TAC - Poznan, 6 June 2005 Building trust with a European style Diego R. Lopez RedIRIS


Page 1

Building trust with a European style

Diego R. Lopez, RedIRIS

Page 2

The European way

• (Too) many states, languages, national priorities/laws/prides/…
  • Different systems and/or profiles of existing systems
  • In different degrees of maturity and deployment
• Look for agreements, even when not fully satisfactory
• Several initiatives to fill the gaps
  • eduroam: already and successfully running!
  • GN2-JRA5: defining the architecture of an inter-federation AAI
  • TF-EMC2: refining AA-RR and initiating its schema effort, SCHAC
  • TACAR and SCS: new ways of approaching PKIs
  • The Cotswolds Group
• Importing whatever is interesting from overseas
  • Basic standards such as Shibboleth and eduPerson
• And always with a sense of style and history
  • Your humble speaker and many colleagues

Page 3

eduroam

• The inter-national roaming network access service
• Based on a hierarchy of RADIUS servers
  • Institutional servers connect to root NREN servers
  • NREN servers are aggregated at the eduroam central server

[Diagram: eduroam RADIUS hierarchy, with the following labelled elements: Supplicant (Guest), Authenticator (AP or switch), RADIUS server and User DB at Institution A and at Institution B, Central RADIUS proxy server, Internet, and Student VLAN / Guest VLAN / Employee VLAN.]
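The slide describes the routing structure only in outline. The following is an added example, not code from the presentation or from the eduroam project: a small simulation of realm-based request routing through an institution, NREN root and central proxy, with the checks a proxy operator would want (strict realm parsing, longest-suffix routing, a hop limit against proxy loops, and an explicit rejection of realms nobody owns). All server names, realms and credentials are constructed placeholders.

```python
"""Realm-based routing in an eduroam-style RADIUS proxy hierarchy.

Constructed example: every server name, realm and credential below is an
invented placeholder; nothing here is a real eduroam, NREN or institutional
server. Routing follows the slide: institution -> NREN root -> central proxy.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_HOPS = 8  # drop requests that bounce between misconfigured proxies

# A realm must look like a DNS name: labels of [a-z0-9-], separated by dots.
REALM_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def parse_realm(user: str) -> Optional[str]:
    """Return the lower-cased realm of 'user@realm', or None if malformed.

    Only the outer identity is visible to eduroam proxies and its realm is the
    sole routing key, so a strict check here keeps a badly formed identity
    from being forwarded up the tree at all.
    """
    if user.count("@") != 1:
        return None
    realm = user.rsplit("@", 1)[1].lower()
    return realm if REALM_RE.match(realm) else None


@dataclass(eq=False)
class RadiusServer:
    name: str
    # realm -> {username: password}; only institutional servers have these
    local_realms: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # realm suffix -> next hop downwards (NREN: institutions, central: NRENs)
    children: Dict[str, "RadiusServer"] = field(default_factory=dict)
    # next hop upwards for realms this server does not know
    parent: Optional["RadiusServer"] = None

    def child_for(self, realm: str) -> Optional["RadiusServer"]:
        """Longest-suffix match, so 'inst-a.example.pl' beats a bare 'pl'."""
        best: Optional[Tuple[str, "RadiusServer"]] = None
        for suffix, server in self.children.items():
            if realm == suffix or realm.endswith("." + suffix):
                if best is None or len(suffix) > len(best[0]):
                    best = (suffix, server)
        return best[1] if best else None

    def handle(self, user: str, password: str, hops: int = 0,
               trail: Optional[List[str]] = None) -> Tuple[str, List[str]]:
        """Authenticate locally or proxy on; returns (result, servers visited)."""
        trail = [] if trail is None else trail
        trail.append(self.name)
        if hops > MAX_HOPS:
            return "Access-Reject (proxy loop)", trail
        realm = parse_realm(user)
        if realm is None:
            return "Access-Reject (malformed realm)", trail
        if realm in self.local_realms:          # this is the home server
            username = user.rsplit("@", 1)[0]
            ok = self.local_realms[realm].get(username) == password
            return ("Access-Accept" if ok else "Access-Reject (bad credentials)"), trail
        next_hop = self.child_for(realm) or self.parent
        if next_hop is None:                    # top of the tree, nobody owns the realm
            return "Access-Reject (unknown realm)", trail
        return next_hop.handle(user, password, hops + 1, trail)


def build_topology() -> Dict[str, RadiusServer]:
    """Two institutions, two NREN roots, one central proxy (all constructed)."""
    inst_a = RadiusServer("radius.inst-a.example.pl",
                          local_realms={"inst-a.example.pl": {"alice": "pw-a"}})
    inst_b = RadiusServer("radius.inst-b.example.nl",
                          local_realms={"inst-b.example.nl": {"bob": "pw-b"}})
    nren_pl = RadiusServer("radius.nren.example.pl", children={"inst-a.example.pl": inst_a})
    nren_nl = RadiusServer("radius.nren.example.nl", children={"inst-b.example.nl": inst_b})
    central = RadiusServer("radius.eduroam.example", children={"pl": nren_pl, "nl": nren_nl})
    inst_a.parent, inst_b.parent = nren_pl, nren_nl
    nren_pl.parent = nren_nl.parent = central
    return {"inst_a": inst_a, "inst_b": inst_b, "nren_pl": nren_pl,
            "nren_nl": nren_nl, "central": central}


def build_looping_topology() -> Dict[str, RadiusServer]:
    """Same tree, but the .pl NREN routes every 'pl' realm to institution A.

    A visitor with an unknown .pl realm then ping-pongs between the NREN and
    institution A until the hop limit stops the request.
    """
    servers = build_topology()
    servers["nren_pl"].children = {"pl": servers["inst_a"]}
    return servers


if __name__ == "__main__":
    s = build_topology()
    # Bob from institution B visits institution A: the request climbs to the
    # central proxy and descends to his home server.
    print(s["inst_a"].handle("bob@inst-b.example.nl", "pw-b"))
    print(s["inst_a"].handle("bob", "pw-b"))  # no realm: rejected at the first hop
    print(build_looping_topology()["inst_a"].handle("carol@inst-b.example.pl", "x"))
```

The trail returned by `handle` is the list of servers a request passed through, which is what an operator reads off proxy logs when a roaming login fails; the looping topology shows why catch-all routes at an NREN need a hop limit rather than trust that the tree is well formed.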

Page 4

eduroam: Reaching further

Page 5

GÉANT2 AAI

• It is intended to be one of the basic services of the coming pan-European academic network
  • Common to all services provided by and based on the network
  • From network access, bandwidth management, etc.
  • To application access (including Grids)
• Not a substitute for existing infrastructures
  • Nation- or community-based
  • A superstructure connecting them
  • Based on (con-)federating the federations
• But able to build new federations where they do not exist
• And directly providing access to AuthN/AuthZ services through specific interfaces

Page 6

GÉANT2 AAI components

• A local AAI Instance at each federation/domain/realm
  • Providing the interfaces to the federations or services in it
• Common Services
  • Home Location Service
  • Others possible: certificate verification, common diagnostics,…
• Connectors
  • Common for a federation (the Local Federation Connector)
  • Local Connectors for resources allowed to interact directly
• Service Access Points
  • In charge of adapting AAI interfaces to the (isolated) services' AA queries/responses
• Interfaces and operations
  • WS and SAML based

Page 7

GÉANT2 AAI general diagram

Page 8

TF-EMC2 and AA-RR

• Able to impersonate general AAI components
  • Attribute sources
  • Attribute requesters
  • Authorization engines
• Driven by profiles
  • Entity and protocol aspects
  • Attributes and values
• Protocol agnostic
  • A rule engine (defined in the profile) connects to protocol adaptors
• Applications
  • GÉANT2 AAI Connectors
  • Diagnostic tool
  • Interoperability assessment

Page 9

TF-EMC2 and SCHAC

• An extension to the eduPerson schema
  • Taking into account European idiosyncrasy
• Based on a collection of national extensions so far
  • Croatia (hrEdu)
  • Finland (funetEdu)
  • France (supAnn)
  • Norway/Sweden (norEdu)
  • Poland (plEdu)
  • Spain (iris)
  • Switzerland (swissEdu)
• Common requirements have been quickly identified
  • Personal (unique) identifiers
  • Other personal attributes (citizenship, languages,…)
  • Privacy definition and entitlements

Page 10

SCHAC current status

• Initial proposal being discussed
• Release Candidate 1 for the individual attributes has been presented at the TF-EMC2 meeting on Sunday
• Protocol neutral
  • LDAP
  • XML
• One of its main drivers is ECTS
  • The European Credit Transfer (and Accumulation) System
  • Enables students to complete their curricula across Europe
  • It has made schema harmonization key to IT practitioners in the European universities
• Close cooperation between TERENA/TF-EMC2 and EUNIS

Page 11

TACAR

• The TERENA Academic CA Repository
• A PKI-based web of trust among the European academic and research community (and beyond!)
  • Built and maintained by out-of-band methods
  • Without the technical and administrative burdens of a common root CA or a bridge
  • Adopted as trust repository by the EUGridPMA
  • Endorsed by the eIRG
• Based on two basic principles
  • Keep it simple
  • Let it happen
• 22 certificates from NRENs and Grid communities
• Exploring further applications
  • From on-line verification to simpler direct trust links among PKIs

Page 12

TACAR: What does it offer

• A single authoritative source for certificates and policies
  • Able to simplify maintenance procedures
• Mechanisms to extend (and strengthen) trust links
  • The Grid communities
  • Other geographical areas
• A model to experiment with
  • Lighter than a common root, simpler than a bridge
  • Distribution of certificate packages
  • Peer-review based models (à la EUGridPMA)
    • Qualified or not
  • PKI operation servers
  • Simplified trust exchange
  • The brand new 1SCP proposal
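The two TACAR slides above rest on one mechanism: CA certificates are distributed as a package, and trust in each one is established out of band rather than through a common root or bridge. The following added example (not code from the presentation or from TACAR) shows the relying party's side of that model: a package is accepted certificate by certificate only where its fingerprint matches a list obtained through an independent channel, so a certificate that arrives with the package but is not on the list, or whose bytes differ from the listed ones, is rejected. The CA names, certificate bytes and fingerprint list are all constructed placeholders.

```python
"""Checking a distributed CA certificate package against out-of-band fingerprints.

Constructed example: the CA names and certificate bytes are invented
placeholders standing in for real DER/PEM certificates, and the fingerprint
list is generated here rather than obtained from TACAR.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Stand-ins for the CA certificates a repository would distribute as a package.
REPOSITORY_CERTS: Dict[str, bytes] = {
    "ca-a.example": b"-----BEGIN CERTIFICATE-----\nconstructed-ca-a\n-----END CERTIFICATE-----\n",
    "ca-b.example": b"-----BEGIN CERTIFICATE-----\nconstructed-ca-b\n-----END CERTIFICATE-----\n",
    "grid-ca.example": b"-----BEGIN CERTIFICATE-----\nconstructed-grid-ca\n-----END CERTIFICATE-----\n",
}


def fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 over the exact bytes as distributed (lower-case hex)."""
    return hashlib.sha256(cert_bytes).hexdigest()


def publish_fingerprints(certs: Dict[str, bytes]) -> Dict[str, str]:
    """What the repository publishes out of band (for instance in a separately
    verified policy document): CA name -> fingerprint of its certificate."""
    return {name: fingerprint(data) for name, data in certs.items()}


def verify_package(package: Dict[str, bytes],
                   oob_fingerprints: Dict[str, str]) -> Tuple[List[str], Dict[str, str]]:
    """Accept only certificates whose fingerprint matches the out-of-band list.

    Returns (accepted names, {rejected name: reason}). A certificate that is in
    the package but not on the list is never trusted merely because it arrived
    with the others; a listed certificate missing from the package is reported
    so that an incomplete or truncated download is noticed.
    """
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    for name, data in sorted(package.items()):
        expected = oob_fingerprints.get(name)
        if expected is None:
            rejected[name] = "not in out-of-band fingerprint list"
        elif not hmac.compare_digest(fingerprint(data), expected):
            rejected[name] = "fingerprint mismatch"
        else:
            accepted.append(name)
    for name in oob_fingerprints:
        if name not in package:
            rejected[name] = "listed but missing from package"
    return accepted, rejected


def tampered_package() -> Dict[str, bytes]:
    """A package altered in transit: one certificate replaced, one CA added."""
    package = dict(REPOSITORY_CERTS)
    package["ca-b.example"] = b"-----BEGIN CERTIFICATE-----\nswapped-ca-b\n-----END CERTIFICATE-----\n"
    package["extra-ca.example"] = b"-----BEGIN CERTIFICATE-----\nunlisted\n-----END CERTIFICATE-----\n"
    return package


if __name__ == "__main__":
    trusted = publish_fingerprints(REPOSITORY_CERTS)
    print(verify_package(REPOSITORY_CERTS, trusted))   # everything accepted
    print(verify_package(tampered_package(), trusted))  # two entries rejected
```

The fingerprint list is the out-of-band element: the package may travel over any channel, but a certificate only becomes a trust anchor once its bytes match what the relying party has already verified through the repository's own procedures, which is the "direct trust links among PKIs" the slide contrasts with on-line verification.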

Page 13

SCS: A novel certificate service

• Enable the use of server certificates
  • Allow the use of encrypted channels whenever necessary
  • Avoid the pop-up problem
    • And the cost associated with its avoidance
• The proposal
  • A service outsourced to a commercial provider that takes care of the root installation procedures in major browsers
  • Provided in adequate technical conditions to NRENs
  • And in reasonable economic terms
    • As flat as possible
  • Coordinated through TERENA
• Current status
  • Agreement signed by most participant NRENs
  • (Promising) conversations with several providers

Page 14

The Cotswolds Group initiative

• Hosted by JISC (UK)
• Representatives invited from countries which have committed funding to a comprehensive national programme
• Attended by representatives from Australia, Finland, Netherlands, Spain, Switzerland, UK, US and CERN
• Aims:
  • to establish a framework for further international collaboration of AA systems, leading to interoperable user mechanisms, and
  • to help other countries develop similar large-scale systems

Page 15

The Cotswolds Group conclusions

• Global inter-working of local/national schemes is possible

• The network peering model is relevant to extending coverage

• Set of criteria needed to judge whether to accept a candidate federation

• Production of a cookbook to describe the criteria and the selection process

• A facilitator (Secretary) of the activities of the group

• Dissemination of the results on a broad front