UK contributions to EDG Security

1. UK contributions to EDG Security Linda Cornwall, GridPP Middleware Meeting 24th February 2003

2. Introduction • Security is important – without security the grid will fail. • Yet Security is not a separate WP in EDG • Security is not entirely about middleware – but is closely tied to middleware and middleware deployment. • Security is about policy, deployment, operations. • As well as depending on the middleware tools to carry these out.

3. UK’s main Contributions • DataGrid Security Co-ordination Group – Lead by David Kelsey (RAL) • Certificate Authorities Working Group – Lead by David Kelsey (RAL) • UK CA at the CLRC e-science centre. • BaBar VO (Virtual Organization) • Security Middleware development by Andrew McNab (Manchester) • Security Analysis by Gavin Lowe and Philippa Broadfoot (Oxford)

4. EDG Security Coordination Group (SCG) • Started in January 2002 (1 year into the DataGrid project) • Mandate:- • To Produce the EU deliverables of WP7 on Security. • To help co-ordinate, where necessary, the various Security activities taking place in WP’s 1 to 5 and WP7. • To liase with WP6 CA and Authorization groups, national Grid Projects and Globus • To contribute to the various versions of the Architecture of the EU DataGrid via input to ATF.

5. SCG Deliverable Documents • D7.5 (EDG Security Requirements and Testbed 1 Security Implementation) edited and largely written by RAL (Linda Cornwall) Contributions from various WP’s, major contributions from the Oxford team. • D7.6 (EDG Security Design) – currently in preparation, major contributions from UK people (Manchester, RAL, Oxford.) • D7.7 (Security Report on the final project release) (due end of 2003).

6. Certificate Authorities (CA’s) • The CA WG has defined the minimum requirements and best practise for CA’s • Approx 20 edg CA’s • (Easy downloading of CA rpm’s to set up acceptance of various CA’s certificates, tools for keeping CRL’s up to date.) • Building intercontinental and inter-project trust – e.g. Crossgrid • Interoperability with Kerberos CA’s. In particular Fermilab

7. Security Deployment • VOMS (Virtual Organization Management Service) will not be deployed until April • (VOMS signs a user’s proxy to confirm membership and roles within a Virtual Organisation.) • Many of the WP’s are only now integrating Security into their middleware • Difficult to feed into GridPP due to deployment being close to the end of GridPP.

8. Security and GridPP2 Middleware • Re-Engineering Middleware to move towards Service/Industrial quality. (FP6) • Re-engineering security middleware for interoperability between different systems. • Improving Security integration with GridPP developed middleware. • Integrating security that is being developed • Integrating Security that has been re-engineered. • Possibly Making Security OGSA compliant. • E.g. R-GMA at RAL.

9. Security Middleware Analysis • 2 aspects • Is the design secure? • Is the implementation secure? • It is possible to carry out a formal analysis of Security Design, there are experts in this at Oxford. • So far, have not been able to complete this – as the design has not been defined precisely enough to fully carry out this analysis.

10. Future Security Involvement • GridPP2 needs to be involved in Security to ensure • Middleware is secure • Middleware is adequate to satisfy requirements • Our policies are defined correctly • Sites have confidence in our Security • We feed into other major projects - EGEE, LCG • We contribute at an international/intercontinental level to the definition of standards. E.g. GGF. • Focus will move towards Procedures and Deployment • David Kelsey has been asked to lead the Security Group for LCG grid deployment policy.