using distributed responsibility
play

using distributed responsibility David Groep EGI IGTF Liaison - PowerPoint PPT Presentation

Mar 09, 2024 •530 likes •765 views

Evolving the EGI trust fabric using distributed responsibility David Groep EGI IGTF Liaison www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142

  1. Evolving the EGI trust fabric using distributed responsibility David Groep EGI IGTF Liaison www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 orcid.org/0000-0003-1026-6606

  2. EGI trust policy space EGI Security Policy top-level framework Virtual Organisation Accepted Certification Authorities policy Membership Policy Registration Practices IGTF Classic IGTF MICS IGTF SLCS EGI (based on earlier joint JSPG work) puts user traceability on the IGTF providers • accepting a set of IGTF assurance profiles: MICS, SLCS, Classic • with peer-reviewed self-audits and transparency VO registration process is fairly light-weight: no audits, no documented procedures • but a few VOs are different and do have such processes (mainly wLCG) Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 2

  3. Federated Authentication Performing reasonable identity vetting of users and providing traceability is non-trivial Authorities set of a distributed Registration Authority network • Or leverage an existing one, based on ‘FedAuth’ with quality assurance • e.g. through services like DFN-AAI and Trusted Certificate Service TCS Graphic: IGTF 2015 Graphic from: Jan Meijer, UNINETT Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 3

  4. ‘Federated Authentication’ for a myriad of services But SSO single password & federation today also means: ‘free VMs 4 ALL’ instant abuse in case it gets compromised, (WebSSO, imap, smtp, ssh, eduroam, TCS, …) unknown qualities of identity in each federation and each IdP  and it works for Web only wLCG FIM4R pilot background: eduGAIN connected federations as of November 2014 – Brooke Schofield, TERENA Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 4

  5. Federated use of the eInfra WebFTS ‘FIM4R’ in wLCG Romain Wartel ELIXIR reference architecture Mikael Linden et al. Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 5

  6. Why the move to FedAuth Cross-national federated access progressed tremendously eduGAIN: more federations, with technical interop across countries • Increased awareness of research & scholarship use cases • ‘the will to make it happen’: demonstrated by SirTFi, AARC, VOPaaS , … • A great promise for easier collaboration Move to authenticators ‘closer’ to the user understanding – mainly home • organization credentials Ability to ‘hide’ end -user PKIX technology – and offer simpler authentication • for web- based services through ‘ OpenID Connect’ and ‘SAML’ And there are bridges – since for non-Web, command-line and brokerage ‘SAML2Int WebSSO ’ does not work STS, CILogon, TCS, SSH-to-MyProxy tokens, Moonshot, … • Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 6

  7. Issues hindering the adoption of FedAuth Although many production federations are pretty good, and quite a few IdPs have good processes … public documentation, self-assessment and peer-review are missing • it’s not consistent across IdPs • and processes are not designed for collaboration use cases re-use of identifiers occurs (also an issue for social IdPs) • the identity providers provide no identity … or it’s non -consistent • identifiers generated are specific to each SP (defeating brokering) • and may not provide traceability needed for valuable resources some allow users to change their own data (including e.g. their email • address and all contact data), or do not collaborate in case of issues Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 7

  8. Assurance profiles as charted by the IGTF So many production federations and IdPs are pretty good, but … they are all different , and the lowest common denominator is quite low • … so IGTF for ‘conventional’ assurances requires additional per-user controls … and the (‘ uniqueified ’) AP ‘DOGWOOD’ (IOTA) leaves an assurance gap …3,4 2 Kantara-like RP task Assurance Scale 1 * somewhat my personal view … LoA 0: ‘like conventional unsigned email’ sorry for bias Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 8

  9. Moving the bar towards differentiated assurance http://igtf.net/ap/iota (part of http://igtf.net/ap/loa) • IOTA AP assurance level ‘DOGWOOD’ is different, and remainder of the elements must be taken up by Identity elements somebody else – the VO or the sites • identifier management • re-binding and revocation • Only thing you get is an opaque ID • binding to entities • • traceability of entities Consider questions about • emergency communications – Real names and pseudonyms – Enrolling users in a community • regular communications – Keeping audit records • ‘rich’ attribute assertions – Auditability and tracing • correlating identifiers – Incident response • access control 11/10/2015 9 Evolving the EGI Trust Fabric - Bari 2015

  10. Redistributing responsibilities with IOTA Who can absorb the responsibilities, if not the identity providers? Requirements: End-to-end traceability must remain the same • Changing or documenting federation and IdP processes is a ‘lengthy’ • process – but adding some requirements does work (e.g. SiRTFi on incident response) … so who can absorb the responsibility? The resource centres – and go back to 1995 with per-site vetting  • The Infrastructure or funding agencies, through a rigorous registration • process – PRACE ‘home sites’, or XSEDE registration + NSF granting EGI UMP – that’s what’s happening partially in the LToS service • Or the communities? • Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 10

  11. Specific Delegated Responsibilities Need for proper traceability does not go away, so … who holds that information need not only be a traditional CA • but can be another entity with similarly rigorous processes • Some communities have an existing registration system that is very robust PRACE – in-person links • at the home sites XSEDE – NSF grant • approval process wLCG – CERN Users Office • and HR Database Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 11

  12. Distributed Responsibilities I: Trusted Third Party Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 12

  13. Distributed Responsibilities II: Collaborative Assurance & Traceability Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 13

  14. IOTA in the EGI context EGI – by design - supports loose and flexible user collaboration 300+ communities • Many established ‘bottom - up’ with fairly light -weight processes • Membership management policy* is deliberately light-weight • Most VO managers rely on naming in credentials to enroll colleagues • Only a few VOs are ‘special’ LHC VOs: enrolment is based on the users’ entry in a special (CERN - • managed) HR database, based on a separate face-to-face vetting process and eligibility checks, including government photo ID + institutional attestations Only properly registered and active people can be listed in VOMS • *) https://documents.egi.eu/document/79 Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 14

  15. Software support for DiffLoA What is needed it for the infrastructures (resource centres) to differentiate between ‘light - weight VOs’ and ‘heavily - managed VOs’ Preferably on a per-VO basis • Allowing IdPs with a lower assurance profile to be used for heavily- • managed VOs’ Whilst ensuring light-weight VOs can continue to enjoy airiness since • they’re combined with higher -assurance IdPs (CAs) Logic foreseen for such a decision ( VO:/pvier && CA:IGTF-Classic,IGTF-MICS ,”NL -eInfra-Zero- CA” ) || ( VO:/atlas && CA:IGTF-Classic,IGTF-MICS,IGTF-SLCS,IGTF-IOTA ) || ( VO:/* && CA:IGTF-Classic,IGTF-MICS,IGTF-SLCS ) Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 15

  16. Software capabilities today ‘For site -controlled redistribution to work, all software in the infrastructure faces with redistributed responsibility must support it’ Key components Argus Authorization System • Site access control suite for C ‘LCMAPS’ • … embedded ACL systems in (storage) software • For some it’s there (like LCMAPS on next slide), for others its ‘fairly trivial’ to implement (Argus), but all needs to be deployed and used as well way to feed CA policy information to Argus decision engine is needed • i.e., a “PIP” in AUthZ lingo speak, or it will not scale, but this is planned For service-specific authorization systems an inventory is needed • Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 16

  17. LCMAPS example implementation # Example VO-CA-AP-file, please adapt according to requirements # First the VOMS entries /pvier "/C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth",\ file:TERENAeSciencePersonalCA.info, \ file:TERENAeSciencePersonalCA-3.info /dteam file:policy-igtf-mics.info,file:policy-igtf-classic.info For each VO (FQAN), list the set of • acceptable CAs and (IGTF) Assurance Profiles Relying parties can easily add their own bundles (in info files) • Under control of the resource centres – who have to take the risks • For Argus Read “CA” and “Profile” information in a Policy Information Point • The decision in the Argus policy is then a simple “AND” of VO+CA/AP • Evolving the EGI Trust Fabric - Bari 2015 11/10/2015 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Pathway of Responsibility What is responsibility? What is our responsibility personally

Pathway of Responsibility What is responsibility? What is our responsibility personally

Pathway of Responsibility What is responsibility? What is our responsibility personally and corporately? Definition - the state or job of being in charge of something and of making sure that what happens is right or satisfactory

1.08k views • 60 slides
ANNEXES Social Responsibility Comes First 1 SOCIAL RESPONSIBILITY SOCIAL RESPONSIBILITY IS ONE OF

ANNEXES Social Responsibility Comes First 1 SOCIAL RESPONSIBILITY SOCIAL RESPONSIBILITY IS ONE OF

GEOX GROUP - 1Q20 SALES - MAY 7, 2020 ANNEXES Social Responsibility Comes First 1 SOCIAL RESPONSIBILITY SOCIAL RESPONSIBILITY IS ONE OF GEOXS FUNDAMENTAL VALUES AND THE GROUP HAS IMPLEMENTED A NUMBER OF IMPORTANT MEASURES TO PROTECT ITS

513 views • 17 slides
Executive Responsibility Confidential 1 Executive Responsibility C-Suite Input,

Executive Responsibility Confidential 1 Executive Responsibility C-Suite Input,

Executive Responsibility Confidential 1 Executive Responsibility C-Suite Input, Responsibility and Policy Development Duty of Care Implementation of Policy Foreseeable and Reasonable Mitigation Cyber Threat + Its Impact

548 views • 19 slides
EPR the future of EPR the future of Producer Producer Responsibility Responsibility

EPR the future of EPR the future of Producer Producer Responsibility Responsibility

EPR the future of EPR the future of Producer Producer Responsibility Responsibility 15th November 2018 James Piper Managing Director Compliance Producers Recyclers schemes Infrastructure = Awareness & innovation

448 views • 13 slides
Pathway of Responsibility To engage the Pathway of Responsibility we need to learn how to

Pathway of Responsibility To engage the Pathway of Responsibility we need to learn how to

Pathway of Responsibility To engage the Pathway of Responsibility we need to learn how to access beyond the veil and take our positions as lords, kings and sons on our thrones in the heavenly realms When we are seated in the heavenly

763 views • 47 slides
Distributed Coordination What makes a system distributed? Time in a distributed system

Distributed Coordination What makes a system distributed? Time in a distributed system

CPSC-410/611: Operating Systems Distr Coord Distributed Coordination What makes a system distributed? Time in a distributed system How do we determine the global state of a distributed system? Event ordering Mutual exclusion

405 views • 12 slides
Chain of Responsibility Michael J Crellin Manager, Chain of Responsibility The contents of this

Chain of Responsibility Michael J Crellin Manager, Chain of Responsibility The contents of this

Chain of Responsibility Michael J Crellin Manager, Chain of Responsibility The contents of this presentation are intended to provide general guidance only, and should not be treated as legal advice. Specialist independent advice should be

358 views • 22 slides
Corporate Social Responsibility (CSR) Index What is Corporate Social Responsibility?

Corporate Social Responsibility (CSR) Index What is Corporate Social Responsibility?

Corporate Social Responsibility (CSR) Index What is Corporate Social Responsibility? Levels of CSR Different areas involved Different labour issues Arguments For CSR Arguments Against CSR CSR in Europe CSR in Spain

288 views • 27 slides
All Business - No Waste Extended Producer Responsibility Extended Producer Responsibility in

All Business - No Waste Extended Producer Responsibility Extended Producer Responsibility in

All Business - No Waste Extended Producer Responsibility Extended Producer Responsibility in British Columbia, Canada by David Lawes & Teresa Conner BC Ministry of Environment September 2011 1 British Columbia Facts Population: 4.5

453 views • 33 slides
Pathway of Responsibility We engage the Pathway of Responsibility when we learn to access

Pathway of Responsibility We engage the Pathway of Responsibility when we learn to access

Pathway of Responsibility We engage the Pathway of Responsibility when we learn to access beyond the veil and take our positions on the mountains and thrones in the heavenly realms Seated in the heavenly realms we established kingdom

430 views • 30 slides
Pathway of Responsibility We engage the Pathway of Responsibility when we learn to access

Pathway of Responsibility We engage the Pathway of Responsibility when we learn to access

Pathway of Responsibility We engage the Pathway of Responsibility when we learn to access beyond the veil and take our positions on the mountains and thrones in the heavenly realms Seated in the heavenly realms we can established kingdom

573 views • 41 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
Corporate Responsibility performance 2012 At Syngenta, Corporate Responsibility (CR) Contents

Corporate Responsibility performance 2012 At Syngenta, Corporate Responsibility (CR) Contents

CR performance Corporate Responsibility performance 2012 At Syngenta, Corporate Responsibility (CR) Contents is an integral part of everything we do. Syngenta is guided by the conviction that About our CR reporting 02 value creation depends

661 views • 36 slides
An Overview: Responsibility Center Management (RCM) Treasurers Town Hall Meeting Busch

An Overview: Responsibility Center Management (RCM) Treasurers Town Hall Meeting Busch

An Overview: Responsibility Center Management (RCM) Treasurers Town Hall Meeting Busch Campus 6/9/2014 Responsibility Center Management A budget model promoting financial responsibility at a unit level Works most effectively

511 views • 21 slides
Changes to HVNL chain of responsibility laws Safety duties The safety of transport activities

Changes to HVNL chain of responsibility laws Safety duties The safety of transport activities

Changes to HVNL chain of responsibility laws Safety duties The safety of transport activities relating to a heavy vehicle is the shared responsibility of each party in the Chain of Responsibility for the vehicle. The responsibility

753 views • 12 slides
Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals & Challenges

Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals & Challenges

5/17/2017 Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals & Challenges scalability and performance apps require more resources than one computer has 13B. Distributed Systems: Communication grow

572 views • 7 slides
From ER Diagrams to the Relational Model Rose-Hulman Institute of Technology Curt Clifton

From ER Diagrams to the Relational Model Rose-Hulman Institute of Technology Curt Clifton

From ER Diagrams to the Relational Model Rose-Hulman Institute of Technology Curt Clifton Review Entity Sets and Attributes Entity set: collection of things in the DB Attribute: property of an entity calories name Soda

395 views • 25 slides
Overview of NDN Pla/orm, Applica5on Libraries, and API

Overview of NDN Pla/orm, Applica5on Libraries, and API

Overview of NDN Pla/orm, Applica5on Libraries, and API NDNComm 2014 September 4, 2014 jburke@ucla.edu 1 Mo<va<on The NDN project's approach

654 views • 29 slides
INCF Cyberinfrastructure - storage layer - Raphael Ritz INCF Secretariat, Stockholm, Sweden

INCF Cyberinfrastructure - storage layer - Raphael Ritz INCF Secretariat, Stockholm, Sweden

INCF Cyberinfrastructure - storage layer - Raphael Ritz INCF Secretariat, Stockholm, Sweden Code Jam V, Edinburgh, UK, March 16, 2012 Joint work with Sean Hill (INCF, Stockholm) Ruggero Cucchiani (INCF, Stockholm) Stephen Larson

719 views • 16 slides
XRootD Monitoring Report A.Beche D.Giordano Outlines Talk 1: XRootD Monitoring Dashboard

XRootD Monitoring Report A.Beche D.Giordano Outlines Talk 1: XRootD Monitoring Dashboard

XRootD Monitoring Report A.Beche D.Giordano Outlines Talk 1: XRootD Monitoring Dashboard Context Dataflow and deployment model Database: storage & aggregation User interface & use cases Open issues & future

539 views • 37 slides
The Open Container Initiative Establishing standards for an open ecosystem Jonathan Boulle

The Open Container Initiative Establishing standards for an open ecosystem Jonathan Boulle

The Open Container Initiative Establishing standards for an open ecosystem Jonathan Boulle @baronboulle | jonathan.boulle@coreos.com A short agenda Why do we care about standards? Where have container standards come from? Where

1.46k views • 84 slides
A history of the CACG, EUGridPMA, and the IGTF (and some next steps) First APGridPMA

A history of the CACG, EUGridPMA, and the IGTF (and some next steps) First APGridPMA

A history of the CACG, EUGridPMA, and the IGTF (and some next steps) First APGridPMA Face-to-Face Meeting Beijing David Groep, 2005-11-29 A brief history From the CACG to EUGridPMA to IGTF The EU DataGrid CACG The EUGridPMA:

610 views • 34 slides
Advanced Publish/Subscribe Communication Services Antonio Carzaniga and Alexander L. Wolf

Advanced Publish/Subscribe Communication Services Antonio Carzaniga and Alexander L. Wolf

Advanced Publish/Subscribe Communication Services Antonio Carzaniga and Alexander L. Wolf University of Colorado at Boulder Boulder, Colorado USA {carzanig alw}@cs colorado edu {carzanig,alw}@cs.colorado.edu About the Tutors Antonio

1k views • 96 slides
Azure AppFabric WebDay, Porto, Feb. 2, 2010 Pedro Flix ( pedrofelix em cc.isel .ipl.pt) Azure

Azure AppFabric WebDay, Porto, Feb. 2, 2010 Pedro Flix ( pedrofelix em cc.isel .ipl.pt) Azure

An introduction to the Azure AppFabric WebDay, Porto, Feb. 2, 2010 Pedro Flix ( pedrofelix em cc.isel .ipl.pt) Azure AppFabric Set of services Service Bus (SB) Access Control Service (ACS) Running in the cloud Based on

620 views • 31 slides

More recommend