87      Skype: etienne.urbah
Mob: +33 6 22 30 53 27      mailto:urbah at lal.in2p3.fr
-----------------------------------------------------
