Authorization WG Update
David Kelsey
EU Grid PMA, Copenhagen
27 May 2008
27 May 08 EU Grid PMA, Kelsey 2

Mandate
• EUGridPMA Working Group on Policy Management for Grid Authorisation
  – Mandate and aims
    • To prepare recommendations on policy and global trust issues related to Grid Authorisation (AuthZ)
    • The initial list of issues will include:
      – Minimum requirements and best practice for the operation of a Grid AuthZ attribute authority
      – Minimum requirements and best practice for Virtual Organisation user and service membership management
      – Accreditation of Attribute Authorities (AA)
      – Accreditation of Virtual Organisations and their membership management procedures

Mandate (2)
  – Repositories and distribution of accredited AA roots of trust
  – Technical details of attribute signing and trust validation
• To recommend how IGTF could handle the definition of AuthZ policy and related accreditation during the next 3 to 5 years, taking into account the move towards a sustainable EU Grid Infrastructure and constituent national Grids

Mailing list members
• M Altunay
• J Basney
• V Ciaschini
• R Cowles
• G Garzoglio
• D Groep
• M Helm
• E Imamagic
• J Jensen
• C Kanellopoulos
• D Kelsey
• O Koeroo
• D Kouril
• A McNab
• D O’Callaghan
• M Sova
• Y Tanaka
• C Triantafyllidis
• W Weisz
• J Wolfrat

Discussion on mandate
• Several suggestions received
• First mandate for this WG should be to set up a list of all known AuthZ tools for the Grid environment available and in development
  – To determine actual and near future best practice
• Especially it should help to discern advantages and disadvantages of SAML assertions versus Attribute certificates versus attributes directly included in proxy certificates.
• This could guide us in the more theoretical aspects of the WG work.

Discussion (2)
• Policy implications for VOs and VO service providers are essentially the same whatever signing and attribute/assertion technology is used
• Perhaps there is scope for an AAOPS in OGF?
  – need for implementations that work, as opposed to blue sky protocol design

Discussion (3)
• I agree that we may start with working on VOMS; however, staying implementation-independent, as much as possible, would help us in the long run
• How LoA of the underlying AuC assertions affect what AuZ can do
  – This leads to a sort of risk assessment framework
  – If I have a precious resource, I need high quality AuC assertions underneath it.

Policy models
• Attribute Authority Service Profile
  – Based on VOMS
    • Can we make it technology independent?
  – This should be written
• VO procedures
  – JSPG working on two documents
    • VO Registration Policy
    • VO Membership Management Policy
  – Probably don’t need another one!

Scaling issues
• Today in EGEE
  – ~200 VOs (mix of global, international, regional, national, local)
  – # VOMS servers (how many?)
    • Need to quantify
• Future EGI/NGI world
  – ~35 to 40 Grids in Europe
• EU Grid PMA
  – Accredits ~2 per meeting and reviews ~4

Accreditation
• Options
  – Existing IGTF PMAs
  – Form new AuthZ PMAs
  – Large Grids (EGEE, OSG etc)
  – NGIs
  – Or mix of some/all of these

Accreditation (2)
• My personal preferences (not discussed yet)
• IGTF defines the standards
• Others do accreditation
  – With IGTF members
  – Important to have feedback into standards
• Large Grids or Coordination (call it EGI)
  – Accredit Global VOs
  – And run AA services for them
    • Accredited by IGTF

Accreditation (3)
• Every VO should have a home Grid
  – Runs the AA services
    • NGI AA service is accredited by IGTF or EGI
  – Accredits the VO procedures
• Bootstrap
  – Prepare draft profiles (AA and VO)
  – Accredit a small number of global VOs
  – Feedback and improve profiles

AC validation
• Document from OSG
• Attribute Certificate Validation in OSG
  – Mike H to say more?

Meetings and plans
• Work should start on the draft AA profile
  – Needs a small team
  – Then wider discussion
• I propose to hold a workshop
  – Early autumn
  – EGEE’08?
  – Joint with EU Grid PMA Lisbon meeting?
Discussion