Summary from CA coordination and Security working group meeting

Transcription

1 Summary from CA coordination and Security working group meeting WP4 workshop

2 Security related meetings summary Certification Authorities coordination Organizationally a working group of WP6 Coordinates efforts for certification in various counties Gives guidance to new CA s now setting up Sets minimum standards for trustworthy CA s DataGrid Security coordination meeting Interested individuals concerned with security in the DataGrid at large Forum for security architecture discussions Coordination of security efforts within the WP s David Groep CA and DG security wg

3 Certification Authorities Currently 8 Certification Authorities: CERN (Pietro Martucci) INFN (Roberto Cecchini) DutchGrid/NIKHEF (David Groep) UKHEP (Andrew Sansum) CNRS datagrid-fr (Jean-Luc Archimbaud) LIP (Jorge Gomes) CESnet (Milan Sova and Daniel Kouril) Spain is preparing, Russia will start preparing David Groep CA and DG security wg

4 Certification minimal requirements Minimal requirements for certification authorities defined Non-networked machine Documented Certification Policy and Practice Statement (CP/CPS) Traceability of CPS in effect at time of signing (using OID s) CRL issuing required, lifetime between 7 and 30 days Relying parties should retrieve CRL preferably every day There will be no on-site auditing, we will crosscheck each others CP/CPS Entities should generate own key pairs (CA must not know!) Activity on recommending best-practice Grid CP/CPS in GGF (DataGrid has no manpower to get heavily involved) Drafted a list of recommended cert extensions David Groep CA and DG security wg

5 Certification Authorities in a Fabric None of the national CAs is prepared to issue host certificates to all hosts in a farm OK to apply for gatekeeper certs for LSF masters and such OK also for test bed 1 hosts with fork job manager WP4 has already a possible solution: FLIDS Automatic CRL retrieval, use the GetCerts package from cron soon to be included in WP6 distribution, now from DutchGrid CA site David Groep CA and DG security wg

6 Certification Authorities, Administrative A ca-coordination mailing is being set up by Dave Kelsey List can be used for incident reporting See also Detailed notes to be found from David Groep CA and DG security wg

7 DataGrid Security working group

8 DG Security-wg aims Identify security requirements and deliverables witin the WPs Implications of security on the DataGrid architecture (urgent) Identify lacking resources Self-organisation Extensive discussions planned for Lecce with Steve Tuecke David Groep CA and DG security wg

9 Security per Work Package (1) WP1 Will be managing the user s identities Jobs will probably run with the identity of the original user The applications don t care, as long as: Roles can be assigned to users and Quota can be associated with roles A user can have multiple roles (in different sessions), but only one cert WP2 Same issue with ownership of replicated files. Not resolved yet. David Groep CA and DG security wg

10 Security per Work Package (2) WP3 Will start using MDS-2 in PM9 Will have added GSI security, but does not use LDAP access rights No sub tree or element access control, just grid mapfile Only just started thinking about security issues for >PM9 WP4 Presented use case of job submission, GjMS, LCAS, LCMAPS & FLIDS For grid info services use WP3 framework GridGate should be relabelled NAT box No security comments on install-a-fresh-box use case David Groep CA and DG security wg

11 WP5 WP7 Security per Work Package (3) Will store files by uid/gid Will need a grid mapfile May be different form the one used by ComputeElement YAGM: Yet Another Grid Mapfile Interesting: they have three security deliverables and some committed manpower (PPARC 18 pm/3y, CERN 12 pm/3y, INFN & CNRS also) No-one in WP7 cares about security at large Only competent in network-layer security, so work might be done under ATF umbrella, formally staying in WP7 Once and for all: VPNs are a bad thing. The effort for the VPN test bed is going into a document to prove VPNs are useless DoS attacks will be the real issue in network security David Groep CA and DG security wg

12 Security per Work Package (4) WP8,10 (applications) Want less fuss with national CA s (150 counties in LHC!) sorry! Want single signon: one identity and multiple roles (1 role per session) Autorization by VO, VO decides on quota and groups Requirement common to all applications justify a common solution (CAS) Applications want to keep local site in control, but Local sites should publish their policies (abstracted) to show they are complying with the agreed MoUs Want a good USERS GUIDE WP10 has a lot of sensitive data, encryption preferred on application level anonymous ftp like areas, but restricted to any biologist David Groep CA and DG security wg

13 Policy language Obvious candidate is the work of the IRTF AAAARCH group Generic policy language currently an IRTF draft Or David Groep CA and DG security wg

14 Interaction between CE and SE Details: ATF (Germán) Some consensus seems to be Use GridFTP for for remote and local access to a SE Applications are prepared to refrain from local file system access (not use open(2)) Except for some scratch storage like /tmp Legacy applications should pre-declare their files To prevent rouge applications, the binaries may be signed The receiving end should verify the signature Users can make no assumptions about a local identity anywhere (gsi-ssh) David Groep CA and DG security wg

15 Firewall issues Current state on port numbers used is unclear Especially for return ports and user dynamic ports Nice to have all future access use predefined static ports, Providing secure gateways into the local fabric Like the WP4 proposal To be able to selective block malicious access David Groep CA and DG security wg

16 User mapping management for PM9 INFN: LDAP directory of users and groups generates a gridmapfile URL not yet defined Manchester: gridmapdir patch Possibly included in new Globus release by default Uid issues: most systems do 4 billion uids, but Linux = 2.2.x only 64K? David Groep CA and DG security wg

17 Future of the security working group Dave Kelsey will propose a somewhat more formal body to the PTB Should be driven by 3 named persons, to come from the three sites with committed effort (PPARC, INFN, CNRS) Lot of others should review documents and/or write a few pages for the architecture Framework for architecture given by DaveK Requirements by September/October Final Security architecture deliverable is in PM12 Detailed notes at David Groep CA and DG security wg