Genesis II Security - Trust Anchor(s)

Duane and Andrew,

I have carefully read the document 'Genesis-II Security Implementation' at http://forge.gridforum.org/sf/go/doc15435?nav=1

Basic interoperation between different grid infrastructures requires establishing mutual trust and common processes.

Currently, Security Policies for EGI are proposed by the EGI SPG 'Security Policy Group' at https://wiki.egi.eu/wiki/SPG
In particular, 'Approval of Certification Authorities' at https://documents.egi.eu/public/ShowDocument?docid=83 defines that the Trust Anchor is IGTF http://www.igtf.net/

In order to permit basic interoperation between EGI and infrastructures using Genesis II, members of EGI SPG need to have precise information on the Trust Anchor and Security Process used by grid infrastructures using Genesis II.

Referring to your above-mentioned 'Genesis-II Security Implementation' document:

1.1.2 Resource Identity
------------------------
- The document states 'All Genesis II grid resources are given X.509 identities' and the 4th entry of a 'typical certificate chain of trust' is a 'global Certificate Authority (CA) "trusted" by all grid participants'.
- Please explain precisely this "trust" process: if this process does not use IGTF as the unique Trust Anchor, please indicate the mandatory (and perhaps optional) Trust Anchor(s) for grid infrastructures using Genesis II.

1.1.4 Existing Identities
--------------------------
- The document states 'Alternatively, users may have identities that are managed by directory systems such as NIS/YP, LDAP, etc. Genesis II integrates with these systems to virtualize these identities into the grid'
- Does Genesis II really create X.509 certificates (like an SLCS CA)?
- If yes, which Root CA does Genesis II use?
- Are you sure that this Root CA will be accepted by the target resources inside the grid infrastructures using Genesis II?
- If yes, what is the trust mechanism?

1.1.6 Identity Provider Resources (IDPs)
-----------------------------------------
- The document states 'New grid identities can be created and managed using Genesis II Identity Provider (IDP) resources' implementing 'WS-Trust Security Token Service (STS)'
- Same questions as for section 1.1.4

Precise answers to these questions, taking into account real operational constraints, would permit EGI SPG to understand the security process offered by Genesis II, and perhaps to define a more flexible policy about Trust Anchors, permitting real interoperation with grid infrastructures using Genesis II.

Thank you in advance for taking the pain of understanding these questions and answering them.

Best regards.

-----------------------------------------------------
Etienne URBAH
LAL, Univ Paris-Sud, IN2P3/CNRS
Bat 200   91898 ORSAY   France
Tel: +33 1 64 46 84 87
Skype: etienne.urbah
Mob: +33 6 22 30 53 27
mailto:urbah@lal.in2p3.fr
-----------------------------------------------------
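The questions above turn on one mechanism: a relying party accepts a resource's X.509 identity only if the chain ends in a root that the relying party has configured as a trust anchor. The following Go program is an added illustration of that point, not code from Genesis II or from any of the projects named in the thread. It builds an in-memory chain (constructed root CA, issuing CA, resource leaf) with the standard library's crypto/x509 and then validates the leaf against an explicit trust-anchor set, never the host's system store. All CA names and the function names (BuildChain, TrustedBy) are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed resource identity: Leaf issued by Intermediate,
// Intermediate issued by Root. Everything is generated in memory.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// newTemplate returns a minimal X.509 template; CA templates carry the
// basic-constraints flag a chain builder requires.
func newTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
}

// issue generates a fresh key pair and signs tmpl with parentKey.
// With parent == nil the certificate is self-signed, i.e. a root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain constructs root -> issuing CA -> resource leaf; rootCN names the
// hypothetical root CA that will serve as trust anchor.
func BuildChain(rootCN string) (*Chain, error) {
	root, rootKey, err := issue(newTemplate(rootCN, 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(newTemplate(rootCN+" Issuing CA", 2, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(newTemplate("grid-resource.example (constructed)", 3, false), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// TrustedBy validates the leaf against exactly the given anchors. The pool is
// created explicitly so an empty anchor set trusts nothing (a nil Roots field
// would silently fall back to the operating system's store). A nil error
// means the relying party accepts the resource identity.
func TrustedBy(c *Chain, anchors ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	a, err := BuildChain("Grid Root CA A (constructed)")
	if err != nil {
		panic(err)
	}
	b, err := BuildChain("Grid Root CA B (constructed)")
	if err != nil {
		panic(err)
	}
	fmt.Println("anchor A, chain A:", TrustedBy(a, a.Root)) // nil: accepted
	fmt.Println("anchor B, chain A:", TrustedBy(a, b.Root)) // unknown authority
	fmt.Println("no anchors, chain A:", TrustedBy(a))       // unknown authority
}
```

The second and third calls are the interoperation problem in miniature: a chain that is perfectly valid under one infrastructure's anchor set is rejected outright by a relying party whose anchors differ or are empty, which is why the root CA in use has to be stated explicitly rather than described as "trusted by all grid participants".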

hi Etienne, PGI,

is it an aim of PGI-WG to discuss operational policies such as which CAs are trusted by which infrastructure? The group's "focus and scope" at <http://forge.gridforum.org/sf/projects/pgi-wg> does not mention this.

Up to now, I assumed PGI is about defining and/or profiling specifications for compute, data, etc, and *not* about operational issues in specific existing or future infrastructures? Is this no longer the case?

Thanks for any clarification on this question,
Bernd.

On Tue, 2010-09-21 at 21:07 +0200, Etienne URBAH wrote:
Duane and Andrew,
I have carefully read the document 'Genesis-II Security Implementation' at http://forge.gridforum.org/sf/go/doc15435?nav=1
Basic interoperation between different grid infrastructures requires establishing mutual trust and common processes.
Currently, Security Policies for EGI are proposed by EGI SPG 'Security Policy Group' at https://wiki.egi.eu/wiki/SPG In particular, 'Approval of Certification Authorities' at https://documents.egi.eu/public/ShowDocument?docid=83 defines that the Trust Anchor is IGTF http://www.igtf.net/
In order to permit basic interoperation between EGI and infrastructures using Genesis II, members of EGI SPG need to have precise information on Trust Anchor and Security Process used by grid infrastructures using Genesis II. [...]
--
Dr. Bernd Schuller
Distributed Systems and Grid Computing
Juelich Supercomputing Centre, http://www.fz-juelich.de/jsc
Phone: +49 246161-8736 (fax -8556)
Personal blog: www.jroller.com/page/gridhaus

------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDirig Dr. Karl Eugen Huthmacher
Management: Prof. Dr. Achim Bachem (Chairman), Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------

Bernd,

Concerning the issue of which CAs are trusted by which infrastructure:

I have carefully read again the "focus and scope" of OGF PGI. You are right, it does NOT mention operational policies such as the one above.

So, members of OGF PGI are free to ignore this issue.

But I feel that this issue is a potential blocking point for practical interoperation, so a more appropriate audience for this issue is perhaps OGF GIN-CG.

Best regards.

-----------------------------------------------------
Etienne URBAH
LAL, Univ Paris-Sud, IN2P3/CNRS
Bat 200   91898 ORSAY   France
Tel: +33 1 64 46 84 87
Skype: etienne.urbah
Mob: +33 6 22 30 53 27
mailto:urbah@lal.in2p3.fr
-----------------------------------------------------

On Tue, 21/09/2010 23:10, Bernd Schuller wrote:
hi Etienne, PGI,
is it an aim of PGI-WG to discuss operational policies such as which CAs are trusted by which infrastructure? The group's "focus and scope" at <http://forge.gridforum.org/sf/projects/pgi-wg> does not mention this.
Up to now, I assumed PGI is about defining and/or profiling specifications for compute, data, etc, and *not* about operational issues in specific existing or future infrastructures? Is this no longer the case?
Thanks for any clarification on this question, Bernd.
On Tue, 2010-09-21 at 21:07 +0200, Etienne URBAH wrote:
Duane and Andrew,
I have carefully read the document 'Genesis-II Security Implementation' at http://forge.gridforum.org/sf/go/doc15435?nav=1
Basic interoperation between different grid infrastructures requires establishing mutual trust and common processes.
Currently, Security Policies for EGI are proposed by EGI SPG 'Security Policy Group' at https://wiki.egi.eu/wiki/SPG In particular, 'Approval of Certification Authorities' at https://documents.egi.eu/public/ShowDocument?docid=83 defines that the Trust Anchor is IGTF http://www.igtf.net/
In order to permit basic interoperation between EGI and infrastructures using Genesis II, members of EGI SPG need to have precise information on Trust Anchor and Security Process used by grid infrastructures using Genesis II. [...]

Hello Etienne,

I completely agree with the assessment that operational issues, such as the IGTF trust anchor, are definitely out of scope for PGI, even though they might be in the GIN scope.

I would also like to point out that SPG policies have their root in WLCG requirements, as WLCG was the infrastructure that originally mandated the group. These policies are neither mandatory (i.e., they can be superseded by local site policies), nor are they immutable (i.e., they can change following new requirements). In addition, SPG policies take great care not to require any specific technology. IGTF is the very rare exception, but even IGTF is not locked to a single technology per se, as nothing in the IGTF charter requires compliance with any specific implementation.

All in all, I believe this is a non-issue for PGI, and probably even for GIN.

Cheers,
Oxana

22.09.2010 12:00, Etienne URBAH wrote:
Bernd,
Concerning the issue of which CAs are trusted by which infrastructure:
I have carefully read again the "focus and scope" of OGF PGI. You are right, it does NOT mention operational policies such as the one above.
So, members of OGF PGI are free to ignore this issue.
But I feel that this issue is a potential blocking point for practical interoperation, so a more appropriate audience for this issue is perhaps OGF GIN-CG.
Best regards.
On Tue, 21/09/2010 23:10, Bernd Schuller wrote:
hi Etienne, PGI,
is it an aim of PGI-WG to discuss operational policies such as which CAs are trusted by which infrastructure? The group's "focus and scope" at <http://forge.gridforum.org/sf/projects/pgi-wg> does not mention this.
Up to now, I assumed PGI is about defining and/or profiling specifications for compute, data, etc, and *not* about operational issues in specific existing or future infrastructures? Is this no longer the case?
Thanks for any clarification on this question, Bernd.
On Tue, 2010-09-21 at 21:07 +0200, Etienne URBAH wrote:
Duane and Andrew,
I have carefully read the document 'Genesis-II Security Implementation' at http://forge.gridforum.org/sf/go/doc15435?nav=1
Basic interoperation between different grid infrastructures requires establishing mutual trust and common processes.
Currently, Security Policies for EGI are proposed by EGI SPG 'Security Policy Group' at https://wiki.egi.eu/wiki/SPG In particular, 'Approval of Certification Authorities' at https://documents.egi.eu/public/ShowDocument?docid=83 defines that the Trust Anchor is IGTF http://www.igtf.net/
In order to permit basic interoperation between EGI and infrastructures using Genesis II, members of EGI SPG need to have precise information on Trust Anchor and Security Process used by grid infrastructures using Genesis II. [...]
--
gin mailing list
gin@ogf.org
http://www.ogf.org/mailman/listinfo/gin