2009/3/24 David Wallom <david.wallom@oerc.ox.ac.uk>:

Looking through this though I would assert that the limitations to just long lived X509 seems not in keeping with for example the ongoing discussions about trusting Shibboleth generated certs etc??

That's how I read it at first but Etienne's writeup (if that's what you're referring to) is restricted to proxies. Clearly(?) a SLC is a PKC as well.

I have just been speaking to the security person from our NREN who specifically mentioned that Shib tokens across national boundaries is becoming essential and will be subject to an IGTF type body pretty soon.

They are currently recommending using self signed certificates for the SPs as trust anchors. I hear slightly different messages from within the NREN in question but they are indicating that SAML assertions are "moving to" being signed by such trust anchors. I think I referred to it in an earlier mail to PGI-WG. --jens

Steven and all, Thank you for all your comments. I tried to take them all into account. The new version is attached here as 'PGI-Security-Model.txt', and also available at http://forge.gridforum.org/sf/go/doc15584?nav=1 Best regards. ---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ---------------------------------- On Tue, 24 Mar 2009, Steven Newhouse wrote:

This high level summary would seem a useful non-normative preamble to any security document produced by the group.

Splitting it into the current established base and where we propose to go (addressing Oxana's comments) would give a VERY SHORT CONCISE roadmap document and illustrate the benefits of this work.

Steven

Dr Steven Newhouse EGEE Technical Director http://cern.ch/Steven.Newhouse

OGF PGI - Security Model ======================== Current Established Base ======================== Chapters 1, 2 and 3 below describe the current security model of Computing Grid Infrastructures. 1) Grid Users and Certificate Authorities ----------------------------------------- 1.1) Each grid User is authenticated by a legal body (recognized by a government). 1.2) This legal body uses a Certificate Authority to grant a (long lived) X509 certificate to the grid User. 1.3) Each Certificate Authority is itself or is authenticated by a self-signed Root Certificate Authority. 1.4) All such Root Certificate Authorities trust each other and cooperate within APGridPMA, EUGridPMA or TAGPMA (Policy Management Authorities). 1.5) These 3 Policy Management Authorities trust each other and cooperate within IGTF. 1.6) IGTF distributes the list of CA Certificates to be trusted. 1.7) Each grid Site providing grid Services to grid Users installs the CA Certificates it deems necessary. In general, there is no requirement to keep them up-to-date, but typically it is considered a security update and as such is strongly recommended to apply. Some infrastructures issue warnings for sites with outdated CA certs, but normally it does not impede operations. 1.8) Using its X509 certificate, each grid User can create at any time a (usually short lived) X509 proxy with permits impersonation / delegation during a (usually short) period. 2) Virtual Organizations ------------------------- 2.1) A Virtual Organization (VO) groups grid Users (usually with common goals). A Virtual Organization may be a legal body, and may be a Certificate Authority which can issue X509 certificates, but most are NOT. 2.2) Inside DEISA, a Virtual Community also groups grid Users with common goals. The relationships between Virtual Communities and Virtual Organizations have to be explained by Morris RIEDEL. 2.3) Each grid User belongs to 1 or more VO (Virtual Organization), which grants him access rights to grid Storage and Computing Resources. 2.4) Access rights are granted by VOs to grid Users through either : 2.4.1) VOMS extensions of X509 proxies (this makes a VOMS proxy) 2.4.2) SAML assertions 3) Grid Services : Information, AUTHN, AUTHZ ---------------------------------------------- 3.1) Some grid Infrastructures provide an Information Service with describes the Infrastructure, for example according to the 'GLUE 1.3' schema. 3.2) If this Information Service exists, then each grid User can query it in order to discover the list, requirements and capabilities of grid Services. 3.3) Each grid User can directly access data hosted by grid Storage Services. For Authentication, the grid User can present the public part of his X509 certificate or X509 proxy. For Authorization, the grid User has to present either (depending on the Infrastructure) : 3.3.1) the public part of his VOMS proxy, or 3.3.2) a bag of SAML assertions. If the grid User accesses data through a interface requiring delegation, then the next subchapter applies. 3.4) Each grid User can submit Jobs to grid Computing Services. If such a Job needs access to data hosted by grid Storage Services, then the grid User must provide a delegation token. This delegation token is either (depending on the Infrastructure) : 3.4.1) a full VOMS proxy, or 3.4.2) a bag of SAML assertions. Morris RIEDEL has to explain if and how delegation of SAML assertions work. 3.5) Each grid Site providing grid Services to grid Users has installed Authorization Files (such as 'gridmap' files) describing VOMS authorizations, other authorizations, and mapping of known VO members to local UIDs. Grid Sites try to keep those Authorization Files up to date. There is a trend to replace these static 'gridmap' files by a robust Authorization Service (SCAS by EGEE, GUMS by OSG). Where we propose to go ====================== Chapters 4, 5, 6 and 7 below describe a security model for short term Interoperability between Computing Grid Infrastructures. 4) Operational Robustness of Security -------------------------------------- 4.1) The number of Certificate Authorities for grid Infrastructures SHOULD be kept as low as possible. 5) Interoperability between X509 certificates and X509 proxies for Authentication ---------------------------------------------------------------------------------- 5.1) For this short term Security Profile aimed at short term Interoperability, we accept Shibboleth as an option, but knowingly exclude Shibboleth from any requirement. 5.2) X509 proxies MUST fully comply to RFC 3820. 5.3) VOMS services, which deliver X509 proxies with VOMS extensions, MUST fully comply to RFC 3820. 5.4) The authentication library used by grid Services MUST fully comply to RFC 3820 (for example a recent version of OpenSLL), so that it can accept as well X509 certificates as X509 proxies. 6) Information Service describing the Infrastructure according the the GLUE2 schema ------------------------------------------------------------------------------------ 6.1) Each grid Infrastructure MUST provide an Information Service, which describes the Infrastructure according the the GLUE2 schema. 6.2) If access to the Information Service is restricted, the grid Infrastructure MUST provide a Bootstrap Information Service, with describes the security requirements for access to the full Information Service according the the GLUE2 schema. 7) Interoperable Grid Services : Information, AUTHN, AUTHZ ------------------------------------------------------------ 7.1) The semantics of Authorization tokens MUST be the same for all grid Infrastructures : 7.1.1) VOMS extensions 7.1.2) Restriction attributes 7.2) The Information Service of each grid Infrastructure MUST describe, for each grid Service, the security requirements for access to the grid Service, and which Authorization Tokens this Service expects (potentially several) : 7.2.1) X509 VOMS extensions 7.2.2) X509 restriction attributes 7.2.3) SAML assertions 7.3) For SAML assertions, the Information Service of each grid Infrastructure MUST describe, for each grid Service, the transport method that the grid Service expects (potentially several) : 7.3.1) As attributes of X509 proxies 7.3.2) Inside a SOAP header 7.4) Each grid Site providing grid Services to grid Users MUST install and keep up to date a robust Authorization Service describing VOMS authorizations, other authorizations, and mapping of known VO members to local UIDs. 7.5) Each grid Service MUST accept at least : 7.5.1) One of the Authorization Tokens described at chapter 7.2 7.5.2) One of the transport methods described at chapter 7.3 (only if the grid Service accepts SAML assertions) 7.6) As long as it satisfies subchapter 7.5, each grid Service MAY also accept Authentication and Authorization methods based on Shibboleth. 7.7) In order to ease the development and deployment of grid Clients, each grid Service SHOULD accept ALL types of Authorization Tokens described at chapter 7.2 If it accepts SAML assertions, it SHOULD accept that they are transported inside SOAP headers. 7.8) In order to keep middleware complexity and bandwidth usage as low as possible, grid Services should NOT send their full description of their security interface inside each message, but only when specifically requested (for example by the Information Service). To be thoroughly criticized ...

Duane, Thank you for your comments. Please find the original text and my answers inline. Beyond that : 7.9) Semantics and syntax of VOMS extensions and Restriction attributes ----------------------------------------------------------------------- I would like to describe (for example in new section 7.9) the semantics and syntax of a RESTRICTED list of VOMS extensions and Restriction attributes that all grid clients MAY use and that all grid services MUST understand. Does anybody have links to such lists ? - For VOMS extension, the example below gives : VO, subject, issuer, attribute, timeleft, uri - For other attributes, here is something springing out from my imagination, with semantics and syntax (please criticize) : - Assertion of identity : ID:<FQAN> - Assertion of belonging to a group : GROUP:<FQAN> - Authorization to access a resource : ALLOW:<URI> - Interdiction to access a resource : DENY:<URI> - Authorization to read a file (or a folder, recursively : ALLOW_R:<URI> - Authorization to write into a file (or a folder, recursively : ALLOW_W:<URI> - Authorization to read and write into a file (or a folder, recursively : ALLOW_RW:<URI> Note that GLUE 2.0 recommends that the URI should be an URN. Best regards. ---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ---------------------------------- On Duane Merrill wrote:

Looks like a good foundation. A couple of comments/suggestions:

...

7.1) The semantics of Authorization tokens MUST be the same for all grid Infrastructures : 7.1.1) VOMS extensions 7.1.2) Restriction attributes This section discusses the necessity for shared-semantics amongst authorization token formats. Instead of "VOMS extensions", which is unclear what that means, I think you mean "FQAN-equivalent semantics for describing VO groups/roles."

VOMS extensions of X509 proxies are NOT a simple FQAN. See following example, extracted from ' voms-proxy-info -all' on a gLite UI : === VO vo.lal.in2p3.fr extension information === VO : vo.lal.in2p3.fr subject : /O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Etienne Urbah issuer : /O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=grid12.lal.in2p3.fr attribute : /vo.lal.in2p3.fr/Role=NULL/Capability=NULL timeleft : 11:59:50 uri : grid12.lal.in2p3.fr:20000 I agree that we have to describe the full list of VOMS extensions with their meaning and syntax (or provide a link to the relevant VOMS specification).

...

7.2) The Information Service of each grid Infrastructure MUST describe, for each grid Service, the security requirements for access to the grid Service, and which Authorization Tokens this Service expects (potentially several) : 7.2.1) X509 VOMS extensions 7.2.2) X509 restriction attributes 7.2.3) SAML assertions If we have the semantic equivalences described in (7.1), then the incoming message-processing stack of a PGI-compliant service endpoint should be able process all three types of client-credentialing mechanisms equivalently:

o Clients supply SAML attributes authenticated by End-Entity Certificates at the SOAP level (/Idealized Unicore/) o Clients supply SAML attributes authenticated by Proxy-Certificates at the SOAP level (/Idealized Genesis II/) o Clients supply VOMS-style Attribute Certificates authenticated by (and embedded within) Proxy Certificates at the SSL/TLS level (/Idealized gLite/ARC/Naregi/)

By the time message-processing reaches a policy-decision module, the service has distilled an authenticated set of distinguished names, FQAN groups/roles, and restriction policies that look the same, independent of how they were supplied. By mandating a "receiver-makes-right" strategy (section 7.7), you obviate the complexity of sections (7.3) and (7.5). Such reduced complexity affords us a quicker incremental roadmap in which clients can remain largely unchanged, while additional infrastructure complexity is only initially needed at those service endpoints intended for advertisement within multiple infrastructures.

You can obviate the complexity of sections 7.3 and 7.5 only if section 7.7 is mandatory (with a 'MUST' wording), which means you force every middleware to implement immediately the 3 types of Authorization tokens. In fact, you can NOT force that. This is the reason why I used the 'SHOULD' wording in section 7.7, and this forces the Information System to provide the list of Authorization tokens and transport methods really accepted by each grid Service.

...

7.4) Each grid Site providing grid Services to grid Users MUST install and keep up to date a robust Authorization Service describing VOMS authorizations, other authorizations, and mapping of known VO members to local UIDs. Be careful with your language: do not mandate the management of authz/authn information not relevant to inter-grid interaction. (E.g., Genesis II does not make use of local-UID mappings).

You are right, I will replace the reference to local-UID mappings by something more general.

The document is missing a brief consensus on SOAP-over-HTTPS communication that mandates a specific variant of SSL/TLS (i.e., anything that implements RFC-2246, The TLS Protocol Version 1.0, which excludes GSI-OpenSSH.)

I do NOT have enough knowledge about WS, SOAP and RFC-2246 to write something sensible. Can you write it yourself ?

-Duane

These "VOMS extensions" you keep referring to are actually X.509 Attribute Certificates that are well-defined in an IETF RFC and refined by the OGSA-Authz VOMS doc. You should call them "VOMS-style ACs" (since they can be constructed by an authn authority other than an actual VOMS server.). Section 7.1.1 needs to be about defining a shared semantics between attribute documents (specifically VOMS-style ACs and a new PGI definition of equivalent SAML attribute assertions), which is something that the strawman doc already does in gory detail. (Although it needs an updating to reflect the proper authentication of SAML attribute assertions by Proxy Certificates -- the idealized Genesis II credentialing mechanism.) Duane On 3/25/09, Vincenzo Ciaschini <vincenzo.ciaschini@cnaf.infn.it> wrote:

Etienne URBAH wrote:

...

Duane,

Thank you for your comments. Please find the original text and my answers inline.

Beyond that :

7.9) Semantics and syntax of VOMS extensions and Restriction attributes ----------------------------------------------------------------------- I would like to describe (for example in new section 7.9) the semantics and syntax of a RESTRICTED list of VOMS extensions and Restriction attributes that all grid clients MAY use and that all grid services MUST understand.

Does anybody have links to such lists ?

- For VOMS extension, the example below gives : VO, subject, issuer, attribute, timeleft, uri Just for clarity: attribute is indeed a list of attributes. There may be more than one.

Also, information from more than one VO may be present.

...

- For other attributes, here is something springing out from my imagination, with semantics and syntax (please criticize) : - Assertion of identity : ID:<FQAN> - Assertion of belonging to a group : GROUP:<FQAN> - Authorization to access a resource : ALLOW:<URI> - Interdiction to access a resource : DENY:<URI> - Authorization to read a file (or a folder, recursively : ALLOW_R:<URI> - Authorization to write into a file (or a folder, recursively : ALLOW_W:<URI> - Authorization to read and write into a file (or a folder, recursively : ALLOW_RW:<URI> Note that GLUE 2.0 recommends that the URI should be an URN.

...

I agree that we have to describe the full list of VOMS extensions with their meaning and syntax (or provide a link to the relevant VOMS specification).

How about this? https://forge.gridforum.org/sf/go/doc13797 (also referenced in the strawman doc)

If it is unclear, I'd love to receive comments.

Ciao, Vincenzo

...

You can obviate the complexity of sections 7.3 and 7.5 only if section 7.7 is mandatory (with a 'MUST' wording), which means you force every middleware to implement immediately the 3 types of Authorization tokens.

In fact, you can NOT force that. This is the reason why I used the 'SHOULD' wording in section 7.7, and this forces the Information System to provide the list of Authorization tokens and transport methods really accepted by each grid Service.

...

I *strongly* disagree; PGI does need to force that. The goal is not to demand that *all* middleware endpoints be *fully* interoperable; just those that are advertised outside of that infrastructure. And if a particular endpoint is PGI-compliant, there is no reason it shouldn't be able to accept the two major credentialing mechanisms (SAML, AC), particularly since we're defining them to be equivalent. What you propose does NOT foster interoperability: - If a client wishes to call a remote service, it must somehow translate its credentials into that service's desired format. This is what must be done at present time, and it's *not* interoperable. - Some types of credential-translation are simply not possible (e.g., converting a proxy-cert into an EEC), so whole classes of clients will be unable to use whole classes of services, which is *not* interoperable. We should avoid enabling this situation (because it's what we have at present time, so nothing is gained). It's not that hard to support both credential mechanisms in the message-processing stack. In fact, it's harder to do what you propose: build the logic to detect service-type, perform token exchange, failover if service-type is unsupported, etc., into clients. And you gain virtually NOTHING for the effort. The quickest route to interop is one in which - Inter-grid clients adhere to one (or more) of two profiles: SAML & AC (the idealized-Unicore is a sub-instance of idealized-Genesis II) - Inter-grid services support both, since we've defined the two client profiles to be semantically equivalent. -Duane

So, what you're saying is that it is, for all intents and purposes, infeasible for the CREAM BES to support an attribute authorization scheme other than VOMS-style-ACs-inside-EECs/PCs. This leads me to draw the following conclusion: *Don't bother advertising CREAM BESs as inter-middleware services*. Unicore/GenesisII/etc. infrastructures don't have the means for clients to obtain PCs or EECs that have VOMS-style ACs signed within them, so in all reality your CREAM BESs will never be used by those middlewares anyway. If you need to share your resource across middleware domains, stand up a BES that can support *both* types of credentialing mechanisms instead. The issue holding the client back is that they have a signed SAML assertion that cannot be traded for a signed VOMS-style AC without the involvment of a hypothetical third-party attribute authority. The implementation work necessary for such infrastructure would be just as substantial (if not more so) than the modifications necessary for CREAM, and would become obsolete as we move towards the "eventual goal". Now, if your CREAM BES could support PGI-SAML embedded within PCs, it would be trivial for the client to create a proxy certificate for itself with the SAML attribute embedded within...... -Duane On Thu, Mar 26, 2009 at 9:24 AM, Moreno Marzolla <moreno.marzolla@pd.infn.it

wrote:

Duane Merrill wrote:

...

...

You can obviate the complexity of sections 7.3 and 7.5 only if section 7.7 is mandatory (with a 'MUST' wording), which means you force every middleware to implement immediately the 3 types of Authorization tokens.

In fact, you can NOT force that. This is the reason why I used the 'SHOULD' wording in section 7.7, and this forces the Information System to provide the list of Authorization tokens and transport methods really accepted by each grid Service.

I *strongly* disagree; PGI does need to force that. The goal is not to demand that *all* middleware endpoints be *fully* interoperable; just those that are advertised outside of that infrastructure. And if a particular endpoint is PGI-compliant, there is no reason it shouldn't be able to accept the two major credentialing mechanisms (SAML, AC), particularly since we're defining them to be equivalent.

While I agree that a single security model should be the ultimate goal (for all the reasons you already stated), I see technical problems in having it implemented in all infrastructures, at least in the medium term. That was the reason why the initial work within PGI was focused on having a small set (ideally, two) of security profiles and having the clients sustain the burden of supporting both and deciding which one to use--which seems reasonable as it is the client responsibility to acquire the appropriate credentials. Just to describe one of the technical problema I am alluding at, in CREAM we use an external component called gLExec to perform Grid user ID -> Unix user ID mappings. At the moment, gLExec supports X509 (proxy) certificates with VOMS extensions only, and there is no way (apart from rewriting a significant part of it) to make it support anything else. While gLite is going to migrate to a new authorization framework, it is still (very early) work in progress. And to make things worse, CREAM is unable to bypass gLExec easily: gLExec is called once by CREAM, and once by BLAH, which is a batch system abstraction layer which provides a single interface to multiple batch systems (and thus is used by CREAM to support LSF/PBS/SGE/...). Neither gLExec nor BLAH are under our (=CREAM developers) control, and modifying CREAM to get rid of them when submitting jobs through a PGI compliant interface is a nontrivial work which requires some significant effort.

I understand that these are gLite-specific, low level details, but maybe other middlewares have similar issues. I also understand that the software and the infrastructures are going to evolve anyway, but in some situations evolution happens quite slowly.

In my opinion, having e.g. two well defined PGI security profiles, such that existing infrastructures can easily support at least one of them would be better than the current situation in which everybody implements something different. It would be a compromise, of course, and the ideal long term solution would be to converge to a single profile, but I'm unsure whether aiming right now at this long term solution would be a good idea.

Moreno.

-- Moreno Marzolla INFN Sezione di Padova, via Marzolo 8, 35131 PADOVA, Italy EMail: moreno.marzolla@pd.infn.it Phone: +39 049 8277103 WWW : http://www.dsi.unive.it/~marzolla Fax : +39 049 8756233

Hi Duane, BES was proposed as a standard interface for job submission. Our initial aim was to understand how/if we could adopt this interface in our infrastructures. Obviously this interface alone will not make the infrastructure fully interoperable but it would be a step in the right direction. One of the constraints that we have is that our infrastructure is based around VOMS-style-ACs and this will not change this in the short term. I would imagine any other infrastructures using a different AAA scheme would have a similar problem. Adopting the BES interface should not require people to change the AAA scheme that they used in their infrastructure. What we require is a method of using BES with VOMS-style-ACs. We may end up with multiple specification that explain how BES is used with different AAA schemes. This would highlight the real situation and we have different "Grid Islands" which can't interoperability due to the different AAA schemes used. If interoperability between these islands is required we need to address the AAA issue but that should not affect our adoption of BES. Laurence Duane Merrill wrote:

So, what you're saying is that it is, for all intents and purposes, infeasible for the CREAM BES to support an attribute authorization scheme other than VOMS-style-ACs-inside-EECs/PCs. This leads me to draw the following conclusion:

/Don't bother advertising CREAM BESs as inter-middleware services/. Unicore/GenesisII/etc. infrastructures don't have the means for clients to obtain PCs or EECs that have VOMS-style ACs signed within them, so in all reality your CREAM BESs will never be used by those middlewares anyway. If you need to share your resource across middleware domains, stand up a BES that can support /both/ types of credentialing mechanisms instead.

The issue holding the client back is that they have a signed SAML assertion that cannot be traded for a signed VOMS-style AC without the involvment of a hypothetical third-party attribute authority. The implementation work necessary for such infrastructure would be just as substantial (if not more so) than the modifications necessary for CREAM, and would become obsolete as we move towards the "eventual goal".

Now, if your CREAM BES could support PGI-SAML embedded within PCs, it would be trivial for the client to create a proxy certificate for itself with the SAML attribute embedded within......

-Duane

On Thu, Mar 26, 2009 at 9:24 AM, Moreno Marzolla <moreno.marzolla@pd.infn.it <mailto:moreno.marzolla@pd.infn.it>> wrote:

Duane Merrill wrote:

You can obviate the complexity of sections 7.3 and 7.5 only if section 7.7 is mandatory (with a 'MUST' wording), which means you force every middleware to implement immediately the 3 types of Authorization tokens.

In fact, you can NOT force that. This is the reason why I used the 'SHOULD' wording in section 7.7, and this forces the Information System to provide the list of Authorization tokens and transport methods really accepted by each grid Service.

I *strongly* disagree; PGI does need to force that. The goal is not to demand that *all* middleware endpoints be *fully* interoperable; just those that are advertised outside of that infrastructure. And if a particular endpoint is PGI-compliant, there is no reason it shouldn't be able to accept the two major credentialing mechanisms (SAML, AC), particularly since we're defining them to be equivalent.

While I agree that a single security model should be the ultimate goal (for all the reasons you already stated), I see technical problems in having it implemented in all infrastructures, at least in the medium term. That was the reason why the initial work within PGI was focused on having a small set (ideally, two) of security profiles and having the clients sustain the burden of supporting both and deciding which one to use--which seems reasonable as it is the client responsibility to acquire the appropriate credentials. Just to describe one of the technical problema I am alluding at, in CREAM we use an external component called gLExec to perform Grid user ID -> Unix user ID mappings. At the moment, gLExec supports X509 (proxy) certificates with VOMS extensions only, and there is no way (apart from rewriting a significant part of it) to make it support anything else. While gLite is going to migrate to a new authorization framework, it is still (very early) work in progress. And to make things worse, CREAM is unable to bypass gLExec easily: gLExec is called once by CREAM, and once by BLAH, which is a batch system abstraction layer which provides a single interface to multiple batch systems (and thus is used by CREAM to support LSF/PBS/SGE/...). Neither gLExec nor BLAH are under our (=CREAM developers) control, and modifying CREAM to get rid of them when submitting jobs through a PGI compliant interface is a nontrivial work which requires some significant effort.

I understand that these are gLite-specific, low level details, but maybe other middlewares have similar issues. I also understand that the software and the infrastructures are going to evolve anyway, but in some situations evolution happens quite slowly.

In my opinion, having e.g. two well defined PGI security profiles, such that existing infrastructures can easily support at least one of them would be better than the current situation in which everybody implements something different. It would be a compromise, of course, and the ideal long term solution would be to converge to a single profile, but I'm unsure whether aiming right now at this long term solution would be a good idea.

Moreno.

-- Moreno Marzolla INFN Sezione di Padova, via Marzolo 8, 35131 PADOVA, Italy EMail: moreno.marzolla@pd.infn.it <mailto:moreno.marzolla@pd.infn.it> Phone: +39 049 8277103 WWW : http://www.dsi.unive.it/~marzolla <http://www.dsi.unive.it/%7Emarzolla> Fax : +39 049 8756233

------------------------------------------------------------------------

_______________________________________________ Pgi-wg mailing list Pgi-wg@ogf.org http://www.ogf.org/mailman/listinfo/pgi-wg

Forgive me for pushing my logic to the extreme; I do realize that ARC/gLite/Naregi are similar enough that they could be congealed to constitute a "grid island" with some degree of effort. My point is that the working group is still faced with a crisis of identity: it is not about "production grid interoperability", but rather about "A-type interoperability", "B-type interoperability", "C-type interoperability" where {A, B, C, etc.} is the set of credentialing schemes that, depending on the effort we are willing to invest, may number as many as there are different middleware implementations (no effort), or as few as one integrated scheme. The operative phrase being "the amount of effort we are willing to invest". Perhaps we should survey *that*. -Duane

Duane Merrill wrote:

Forgive me for pushing my logic to the extreme; I do realize that ARC/gLite/Naregi are similar enough that they could be congealed to constitute a "grid island" with some degree of effort. [...] The operative phrase being "the amount of effort we are willing to invest". Perhaps we should survey *that*.

This "all-or-nothing" attitude was precisely what I was trying to avoid when I (and others like me) initially thought about having a small set of different security profiles. There are simply things which we (and others) can't change overnight, as we work on middlewares whose development is constrained in different ways. There's not much that we can do to change these constraints in the sort term. Sure, we could develope a new (e.g.) CREAM-BES service which is completely unrelated with the legacy CREAM, so that we can get rid of every legacy component and implement whatever security mechanism we agree on. Whether we have the resources to do that is a question I'm not entitled to answer, but my guess is that we don't (again, things may change in the future). So, achieving full interoperability between ARC/glite/naregi would be a success for me. Knowing that, by only getting rid of VOMS proxies and using SAML assertions we could get full interoperability with UNICORE and other similar middlewares is equally a success. Having to build adapters to translate (if possible) credentials in different formats is a compromise which is more reasonable than having to wait for all the middlewares of the world to move towards a common security infrastructure. Maybe this will happen, but I don't know whether I will stil be around by then. Moreno. -- Moreno Marzolla INFN Sezione di Padova, via Marzolo 8, 35131 PADOVA, Italy EMail: moreno.marzolla@pd.infn.it Phone: +39 049 8277103 WWW : http://www.dsi.unive.it/~marzolla Fax : +39 049 8756233

To All, I agree with Moreno MARZOLLA : Achieving full interoperability between ARC/glite/naregi would be a success. Taking into account information of Vincenzo CIASCHINI and some comments of Duane MERRIL, I have updated my 'PGI Security Model' below and at http://forge.gridforum.org/sf/go/doc15584?nav=1 OGF PGI - Security Model ======================== Current Established Base ======================== Chapters 1, 2 and 3 below describe the current security model of Computing Grid Infrastructures. 1) Grid Users and Certificate Authorities ----------------------------------------- 1.1) Each grid User is authenticated by a legal body (recognized by a government). 1.2) This legal body uses a Certificate Authority to grant a (long lived) X509 certificate to the grid User. 1.3) Each Certificate Authority is itself or is authenticated by a self-signed Root Certificate Authority. 1.4) All such Root Certificate Authorities trust each other and cooperate within APGridPMA, EUGridPMA or TAGPMA (Policy Management Authorities). 1.5) These 3 Policy Management Authorities trust each other and cooperate within IGTF. 1.6) IGTF distributes the list of CA Certificates to be trusted. 1.7) Each grid Site providing grid Services to grid Users installs the CA Certificates it deems necessary. In general, there is no requirement to keep them up-to-date, but typically it is considered a security update and as such is strongly recommended to apply. Some infrastructures issue warnings for sites with outdated CA certs, but normally it does not impede operations. 1.8) Using its X509 certificate, each grid User can create at any time a (usually short lived) X509 proxy with permits impersonation / delegation during a (usually short) period. 2) Virtual Organizations ------------------------- 2.1) A Virtual Organization (VO) groups grid Users (usually with common goals). A Virtual Organization may be a legal body, and may be a Certificate Authority which can issue X509 certificates, but most are NOT. 2.2) Inside DEISA, a Virtual Community also groups grid Users with common goals. The relationships between Virtual Communities and Virtual Organizations have to be explained by Morris RIEDEL. 2.3) Each grid User belongs to 1 or more VO (Virtual Organization), which grants him access rights to grid Storage and Computing Resources. 2.4) Access rights are granted by VOs to grid Users through either : 2.4.1) VOMS extensions of X509 proxies (this makes a VOMS proxy) 2.4.2) SAML assertions 3) Grid Services : Information, AUTHN, AUTHZ ---------------------------------------------- 3.1) Some grid Infrastructures provide an Information Service with describes the Infrastructure, for example according to the 'GLUE 1.3' schema. 3.2) If this Information Service exists, then each grid User can query it in order to discover the list, requirements and capabilities of grid Services. 3.3) Each grid User can directly access data hosted by grid Storage Services. For Authentication, the grid User can present the public part of his X509 certificate or X509 proxy. For Authorization, the grid User has to present either (depending on the Infrastructure) : 3.3.1) the public part of his VOMS proxy, or 3.3.2) a bag of SAML assertions. If the grid User accesses data through a interface requiring delegation, then the next subchapter applies. 3.4) Each grid User can submit Jobs to grid Computing Services. If such a Job needs access to data hosted by grid Storage Services, then the grid User must provide a delegation token. This delegation token is either (depending on the Infrastructure) : 3.4.1) a full VOMS proxy, or 3.4.2) a bag of SAML assertions. Morris RIEDEL has to explain if and how delegation of SAML assertions work. 3.5) Each grid Site providing grid Services to grid Users has installed Authorization Files (such as 'gridmap' files) describing VOMS authorizations, other authorizations, and mapping of known VO members to local UIDs. Grid Sites try to keep those Authorization Files up to date. There is a trend to replace these static 'gridmap' files by a robust Authorization Service (SCAS by EGEE, GUMS by OSG). Where we propose to go ====================== Chapters 4, 5, 6 and 7 below describe a security model for short term Interoperability between Computing Grid Infrastructures. 4) Operational Robustness of Security -------------------------------------- 4.1) The number of Certificate Authorities for grid Infrastructures SHOULD be kept as low as possible. 5) Interoperability between X509 certificates and X509 proxies for Authentication ---------------------------------------------------------------------------------- 5.1) For this short term Security Profile aimed at short term Interoperability, we accept Shibboleth as an option, but knowingly exclude Shibboleth from any requirement. 5.2) X509 proxies MUST fully comply to RFC 3820. 5.3) VOMS services, which deliver X509 proxies with VOMS extensions, MUST fully comply to RFC 3820. 5.4) The authentication library used by grid Services MUST fully comply to RFC 3820 (for example a recent version of OpenSLL), so that it can accept as well X509 certificates as X509 proxies. 6) Information Service describing the Infrastructure according the the GLUE2 schema ------------------------------------------------------------------------------------ 6.1) Each grid Infrastructure MUST provide an Information Service, which describes the Infrastructure according the the GLUE2 schema. 6.2) If access to the Information Service is restricted, the grid Infrastructure MUST provide a Bootstrap Information Service, with describes the security requirements for access to the full Information Service according the the GLUE2 schema. 7) Interoperable Grid Services : Information, AUTHN, AUTHZ ------------------------------------------------------------ 7.1) The semantics of Authorization tokens MUST be the same for all grid Infrastructures. Examples of Authorization tokens are : 7.1.1) VOMS-style Attribute Certificates 7.1.2) Restriction attributes 7.1.3) Shibboleth 7.2) The Information Service of each grid Infrastructure MUST describe, for each grid Service, the security requirements for access to the grid Service, and which Authorization Tokens this Service expects (potentially several) : 7.2.1) X509 VOMS-style Attribute Certificates They are defined in 'VOMS Attribute Certificate Format' at http://forge.gridforum.org/sf/go/doc13797?nav=1 7.2.2) X509 restriction attributes 7.2.3) SAML assertions 7.3) The Information Service of each grid Infrastructure MUST describe, for each grid Service accepting SAML assertions, the transport method that the grid Service expects (potentially several) : 7.3.1) As attributes of X509 proxies 7.3.2) Inside a SOAP header 7.4) Each grid Site providing grid Services to grid Users MUST install and keep up to date a robust Authorization Service enforcing VOMS authorizations, other authorizations, and mapping of grid credentials to local credentials. 7.5) Each grid Service MUST accept at least : 7.5.1) One of the Authorization Tokens described at chapter 7.2 7.5.2) One of the transport methods described at chapter 7.3 (only if the grid Service accepts SAML assertions) 7.6) As long as it satisfies subchapter 7.5, each grid Service MAY also accept Authentication and Authorization methods based on Shibboleth. 7.7) In order to ease the development and deployment of grid Clients, each grid Service SHOULD accept ALL types of Authorization Tokens described at chapter 7.2 If it accepts SAML assertions, it SHOULD accept that they are transported inside SOAP headers. 7.8) In order to keep middleware complexity and bandwidth usage as low as possible, grid Services should NOT send their full description of their security interface inside each message, but only when specifically requested (for example by the Information Service). 7.9) There should be a brief consensus on SOAP-over-HTTPS communication that mandates a specific variant of SSL/TLS (i.e., anything that implements RFC-2246, The TLS Protocol Version 1.0, which excludes GSI-OpenSSH.) TO BE DONE. To be thoroughly criticized ... Best regards. ---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ---------------------------------- On Thu, 26 Mar 2009, Duane Merrill wrote:

So, achieving full interoperability between ARC/glite/naregi would be a success for me.

Now /that/ is a good mission-statement / identity for a Working Group. It's clear, concise, and demonstrates exactly the amount of effort that is willing to be invested. -Duane

To All, In order to handle X509 proxies, we regrettably have to take into account both the OpenSSL and GSI implementations of TLS, which are incompatible. So I have updated my 'PGI Security Model' below and at http://forge.gridforum.org/sf/go/doc15584?nav=1 OGF PGI - Security Model ======================== Current Established Base ======================== Chapters 1, 2 and 3 below describe the current security model of Computing Grid Infrastructures. 1) Grid Users and Certificate Authorities ----------------------------------------- 1.1) Each grid User is authenticated by a legal body (recognized by a government). 1.2) This legal body uses a Certificate Authority to grant a (long lived) X509 certificate to the grid User. 1.3) Each Certificate Authority is itself or is authenticated by a self-signed Root Certificate Authority. 1.4) All such Root Certificate Authorities trust each other and cooperate within APGridPMA, EUGridPMA or TAGPMA (Policy Management Authorities). 1.5) These 3 Policy Management Authorities trust each other and cooperate within IGTF. 1.6) IGTF distributes the list of CA Certificates to be trusted. 1.7) Each grid Site providing grid Services to grid Users installs the CA Certificates it deems necessary. In general, there is no requirement to keep them up-to-date, but typically it is considered a security update and as such is strongly recommended to apply. Some infrastructures issue warnings for sites with outdated CA certs, but normally it does not impede operations. 1.8) Using its X509 certificate, each grid User can create at any time a (usually short lived) X509 proxy with permits impersonation / delegation during a (usually short) period. 2) Virtual Organizations ------------------------- 2.1) A Virtual Organization (VO) groups grid Users (usually with common goals). A Virtual Organization may be a legal body, and may be a Certificate Authority which can issue X509 certificates, but most are NOT. 2.2) Inside DEISA, a Virtual Community also groups grid Users with common goals. {{{The relationships between Virtual Communities and Virtual Organizations have to be explained by Morris RIEDEL}}} 2.3) Each grid User belongs to 1 or more VO (Virtual Organization), which grants him access rights to grid Storage and Computing Resources. 2.4) Access rights are granted by VOs to grid Users through either : 2.4.1) VOMS extensions of X509 proxies (this makes a VOMS proxy) 2.4.2) SAML assertions 3) Grid Services : Information, AUTHN, AUTHZ ---------------------------------------------- 3.1) Some grid Infrastructures provide an Information Service with describes the Infrastructure, for example according to the 'GLUE 1.3' schema. 3.2) If this Information Service exists, then each grid User can query it in order to discover the list, requirements and capabilities of grid Services. 3.3) Each grid User can directly access data hosted by grid Storage Services. For Authentication, the grid User can present the public part of his X509 certificate or X509 proxy. For Authorization, the grid User has to present either (depending on the Infrastructure) : 3.3.1) the public part of his X509 certificate, or 3.3.2) the public part of his X509 proxy (without VOMS extensions), or 3.3.3) the public part of his VOMS proxy, or 3.3.4) a bag of SAML assertions. In order to handle X509 proxies, both the OpenSSL and GSI implementations of TLS are widely used, but they are INCOMPATIBLE. If the grid User accesses data through a interface requiring delegation, then the next subchapter applies. 3.4) Each grid User can submit Jobs to grid Computing Services. If such a Job needs access to data hosted by grid Storage Services, then the grid User must provide a delegation token. This delegation token is either (depending on the Infrastructure) : 3.4.1) an X509 proxy, or 3.4.2) a VOMS proxy, or 3.4.3) a bag of SAML assertions. {{{Morris RIEDEL has to explain if and how delegation of SAML assertions work}}} 3.5) Each grid Site providing grid Services to grid Users has installed Authorization Files (such as 'gridmap' files) describing VOMS authorizations, other authorizations, and mapping of grid credentials to local credentials. Grid Sites try to keep those Authorization Files up to date. There is a trend to replace these static 'gridmap' files by a robust Authorization Service (SCAS by EGEE, GUMS by OSG). Where we propose to go ====================== Chapters 4, 5, 6 and 7 below describe a security model for short term Interoperability between Computing Grid Infrastructures. 4) Operational Robustness of Security -------------------------------------- 4.1) The number of Certificate Authorities for grid Infrastructures SHOULD be kept as low as possible. 5) Interoperability between X509 certificates and X509 proxies for Authentication ---------------------------------------------------------------------------------- 5.1) For this short term Security Profile aimed at short term Interoperability, we accept Shibboleth as an option, but knowingly exclude Shibboleth from any requirement. 5.2) X509 proxies MUST fully comply either to RFC 3820 or to GSI. 5.3) VOMS services, which deliver X509 proxies with VOMS extensions, MUST fully comply either to RFC 3820 or to GSI. 5.4) The authentication library used by grid Services MUST fully comply either to RFC 3820 or to GSI. 6) Information Service describing the Infrastructure according the the GLUE2 schema ------------------------------------------------------------------------------------ 6.1) Each grid Infrastructure MUST provide an Information Service, which describes the Infrastructure according the the GLUE2 schema. 6.2) If access to the Information Service is restricted, the grid Infrastructure MUST provide a Bootstrap Information Service, with describes the security requirements for access to the full Information Service according the the GLUE2 schema. 7) Interoperable Grid Services : Information, AUTHN, AUTHZ ------------------------------------------------------------ 7.1) The semantics of Authorization tokens MUST be the same for all grid Infrastructures. Examples of Authorization tokens are : 7.1.1) DN of the X509 certificate or proxy 7.1.2) VOMS-style Attribute Certificates 7.1.3) Restriction attributes 7.1.4) Shibboleth 7.2) The Information Service of each grid Infrastructure MUST describe, for each grid Service, the security requirements for access to the grid Service, and which Authorization Tokens this Service expects (potentially several). 7.3) The Information Service of each grid Infrastructure MUST describe the transport method that the grid Service expects (potentially several). In order to handle X509 proxies, we regrettably have to take into account both the OpenSSL and GSI implementations of TLS, which are incompatible. 7.4) Each grid Site providing grid Services to grid Users MUST install and keep up to date a robust Authorization Service enforcing VOMS authorizations, other authorizations, and mapping of grid credentials to local credentials. 7.5) Each grid Service MUST accept at least : 7.5.1) One of the following Authorization Tokens : - DN of the X509 certificate or proxy - X509 VOMS-style Attribute Certificates (VOMS extensions) They are defined in 'VOMS Attribute Certificate Format' at http://forge.gridforum.org/sf/go/doc13797?nav=1 - X509 restriction attributes {{{Please give the reference of a description document}}} - SAML assertions {{{Please give the reference of a description document}}} 7.5.2) One of the following transport methods : - OpenSSL (compliant to RFC 3820) for attributes of X509 proxies - GSI for attributes of X509 proxies - SOAP header for SAML assertions 7.6) As long as it satisfies subchapter 7.5, each grid Service MAY also accept Authentication and Authorization methods based on Shibboleth. 7.7) In order to ease the development and deployment of grid Clients, each grid Service SHOULD accept following types of Authorization Tokens : 7.7.1) X509 VOMS-style Attribute Certificates (VOMS extensions) 7.7.2) X509 restriction attributes. In the 2 previous cases, the grid Service SHOULD accept that they are transported through OpenSSL (compliant to RFC 3820). Transport through GSI is explicitly DEPRECATED. 7.7.3) SAML assertions. In that case, the grid Service SHOULD accept that they are transported inside SOAP headers. 7.8) In order to keep middleware complexity and bandwidth usage as low as possible, grid Services should NOT send their full description of their security interface inside each message, but only when specifically requested (for example by the Information Service). To be thoroughly criticized ... Best regards. ---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ----------------------------------

Just one clarification: Due to compatibility issues with previous versions of glite, voms-proxy-init by default creates GT2 proxies. to make it create X509 proxies, the --rfc option is needed. Ciao, Vincenzo Etienne URBAH wrote:

To All,

About X509 proxies, I just got confirmation from Vincenzo CIASCHINI that :

1) OpenSSL and GSI are really incompatible as transport layers.

2) But they now accept exactly the same X509 proxies compliant to RFC 3820.

3) Old-style GSI X509 proxies are obsolete, and their usage should be forbidden

So I have updated my 'PGI Security Model' below and at http://forge.gridforum.org/sf/go/doc15584?nav=1

OGF PGI - Security Model ========================

Current Established Base ======================== Chapters 1, 2 and 3 below describe the current security model of Computing Grid Infrastructures.

1) Grid Users and Certificate Authorities ----------------------------------------- 1.1) Each grid User is authenticated by a legal body (recognized by a government).

1.2) This legal body uses a Certificate Authority to grant a (long lived) X509 certificate to the grid User.

1.3) Each Certificate Authority is itself or is authenticated by a self-signed Root Certificate Authority.

1.4) All such Root Certificate Authorities trust each other and cooperate within APGridPMA, EUGridPMA or TAGPMA (Policy Management Authorities).

1.5) These 3 Policy Management Authorities trust each other and cooperate within IGTF.

1.6) IGTF distributes the list of CA Certificates to be trusted.

1.7) Each grid Site providing grid Services to grid Users installs the CA Certificates it deems necessary. In general, there is no requirement to keep them up-to-date, but typically it is considered a security update and as such is strongly recommended to apply. Some infrastructures issue warnings for sites with outdated CA certs, but normally it does not impede operations.

1.8) Using its X509 certificate, each grid User can create at any time a (usually short lived) X509 proxy with permits impersonation / delegation during a (usually short) period.

2) Virtual Organizations ------------------------- 2.1) A Virtual Organization (VO) groups grid Users (usually with common goals). A Virtual Organization may be a legal body, and may be a Certificate Authority which can issue X509 certificates, but most are NOT.

2.2) Inside DEISA, a Virtual Community also groups grid Users with common goals. {{{The relationships between Virtual Communities and Virtual Organizations have to be explained by Morris RIEDEL}}}

2.3) Each grid User belongs to 1 or more VO (Virtual Organization), which grants him access rights to grid Storage and Computing Resources.

2.4) Access rights are granted by VOs to grid Users through either : 2.4.1) VOMS extensions of X509 proxies (this makes a VOMS proxy) 2.4.2) SAML assertions

3) Grid Services : Information, AUTHN, AUTHZ ---------------------------------------------- 3.1) Some grid Infrastructures provide an Information Service with describes the Infrastructure, for example according to the 'GLUE 1.3' schema.

3.2) If this Information Service exists, then each grid User can query it in order to discover the list, requirements and capabilities of grid Services.

3.3) Each grid User can directly access data hosted by grid Storage Services. For Authentication, the grid User can present the public part of his X509 certificate or X509 proxy. For Authorization, the grid User has to present either (depending on the Infrastructure) : 3.3.1) the public part of his X509 certificate, or 3.3.2) the public part of his X509 proxy (without VOMS extensions), or 3.3.3) the public part of his VOMS proxy, or 3.3.4) a bag of SAML assertions. In order to handle X509 proxies, both the OpenSSL and GSI implementations of TLS are widely used and accept exactly the same X509 proxies compliant to RFC 3820, but they are INCOMPATIBLE as transport layers. If the grid User accesses data through a interface requiring delegation, then the next subchapter applies.

3.4) Each grid User can submit Jobs to grid Computing Services. If such a Job needs access to data hosted by grid Storage Services, then the grid User must provide a delegation token. This delegation token is either (depending on the Infrastructure) : 3.4.1) an X509 proxy, or 3.4.2) a VOMS proxy, or 3.4.3) a bag of SAML assertions. {{{Morris RIEDEL has to explain if and how delegation of SAML assertions work}}}

3.5) Each grid Site providing grid Services to grid Users has installed Authorization Files (such as 'gridmap' files) describing VOMS authorizations, other authorizations, and mapping of grid credentials to local credentials. Grid Sites try to keep those Authorization Files up to date. There is a trend to replace these static 'gridmap' files by a robust Authorization Service (SCAS by EGEE, GUMS by OSG).

Where we propose to go ====================== Chapters 4, 5, 6 and 7 below describe a security model for short term Interoperability between Computing Grid Infrastructures.

4) Operational Robustness of Security -------------------------------------- 4.1) The number of Certificate Authorities for grid Infrastructures SHOULD be kept as low as possible.

5) Interoperability between X509 certificates and X509 proxies for Authentication ----------------------------------------------------------------------------------

5.1) For this short term Security Profile aimed at short term Interoperability, we accept Shibboleth as an option, but knowingly exclude Shibboleth from any requirement.

5.2) X509 proxies MUST fully comply to RFC 3820.

5.3) VOMS services, which deliver X509 proxies with VOMS extensions, MUST fully comply to RFC 3820.

5.4) The authentication library used by grid Services MUST fully comply either to RFC 3820 or to GSI.

6) Information Service describing the Infrastructure according the the GLUE2 schema ------------------------------------------------------------------------------------

6.1) Each grid Infrastructure MUST provide an Information Service, which describes the Infrastructure according the the GLUE2 schema.

6.2) If access to the Information Service is restricted, the grid Infrastructure MUST provide a Bootstrap Information Service, with describes the security requirements for access to the full Information Service according the the GLUE2 schema.

7) Interoperable Grid Services : Information, AUTHN, AUTHZ ------------------------------------------------------------ 7.1) The semantics of Authorization tokens MUST be the same for all grid Infrastructures. Examples of Authorization tokens are : 7.1.1) DN of the X509 certificate or proxy 7.1.2) VOMS-style Attribute Certificates 7.1.3) Restriction attributes 7.1.4) Shibboleth

7.2) The Information Service of each grid Infrastructure MUST describe, for each grid Service, the security requirements for access to the grid Service, and which Authorization Tokens this Service expects (potentially several).

7.3) The Information Service of each grid Infrastructure MUST describe the transport method that the grid Service expects (potentially several). In order to handle X509 proxies, we regrettably have to take into account both the OpenSSL and GSI implementations of TLS, which are incompatible.

7.4) Each grid Site providing grid Services to grid Users MUST install and keep up to date a robust Authorization Service enforcing VOMS authorizations, other authorizations, and mapping of grid credentials to local credentials.

7.5) Each grid Service MUST accept at least : 7.5.1) One of the following Authorization Tokens : - DN of the X509 certificate or proxy - X509 VOMS-style Attribute Certificates (VOMS extensions) They are defined in 'VOMS Attribute Certificate Format' at http://forge.gridforum.org/sf/go/doc13797?nav=1 - X509 restriction attributes {{{Please give the reference of a description document}}} - SAML assertions {{{Please give the reference of a description document}}} 7.5.2) One of the following transport methods : - OpenSSL (compliant to RFC 3820) for attributes of X509 proxies - GSI for attributes of X509 proxies - SOAP header for SAML assertions

7.6) As long as it satisfies subchapter 7.5, each grid Service MAY also accept Authentication and Authorization methods based on Shibboleth.

7.7) In order to ease the development and deployment of grid Clients, each grid Service SHOULD accept following types of Authorization Tokens : 7.7.1) X509 VOMS-style Attribute Certificates (VOMS extensions) 7.7.2) X509 restriction attributes. In the 2 previous cases, the grid Service SHOULD accept that they are transported through OpenSSL (compliant to RFC 3820). Transport through GSI is explicitly DEPRECATED. 7.7.3) SAML assertions. In that case, the grid Service SHOULD accept that they are transported inside SOAP headers.

7.8) In order to keep middleware complexity and bandwidth usage as low as possible, grid Services should NOT send their full description of their security interface inside each message, but only when specifically requested (for example by the Information Service).

To be thoroughly criticized ...

Best regards.

---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ----------------------------------

On Fri, 27 Mar 2009m Etienne URBAH wrote:

...

To All,

In order to handle X509 proxies, we regrettably have to take into account both the OpenSSL and GSI implementations of TLS, which are incompatible.

So I have updated my 'PGI Security Model' below and at http://forge.gridforum.org/sf/go/doc15584?nav=1

Best regards.

---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ----------------------------------

------------------------------------------------------------------------

_______________________________________________ Pgi-wg mailing list Pgi-wg@ogf.org http://www.ogf.org/mailman/listinfo/pgi-wg

On Friday 03 April 2009 01:00, Etienne URBAH wrote:

Vincenzo and All,

My preceding mail about X509 proxies contained a FALSE assertion.

In fact :

- OpenSSL accepts only RFC-3820-compliant X509 proxies,

- GSI accepts only GSI-style X509 proxies.

GSI as implemented by Globus since version 4.0 (approximately) supports both pre-RFC proxies (versions 2 and 3 also known as Globus proxies) and RFC proxies (as defined in RFC 3820).

Following assertions still have to be verified :

- VOMS servers only accept GSI-style X509 proxies See http://forge.gridforum.org/sf/go/doc15591?nav=1

- Delegation of X509 proxies can be performed only by GSI.

X.509 proxy delegation at so called transport level can be performed using so called GSI connection. X.509 proxy delegation at transport level can NOT be performed if using SSL/TLS connection. In last case X.509 proxy delegation can be performed at higher level protocol. A.K.

So I have updated my 'PGI Security Model' below and at http://forge.gridforum.org/sf/go/doc15584?nav=1

OGF PGI - Security Model ========================

Current Established Base ======================== Chapters 1, 2 and 3 below describe the current security model of Computing Grid Infrastructures.

1) Grid Users and Certificate Authorities ----------------------------------------- 1.1) Each grid User is authenticated by a legal body (recognized by a government).

1.2) This legal body uses a Certificate Authority to grant a (long lived) X509 certificate to the grid User.

1.3) Each Certificate Authority is itself or is authenticated by a self-signed Root Certificate Authority.

1.4) All such Root Certificate Authorities trust each other and cooperate within APGridPMA, EUGridPMA or TAGPMA (Policy Management Authorities).

1.5) These 3 Policy Management Authorities trust each other and cooperate within IGTF.

1.6) IGTF distributes the list of CA Certificates to be trusted.

1.7) Each grid Site providing grid Services to grid Users installs the CA Certificates it deems necessary. In general, there is no requirement to keep them up-to-date, but typically it is considered a security update and as such is strongly recommended to apply. Some infrastructures issue warnings for sites with outdated CA certs, but normally it does not impede operations.

1.8) Using its X509 certificate, each grid User can create at any time a (usually short lived) X509 proxy with permits impersonation / delegation during a (usually short) period.

1.9) Regrettably, there are 2 widely used INCOMPATIBLE types of X509 proxies : 1.9.1) RFC-3820-compliant X509 proxies can only be used by RFC-3820-compliant software, such as OpenSSL, 1.9.2) GSI-style X509 proxies can only be used with the GSI middleware, which permits further delegation.

2) Virtual Organizations ------------------------- 2.1) A Virtual Organization (VO) groups grid Users (usually with common goals). A Virtual Organization may be a legal body, and may be a Certificate Authority which can issue X509 certificates, but most are NOT. Each Virtual Organization can independently define Groups and Roles.

2.2) Inside DEISA, a Virtual Community also groups grid Users with common goals. It should be possible to map each Virtual Community to a Group of a Virtual Organization.

2.3) Each grid User belongs to 1 or more VO (Virtual Organization), which grants him access rights to grid Storage and Computing Resources.

2.4) Access rights are granted by VOs to grid Users through either : 2.4.1) VOMS extensions of X509 proxies (this makes a VOMS proxy) VOMS servers only accept GSI-style X509 proxies {{{TO BE VERIFIED}}} 2.4.2) SAML assertions

3) Grid Services : Information, AUTHN, AUTHZ ---------------------------------------------- 3.1) Some grid Infrastructures provide an Information Service with describes the Infrastructure, for example according to the 'GLUE 1.3' schema.

3.2) If this Information Service exists, then each grid User can query it in order to discover the list, requirements and capabilities of grid Services.

3.3) Each grid User can directly access data hosted by grid Storage Services. For Authentication, the grid User can present the public part of his X509 certificate or X509 proxy. For Authorization, the grid User has to present either (depending on the Infrastructure) : 3.3.1) the public part of his X509 certificate, or 3.3.2) the public part of his RFC-3820-compliant X509 proxy (without VOMS extensions), or 3.3.3) the public part of his GSI-Style X509 proxy (without VOMS extensions), or 3.3.4) the public part of his VOMS proxy, or 3.3.5) a bag of SAML assertions. In order to handle X509 proxies : - The OpenSSL implementation of TLS accepts only RFC-3820-compliant X509 proxies, - The GSI implementation of TLS accepts only GSI-style X509 proxies. So these 2 implementations of TLS are totally INCOMPATIBLE. If the grid User accesses data through a interface requiring delegation, then the next subchapter applies.

3.4) Each grid User can submit Jobs to grid Computing Services. If such a Job needs access to data hosted by grid Storage Services, then the grid User must provide a delegation token. This delegation token is either (depending on the Infrastructure) : 3.4.1) an X509 proxy, or 3.4.2) a VOMS proxy, or 3.4.3) a bag of SAML assertions.

3.5) Each grid Site providing grid Services to grid Users has installed Authorization Files (such as 'gridmap' files) describing VOMS authorizations, other authorizations, and mapping of grid credentials to local credentials. Grid Sites try to keep those Authorization Files up to date. There is a trend to replace these static 'gridmap' files by a robust Authorization Service (SCAS by EGEE, GUMS by OSG).

Where we propose to go ====================== Chapters 4, 5, 6 and 7 below describe a security model for short term Interoperability between Computing Grid Infrastructures.

4) Operational Robustness of Security -------------------------------------- 4.1) The number of Certificate Authorities for grid Infrastructures SHOULD be kept as low as possible.

5) Interoperability between X509 certificates and X509 proxies for Authentication ---------------------------------------------------------------------------------- 5.1) For this short term Security Profile aimed at short term Interoperability, we accept Shibboleth as an option, but knowingly exclude Shibboleth from any requirement.

5.2) X509 proxies MUST fully comply either to RFC 3820 or to GSI.

5.3) VOMS services, which deliver X509 proxies with VOMS extensions, MUST fully comply to RFC 3820 or GSI, and MAY accept both.

5.4) The authentication library used by grid Services MUST fully comply to RFC 3820 or GSI, and MAY accept both.

6) Information Service describing the Infrastructure according the the GLUE2 schema ------------------------------------------------------------------------------------ 6.1) Each grid Infrastructure MUST provide an Information Service, which describes the Infrastructure according the the GLUE2 schema.

6.2) If access to the Information Service is restricted, the grid Infrastructure MUST provide a Bootstrap Information Service, with describes the security requirements for access to the full Information Service according the the GLUE2 schema.

7) Interoperable Grid Services : Information, AUTHN, AUTHZ ------------------------------------------------------------ 7.1) The semantics of Authorization tokens MUST be the same for all grid Infrastructures. Examples of Authorization tokens are : 7.1.1) DN of the X509 certificate or proxy 7.1.2) VOMS-style Attribute Certificates 7.1.3) Restriction attributes 7.1.4) Shibboleth

7.2) The Information Service of each grid Infrastructure MUST describe, for each grid Service, the security requirements for access to the grid Service, and which Authorization Tokens this Service expects (potentially several). GSI-style X509 proxies are DEPRECATED in favor of RFC-3820-compliant X509 proxies. Each provider of grid middleware MUST establish and publish the list of the components which still require GSI-style X509 proxies.

7.3) The Information Service of each grid Infrastructure MUST describe the transport method that the grid Service expects (potentially several). The GSI implementation of TLS is DEPRECATED in favor of RFC-3820-compliant TLS, such as OpenSSL. Each provider of grid middleware MUST establish and publish the list of the components which still require the GSI implementation of TLS.

7.4) Each grid Site providing grid Services to grid Users MUST install and keep up to date a robust Authorization Service enforcing VOMS authorizations, other authorizations, and mapping of grid credentials to local credentials.

7.5) Each grid Service MUST accept at least : 7.5.1) One of the following Authorization Tokens : - DN of the X509 certificate or RFC-3820-compliant X509 proxy - DN of the GSI-syle X509 proxy - X509 VOMS-style Attribute Certificates (VOMS extensions) They are defined in 'VOMS Attribute Certificate Format' at http://forge.gridforum.org/sf/go/doc13797?nav=1 - X509 restriction attributes {{{Please give the reference of a description document}}} - SAML assertions (Attention: there are differences between SAML V1.1 and SAML V2.0)

http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAM...

7.5.2) One of the following transport methods : - OpenSSL for X509 certificates and RFC-3820-compliant X509 proxies - GSI for GSI-style X509 proxies - SOAP header for SAML assertions

7.6) As long as it satisfies subchapter 7.5, each grid Service MAY also accept Authentication and Authorization methods based on Shibboleth.

7.7) In order to ease the development and deployment of grid Clients, each grid Service SHOULD accept following types of Authorization Tokens : 7.7.1) DN of the X509 certificate or RFC-3820-compliant X509 proxy (transport by OpenSSL) 7.7.2) X509 VOMS-style Attribute Certificates (transport by GSI) 7.7.3) X509 restriction attributes (transport by OpenSSL) 7.7.4) SAML assertions (transport inside SOAP headers).

7.8) In order to keep middleware complexity and bandwidth usage as low as possible, grid Services should NOT send their full description of their security interface inside each message, but only when specifically requested (for example by the Information Service).

To be thoroughly criticized ...

Best regards.

---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ----------------------------------

On Mon, 30 Mar 2009, Vincenzo Ciaschini wrote:

...

Just one clarification: Due to compatibility issues with previous versions of glite, voms-proxy-init by default creates GT2 proxies. to make it create X509 proxies, the --rfc option is needed.

Ciao, Vincenzo

Etienne URBAH wrote:

...

To All,

About X509 proxies, I just got confirmation from Vincenzo CIASCHINI that :

1) OpenSSL and GSI are really incompatible as transport layers.

2) But they now accept exactly the same X509 proxies compliant to RFC 3820.

3) Old-style GSI X509 proxies are obsolete, and their usage should be forbidden

So I have updated my 'PGI Security Model' below and at http://forge.gridforum.org/sf/go/doc15584?nav=1

Best regards.

---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ----------------------------------

On Fri, 27 Mar 2009m Etienne URBAH wrote:

...

To All,

In order to handle X509 proxies, we regrettably have to take into account both the OpenSSL and GSI implementations of TLS, which are incompatible.

So I have updated my 'PGI Security Model' below and at http://forge.gridforum.org/sf/go/doc15584?nav=1

Best regards.

---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ----------------------------------

Aleksandr, Duane and All, Concerning the PGI Security Model : Lot of thanks to Aleksandr and Duane for their explanations about different types of proxies, versions of GSI, and delegation. I know understand that : - NEW versions of GSI (since version 4.0 approximately) accept both RFC-3820-compliant X509 proxies and Globus proxies. - Delegation of any security token can be performed at higher level, for example by the 'GridSite Delegation' service. Important is that old versions of GSI, which do NOT accept RFC-3820-compliant X509 proxies, block interoperability, and are then STRONGLY DEPRECATED. Therefore, each provider of grid middleware using such an old version of GSI : - MUST establish and publish the list of the components which still uses it, - SHOULD migrate to a new version of GSI which also accepts RFC-3820-compliant X509 proxies. Still to be verified is that VOMS servers only accept GSI-style X509 proxies http://forge.gridforum.org/sf/go/doc15591?nav=1 Anyway, I have updated my 'PGI Security Model' below and at http://forge.gridforum.org/sf/go/doc15584?nav=1 OGF PGI - Security Model ======================== Current Established Base ======================== Chapters 1, 2 and 3 below describe the current security model of Computing Grid Infrastructures. 1) Grid Users and Certificate Authorities ----------------------------------------- 1.1) Each grid User is authenticated by a legal body (recognized by a government). 1.2) This legal body uses a Certificate Authority to grant a (long lived) X509 certificate to the grid User. 1.3) Each Certificate Authority is itself or is authenticated by a self-signed Root Certificate Authority. 1.4) All such Root Certificate Authorities trust each other and cooperate within APGridPMA, EUGridPMA or TAGPMA (Policy Management Authorities). 1.5) These 3 Policy Management Authorities trust each other and cooperate within IGTF. 1.6) IGTF distributes the list of CA Certificates to be trusted. 1.7) Each grid Site providing grid Services to grid Users installs the CA Certificates it deems necessary. In general, there is no requirement to keep them up-to-date, but typically it is considered a security update and as such is strongly recommended to apply. Some infrastructures issue warnings for sites with outdated CA certs, but normally it does not impede operations. 1.8) Using its X509 certificate, each grid User can create at any time a (usually short lived) X509 proxy with permits impersonation / delegation during a (usually short) period. 1.9) Regrettably, there are 2 widely used INCOMPATIBLE types of X509 proxies : 1.9.1) RFC-3820-compliant X509 proxies can only be used by RFC-3820-compliant software, such as OpenSSL, or NEW versions of the GSI middleware (since version 4.0 approximately) 1.9.2) Globus proxies can only be used with the GSI middleware, which permits direct delegation. 2) Virtual Organizations ------------------------- 2.1) A Virtual Organization (VO) groups grid Users (usually with common goals). A Virtual Organization may be a legal body, and may be a Certificate Authority which can issue X509 certificates, but most are NOT. Each Virtual Organization can independently define Groups and Roles. 2.2) Inside DEISA, a Virtual Community also groups grid Users with common goals. It should be possible to map each Virtual Community to a Group of a Virtual Organization. 2.3) Each grid User belongs to 1 or more VO (Virtual Organization), which grants him access rights to grid Storage and Computing Resources. 2.4) Access rights are granted by VOs to grid Users through either : 2.4.1) VOMS extensions of X509 proxies (this makes a VOMS proxy) Currently, VOMS servers only accept Globus proxies {{{TO BE VERIFIED}}} 2.4.2) SAML assertions 3) Grid Services : Information, AUTHN, AUTHZ ---------------------------------------------- 3.1) Some grid Infrastructures provide an Information Service with describes the Infrastructure, for example according to the 'GLUE 1.3' schema. 3.2) If this Information Service exists, then each grid User can query it in order to discover the list, requirements and capabilities of grid Services. 3.3) Each grid User can directly access data hosted by grid Storage Services. For Authentication, the grid User can present the public part of his X509 certificate or X509 proxy. For Authorization, the grid User has to present either (depending on the Infrastructure) : 3.3.1) the public part of his X509 certificate, or 3.3.2) the public part of his RFC-3820-compliant X509 proxy (without VOMS extensions), or 3.3.3) the public part of his Globus proxy (without VOMS extensions), or 3.3.4) the public part of his VOMS proxy, or 3.3.5) a bag of SAML assertions. In order to handle X509 proxies : - The OpenSSL implementation of TLS accepts only RFC-3820-compliant X509 proxies, - Old GSI implementations of TLS accepts only Globus proxies. So the 2 previous implementations of TLS are totally INCOMPATIBLE. - New GSI implementations of TLS (since version 4.0 approximately) accepts both RFC-3820-compliant X509 proxies and Globus proxies. If the grid User accesses data through a interface requiring delegation, then the next subchapter applies. 3.4) Each grid User can submit Jobs to grid Computing Services. If such a Job needs access to data hosted by grid Storage Services, then the grid User must provide a delegation token. This delegation token is either (depending on the Infrastructure) : 3.4.1) an X509 proxy, or 3.4.2) a VOMS proxy, or 3.4.3) a bag of SAML assertions. Delegation can be performed : - Directly by GSI, but only with Globus proxies, - At a higher level, for example by the 'GridSite Delegation' service described at http://www.gridsite.org/wiki/Delegation_protocol 3.5) Each grid Site providing grid Services to grid Users has installed Authorization Files (such as 'gridmap' files) describing VOMS authorizations, other authorizations, and mapping of grid credentials to local credentials. Grid Sites try to keep those Authorization Files up to date. There is a trend to replace these static 'gridmap' files by a robust Authorization Service (SCAS by EGEE, GUMS by OSG). Where we propose to go ====================== Chapters 4, 5, 6 and 7 below describe a security model for short term Interoperability between Computing Grid Infrastructures. 4) Operational Robustness of Security -------------------------------------- 4.1) The number of Certificate Authorities for grid Infrastructures SHOULD be kept as low as possible. 5) Interoperability between X509 certificates and X509 proxies for Authentication ---------------------------------------------------------------------------------- 5.1) For this short term Security Profile aimed at short term Interoperability, we accept Shibboleth as an option, but knowingly exclude Shibboleth from any requirement. 5.2) X509 proxies MUST fully comply either to RFC 3820 or to GSI. 5.3) VOMS services, which deliver X509 proxies with VOMS extensions, MUST fully comply to RFC 3820 or GSI, and MAY accept both. 5.4) The authentication library used by grid Services MUST fully comply to RFC 3820 or GSI, and MAY accept both. Old versions of GSI, which do NOT accept RFC-3820-compliant X509 proxies, block interoperability, and are STRONGLY DEPRECATED. Therefore, each provider of grid middleware using such an old version of GSI : - MUST establish and publish the list of the components which still uses it, - SHOULD migrate to a new version of GSI which also accepts RFC-3820-compliant X509 proxies. 6) Information Service describing the Infrastructure according the the GLUE2 schema ------------------------------------------------------------------------------------ 6.1) Each grid Infrastructure MUST provide an Information Service, which describes the Infrastructure according the the GLUE2 schema. 6.2) If access to the Information Service is restricted, the grid Infrastructure MUST provide a Bootstrap Information Service, with describes the security requirements for access to the full Information Service according the the GLUE2 schema. 7) Interoperable Grid Services : Information, AUTHN, AUTHZ ------------------------------------------------------------ 7.1) The semantics of Authorization tokens MUST be the same for all grid Infrastructures. Examples of Authorization tokens are : 7.1.1) DN of the X509 certificate or proxy 7.1.2) VOMS-style Attribute Certificates 7.1.3) Restriction attributes 7.1.4) Shibboleth 7.2) The Information Service of each grid Infrastructure MUST describe, for each grid Service, the security requirements for access to the grid Service, and which Authorization Tokens this Service expects (potentially several). Globus proxies are DEPRECATED in favor of RFC-3820-compliant X509 proxies. Each provider of grid middleware MUST establish and publish the list of the components which still require Globus proxies. 7.3) The Information Service of each grid Infrastructure MUST describe the transport method that the grid Service expects (potentially several). We repeat here what we have written in chapter 5.4 : Old versions of GSI, which do NOT accept RFC-3820-compliant X509 proxies, block interoperability, and are STRONGLY DEPRECATED. Therefore, each provider of grid middleware using such an old version of GSI : - MUST establish and publish the list of the components which still uses it, - SHOULD migrate to a new version of GSI which also accepts RFC-3820-compliant X509 proxies. 7.4) Each grid Site providing grid Services to grid Users MUST install and keep up to date a robust Authorization Service enforcing VOMS authorizations, other authorizations, and mapping of grid credentials to local credentials. 7.5) Each grid Service MUST accept at least : 7.5.1) One of the following Authorization Tokens : - DN of the X509 certificate or RFC-3820-compliant X509 proxy - DN of the GSI-syle X509 proxy - X509 VOMS-style Attribute Certificates (VOMS extensions) They are defined in 'VOMS Attribute Certificate Format' at http://forge.gridforum.org/sf/go/doc13797?nav=1 - X509 restriction attributes {{{Please give the reference of a description document}}} - SAML assertions (Attention: there are differences between SAML V1.1 and SAML V2.0) http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAM... 7.5.2) One of the following transport methods : - OpenSSL (or new GSI) for X509 certificates and RFC-3820-compliant X509 proxies, - GSI for Globus proxies (migration to new GSI is STRONGLY RECOMMENDED), - SOAP header for SAML assertions. 7.6) As long as it satisfies subchapter 7.5, each grid Service MAY also accept Authentication and Authorization methods based on Shibboleth. 7.7) In order to ease the development and deployment of grid Clients, each grid Service SHOULD accept following types of Authorization Tokens : 7.7.1) DN of the X509 certificate or RFC-3820-compliant X509 proxy (transport by OpenSSL) 7.7.2) X509 VOMS-style Attribute Certificates (transport by GSI) 7.7.3) X509 restriction attributes (transport by OpenSSL) 7.7.4) SAML assertions (transport inside SOAP headers). 7.8) In order to keep middleware complexity and bandwidth usage as low as possible, grid Services should NOT send their full description of their security interface inside each message, but only when specifically requested (for example by the Information Service). To be thoroughly criticized ... Best regards. ---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ---------------------------------- On Mon, 6 Apr 2009, Duane Merrill wrote:

Yes, that is in line with my understanding as well. Although, I don't believe there is anything preventing the higher-level application layer delegation of "GSI-style" proxies as well. I mean, if we're going to go to the effort for RFC proxies.....

Duane

On 4/5/09, Aleksandr Konstantinov <aleksandr.konstantinov@fys.uio.no> wrote:

...

On Friday 03 April 2009 01:00, Etienne URBAH wrote:

...

Vincenzo and All,

My preceding mail about X509 proxies contained a FALSE assertion.

In fact :

- OpenSSL accepts only RFC-3820-compliant X509 proxies,

- GSI accepts only GSI-style X509 proxies. GSI as implemented by Globus since version 4.0 (approximately) supports both pre-RFC proxies (versions 2 and 3 also known as Globus proxies) and RFC proxies (as defined in RFC 3820).

...

Following assertions still have to be verified :

- VOMS servers only accept GSI-style X509 proxies See http://forge.gridforum.org/sf/go/doc15591?nav=1

- Delegation of X509 proxies can be performed only by GSI.

X.509 proxy delegation at so called transport level can be performed using so called GSI connection. X.509 proxy delegation at transport level can NOT be performed if using SSL/TLS connection. In last case X.509 proxy delegation can be performed at higher level protocol.

A.K.

...

Best regards.

---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ----------------------------------

On Mon, 30 Mar 2009, Vincenzo Ciaschini wrote:

...

Just one clarification: Due to compatibility issues with previous versions of glite, voms-proxy-init by default creates GT2 proxies. to make it create X509 proxies, the --rfc option is needed.

Ciao, Vincenzo

Etienne URBAH wrote:

...

To All,

About X509 proxies, I just got confirmation from Vincenzo CIASCHINI that :

1) OpenSSL and GSI are really incompatible as transport layers.

2) But they now accept exactly the same X509 proxies compliant to RFC 3820.

3) Old-style GSI X509 proxies are obsolete, and their usage should be forbidden

So I have updated my 'PGI Security Model' below and at http://forge.gridforum.org/sf/go/doc15584?nav=1

Best regards.

---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ----------------------------------

On Fri, 27 Mar 2009m Etienne URBAH wrote:

...

To All,

In order to handle X509 proxies, we regrettably have to take into account both the OpenSSL and GSI implementations of TLS, which are incompatible.

So I have updated my 'PGI Security Model' below and at http://forge.gridforum.org/sf/go/doc15584?nav=1

Best regards.

---------------------------------- Etienne URBAH IN2P3 - LAL Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Mob: +33 6 22 30 53 27 Skype: etienne.urbah mailto:urbah@lal.in2p3.fr ----------------------------------

Hi PGI team, looking at the latest conversations I see a demand to discuss how we can actually profile/specify the security plumbings basically agreed from the group so far (maybe aligned with information plumbings describing the security setup). Unfortunately, there will be no telcon on Friday this week due to eastern holidays, but next week as usual. However, we should start a discussion how we can specify the three plumbings for authN and two plumbings for authZ we agreed on so far. Addressing the comment from Steven around specifying the GSI elements: pro # MWSG means we could specify it although its not a real standard # A xyz PGI profile would support our production legacy systems contra # we have a PGI profile that includes already elements that are deprecated (GSI et al.) - plan was to just remove these plumbings over time... # it's harder to standardize instead of focusing on RFC elements However, from the most recent work in PGI I got the strong feeling that we have to stick to the three authN plumbings and two authZ plumbings - maybe people still disagree here, but I got a response from Alex Sim (SRM collaboration) mentioning that GSI is still all over the place and non-GSI versions (i.e. 3.0) will maybe deployed in the next 3-4 years... so out of scope of our work. The question arises how we specify these plumbings exactly. (1) Approach 1 (like WS-RF that consists of n specifications) # PGI data/job/security (our first document from the charter) ## PGI - AuthN - GSI ## PGI - AuthN - RFCProxy ## PGI - AuthN - EE ## PGI - AuthZ - SAML ## PGI - AuthZ - AC ## PGI - Data - ... Each of it would be a specification element part of the overall PGI standard. Adopters refer to it as specifying a server being PGI-AUTHN - RFCProxy Compliant, etc. (2) Approach 2 (similar like Duane's approach) We define everthing in one specification and combine our elements with # MANDATORY to support at least one of... # MANDATORY to support ...or / and # etc. Here adopters refer to Tags like PGI_COMM_XYZ within the PGI specification to indicate whether a system supports proxies or not. Any other approach I missed? Take care, Morris ------------------------------------------------------------ Morris Riedel SW - Engineer Distributed Systems and Grid Computing Division Jülich Supercomputing Centre (JSC) Forschungszentrum Juelich Wilhelm-Johnen-Str. 1 D - 52425 Juelich Germany Email: m.riedel@fz-juelich.de Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel Phone: +49 2461 61 - 3651 Fax: +49 2461 61 - 6656 Skype: MorrisRiedel "We work to better ourselves, and the rest of humanity" Sitz der Gesellschaft: Jülich Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), Dr. Ulrich Krafft (stellv. Vorsitzender)

------Original Message----- -From: pgi-wg-bounces@ogf.org [mailto:pgi-wg-bounces@ogf.org] On Behalf Of -Steven Newhouse -Sent: Wednesday, April 08, 2009 8:02 AM -To: Etienne Urbah; aleksandr.konstantinov@fys.uio.no; Duane MERRIL; pgi- -wg@ogf.org -Cc: edges-na3@mail.edges-grid.eu; lodygens@lal.in2p3.fr -Subject: Re: [Pgi-wg] OGF PGI - Security Model - NEW versions of GSI acceptRFC- -3820-compliant X509 proxies - -Etienne raises a valid point... - -> Important is that old versions of GSI, which do NOT accept RFC-3820- -> compliant X509 proxies, block interoperability, and are then STRONGLY -> DEPRECATED. - -These are still being used and supported (to provide legacy -compatibility) but alongside support for the newer X509 proxy system. - -> Therefore, each provider of grid middleware using such an old version -> of GSI : -> - MUST establish and publish the list of the components which still -> uses it, -> - SHOULD migrate to a new version of GSI which also accepts RFC-3820- -> compliant X509 proxies. - -This group has no right to mandate what middleware providers should or -should not do! But if no provider is JUST using old versions of GSI and -intend to migrate away from them I see no point in trying to define a -profile around something that has no clear specification (just the GT -implementation) and everyone intends to remove in the future. - -Surely its better to focus our energies on defining a profile around the -new style proxies that groups intend to support going forward? - -Steven - -_______________________________________________ -Pgi-wg mailing list -Pgi-wg@ogf.org -http://www.ogf.org/mailman/listinfo/pgi-wg

Hi Etienne, I am not easy at all with purely operational requirements being presented as a PGI recommendation. We define what is a standard profile, and it is up to m/w providers and VOs to decide whether they should conform to it or no. I am also sure that PGI is not in a position to define procedures and policies - only best practices, at most. Specifically:

2.2) Inside DEISA, a Virtual Community also groups grid Users with common goals. It should be possible to map each Virtual Community to a Group of a Virtual Organization.

Why should it be possible at all? I suppose you meant to say that a Virtual Community is similar to a VO, or for all practical reasons can be characterized as a VO, but I don't think it should be necessary to perform any mapping!

2.3) Each grid User belongs to 1 or more VO (Virtual Organization), which grants him access rights to grid Storage and Computing Resources.

... and many other services - why single out these two? There are information services, file transfer services, accounting services, monitoring services, data indexing services and even collaborative documentation development and agenda services - my VO membership grants me access to such services already today.

2.4) Access rights are granted by VOs to grid Users through either : 2.4.1) VOMS extensions of X509 proxies (this makes a VOMS proxy). Currently, inside EGEE : - VOMS servers with version older than 2.0 only accept

This has nothing to do with EGEE; old VOMS servers are used by many other projects.

Globus proxies. The 'vomses' configuration file theoretically contains information about this version, so that the 'voms-proxy-init' command adapts the proxy format when needed, but many VOs distribute an incorrect 'vomses' file.

There's certainly nothing "theoretical" with the configuration file: it is well documented, and it is up to every user to fix it, because it actually resides in his/her home directory and can be easily fixed (or messed up, for that matter) without intervention of VO managers. This paragraph has nothing to do with a standard definition. We are not going to write down configuration instructions for every single tool here, are we?

- VOMS servers with version 2.0 onwards will be able (at the end of this year) to accept any kind of proxy, even an X509 certificate.

This is also a minor detail which will have no practical meaning very soon (even now it is hardly relevant)

- New GSI implementations of TLS (since version 4.0 approximately) accepts both RFC-3820-compliant X509 proxies and Globus proxies.

I would recommend to read this fine paper, dated July 2005: http://www.globus.org/toolkit/docs/4.0/security/GT4-GSI-Overview.pdf Does anybody think that a technology of 2005 is "new"?.. And it is not "approximately", it is GT4. Even if some projects still use GT2, it is not a reason to call GT4 "new".

5.3) VOMS services, which deliver X509 proxies with VOMS extensions, MUST fully comply to RFC 3820 or GSI, and MAY accept both. Inside EGEE, all VO managers MUST verify the content of their 'vomses' file, and fix it if necessary.

No way we can require this, really. Besides, like I wrote before, vomses files are easily overwritten by users local vomses, so this recommendation is completely void. And knowing that the latest VOMS version is actually compliant with this requirement, it becomes redundant.

5.4) The authentication library used by grid Services MUST fully comply to RFC 3820 or GSI, and MAY accept both. Old versions of GSI, which do NOT accept RFC-3820-compliant X509 proxies, block interoperability, and are STRONGLY DEPRECATED. Therefore, we advise each provider of grid middleware using such an old version of GSI to : - establish and publish the list of the components which still uses it, - migrate to a new version of GSI which also accepts RFC-3820-compliant X509 proxies.

No need to advise this publishing and migration, we do not define policies and procedures here. If any Grid m/w provider does not accept both, it is simply not PGI-conforming, period. It may still serve users happily.

7.2) The Information Service of each grid Infrastructure MUST describe, for each grid Service, the security requirements for access to the grid Service, and which Authorization Tokens this Service expects (potentially several). Globus proxies are DEPRECATED in favor of RFC-3820-compliant X509 proxies. Each provider of grid middleware MUST establish and publish the list of the components which still require Globus proxies.

See above. We can not require m/w providers to report to PGI what they do and what they don't - we are not that kind of an authority. Unless we are going to issue "PGI certified" stickers, or give away "PGI product of the year" awards, of course ;-)

7.3) The Information Service of each grid Infrastructure MUST describe the transport method that the grid Service expects (potentially several). We repeat here what we have written in chapter 5.4 : Old versions of GSI, which do NOT accept RFC-3820-compliant X509 proxies, block interoperability, and are STRONGLY DEPRECATED. Therefore, we advise each provider of grid middleware using such an old version of GSI to : - establish and publish the list of the components which still uses it, - migrate to a new version of GSI which also accepts RFC-3820-compliant X509 proxies.

See above, we are not this kind of an authority. If a m/w provider chooses to produce a non-PGI-compliant software, it is their choice entirely. Cheers, Oxana

Hi Etienne, Etienne URBAH wrote:

Still to be verified is that VOMS servers only accept GSI-style X509 proxies http://forge.gridforum.org/sf/go/doc15591?nav=1 VOMS accepts and generates both type of proxies. However, there is a caveat, which explains the failures you get:

Pre VOMS 2.0: Server-side, VOMS uses GSI for validation. This means that if you run voms against gt2, contacting it with a gt4 proxy will fail. There is a final argument in the vomses file which specifies which version of GT the service uses, and adapts the proxies used to contact it accordingly. Many VOs distribute an incorrect vomses file. The final proxy obtained as output by voms-proxy-init will always be what you requested, in this case a rfc proxy. VOMS 2.0 onwards: Globus dependencies on the server will be dropped too (They are corrently removed from both the clients and the APIs). This will mean that any kind of proxy, or even a bare certificate, will become acceptable for contacting the service. The whole vomses config business above will no longer be relevant. VOMS 2.0 is due to be out during autumn this year. Ciao, Vincenzo

Having to build adapters to translate (if possible) credentials in different formats is a compromise which is more reasonable than having to wait for all the middlewares of the world to move towards a common security infrastructure.

In the short term... documenting and defining the 2 or 3 security models is real progress. If a service only supports one of these I do not see this as a problem - for all the reasons given. Providing credential translation services to provide 'shims' (or bridges between these islands) as an interim solution makes this work. Its a low risk to individual services - they maintain their current stability - and can migrate over time to support both or the most 'popular' one - let the market decide! Each service can then advertise the mechanisms it supports and clients can locate credential translation services as required.

On Thu, Mar 26, 2009 at 7:16 PM, Steven Newhouse <Steven.Newhouse@cern.ch>wrote:

...

Having to build adapters to translate (if possible) credentials in different formats is a compromise which is more reasonable than having to wait for all the middlewares of the world to move towards a common security infrastructure.

In the short term... documenting and defining the 2 or 3 security models is real progress. If a service only supports one of these I do not see this as a problem - for all the reasons given.

I do agree with this point here. But I would propose a question: What is the purposed of PGI? Does it only conclude all of the popular middlewares and propose a few conclusive profiles? Or does it give some proposal which is as general as possible, and needs those middlewares to change as minimal as possible? If the former one is the case, I agree with the "bridging" idea. And it is also what ARC has done and is doing: Trying to implementing some specific clients which can interoperate with those services hosted by different kinds of middlewares that require different security mechanisms. For instance, for interoperability with CREAM service, the client developed in ARC need firstly to contact the CREAM delegation service and delegate a proxy credential to that service, and secondly send real BES message to CREAM service together with the delegation ID which is got from the first step. The CREAM service itself will implicitly get the proxy credential by using the delegation ID, and then act on behalf of the client. Weizhong Qiang

Providing credential translation services to provide 'shims' (or bridges between these islands) as an interim solution makes this work. Its a low risk to individual services - they maintain their current stability - and can migrate over time to support both or the most 'popular' one - let the market decide!

Each service can then advertise the mechanisms it supports and clients can locate credential translation services as required. _______________________________________________ Pgi-wg mailing list Pgi-wg@ogf.org http://www.ogf.org/mailman/listinfo/pgi-wg