TAGPMA & the Bridge WG (Scott Rea – Dartmouth College)
Internet2 Member Meeting, Dec 2006 – PKI Activities and Applications Update – Chicago, IL
International Grid Trust Federation
• IGTF founded in Oct 2005 at GGF 15
• IGTF purpose:
– Manage authentication services for global computational grids via policy and procedures
• IGTF goal:
– Harmonize and synchronize member PMAs' policies to establish and maintain global trust relationships
• IGTF members:
– 3 regional Policy Management Authorities: EUgridPMA, APgridPMA, TAGPMA
• 50+ CAs, 50,000+ credentials
IGTF
IGTF General Architecture
• The member PMAs are responsible for accrediting authorities that issue identity assertions.
• The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers.
• The management and continued evolution of an AP is assigned by the IGTF to a specific member PMA.
– Proposed changes to an AP will be circulated by the chair of the PMA managing the AP to all chairs of the IGTF member PMAs.
• Each of the PMAs will accredit credential-issuing authorities and document the accreditation policy and procedures.
• Any changes to the policy and practices of a credential-issuing authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.
EUGridPMA members and applicants
• Map legend – Green: EMEA countries with an Accredited Authority
– 23 of 25 EU member states (all except LU, MT) + AM, CH, HR, IL, IS, NO, PK, RU, TR
• Other Accredited Authorities: DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all
EUgridPMA Membership
• Under “Classic X.509 secured infrastructure” authorities
– accredited: 38 (recent additions: CERN-IT/IS, SRCE)
– active applicants: 4 (Serbia, Bulgaria, Romania, Morocco)
• Under “SLCS”
– accredited: 0
– active applicants: 1 (SWITCH-aai)
• Under MICS draft
– none yet of course, but actually CERN-IS would be a good match for MICS as well
• Major relying parties
– EGEE, DEISA, SEE-GRID, LCG, TERENA
Map of the APGrid PMA
• Ex-officio Membership
– APAC (Australia)
– CNIC/SDG, IHEP (China)
– AIST, KEK, NAREGI (Japan)
– KISTI (Korea)
– NGO (Singapore)
– ASGCC, NCHC (Taiwan)
– NECTEC, ThaiGrid (Thailand)
– PRAGMA/UCSD (USA)
• General Membership
– U. Hong Kong (China)
– U. Hyderabad (India)
– Osaka U. (Japan)
– USM (Malaysia)
APgridPMA Membership
• 9 Accredited CAs
– In operation: AIST (Japan), APAC (Australia), ASGCC (Taiwan), CNIC (China), IHEP (China), KEK (Japan), NAREGI (Japan)
– Will be in operation: NCHC (Taiwan), NECTEC (Thailand)
• 1 CA under review
– NGO (Singapore)
• Will be re-accredited
– KISTI (Korea)
• Planning
– PRAGMA (USA)
– ThaiGrid (Thailand)
• General membership
– Osaka U. (Japan)
– U. Hong Kong (China)
– U. Hyderabad (India)
– USM (Malaysia)
TAGPMA
TAGPMA Membership
• Accredited
– Argentina UNLP
– Brazilian Grid CA
– CANARIE (Canada)*
– DOEGrids*
– EELA LA Catch-all Grid CA
– ESnet/DOE Office of Science*
– REUNA Chilean CA
– TACC – Root
• In Review
– FNAL
– Mexico UNAM
– NCSA – Classic/SLCS
– Purdue University
– TACC – Classic/SLCS
– Venezuela
– Virginia
– USHER
• Relying Parties
– Dartmouth/HEBCA
– EELA
– OSG
– SDSC
– SLAC
– TeraGrid
– TheGrid
– LCG
* Accredited by EUgridPMA
TAGPMA Bridge Working Group
• Recognition that there are different LOAs
– in the way some credential service providers operate
– required by different applications
• More efficient ways of distributing Trust Anchors
• Interoperation with other trust federations
• Scott Rea is Chair; representatives from each regional PMA are included
Recent Mapping Exercises
• Federal Bridge CA (FBCA) General Profile against IGTF Classic Profile
• Federal Citizen & Commerce Certificate CA (C-4) against IGTF Classic Profile
• IGTF Classic Profile against C-4
Mapping Designations
• Seven (7) designations are used to characterize the equivalency
– Exceeds – The ENTITY CP policy provides a higher level of assurance/security than the Federal CP requirement.
– Equivalent – The ENTITY CP policy provides exactly the same assurance/security as the Federal CP requirement.
– Comparable – The ENTITY CP contains dissimilar policy contents, but provides a comparable level of assurance that meets the security of the Federal CP requirement.
– Partial – The ENTITY CP contains policy that is comparable, but it does not address the entire Federal CP requirement.
– Not Comparable – The ENTITY CP contains dissimilar policy contents, which provide a lower level of assurance/security than the Federal CP requirement.
– Missing – The ENTITY CP does not contain policy contents that can be compared to the Federal CP requirement in any way.
– N/A – Not Applicable to the ENTITY CP, or not required for FBCA cross-certification.
Mapping Results
• C-4 against IGTF Classic Profile
– 30 policy points evaluated
– 14 Comparable designations
– 12 Partial designations
– 3 Not Comparable designations
– 1 Not Applicable designation
Mapping Results
• FBCA General against IGTF Classic Profile
• Basic LOA used for comparisons
– 136 policy points evaluated
– 22 Comparable designations
– 33 Partial designations
– 12 Not Comparable designations
– 65 Missing designations
– 3 Not Applicable designations
Mapping Results
• IGTF Classic Profile against C-4
– 30 policy points evaluated
– 19 Comparable designations
– 1 Partial designation
– 10 Exceeds designations
Proposed Inter-federations
(Diagram: bridges and federations linked by cross-certificates – FBCA with member CAs CA-1, CA-2 … CA-n; HEBCA with Dartmouth, Wisconsin, Texas, UVA, Univ-N; USHER; DST ACES; SAFE; CertiPath; NIH; HE JP; AusCert/CAUDIT PKI; HE BR; other bridges; IGTF; C-4.)
(Diagram: level-of-assurance alignment across federations. Labels as extracted, by column: High / Medium Hardware CBP / Medium Software CBP / Basic / Rudimentary; C-4: High / Medium / Basic / Rudimentary; Foundation / Classic CA / SLCS / MICS; FPKI; IGTF; HEBCA/USHER; SAML; Username/Password.)
For More Information
• IGTF Website: http://www.gridpma.org/
• TAGPMA Website: http://www.tagpma.org/
Scott Rea – [email protected]