This document outlines the discussions from the Authentication Meetings held in December 2001 at CERN, focusing on the progress and challenges faced by various Certificate Authorities (CAs) within the European Data Grid (EDG) project. Key topics include defining procedures for trust, establishing an acceptance matrix for certification, addressing scaling issues, and ensuring the privacy of private keys. The next steps and future meetings, including an upcoming conference in Paris, are also highlighted.
Authentication
11 Dec 2001
David Kelsey
CLRC/RAL, UK
d.p.kelsey@rl.ac.uk
D.P.Kelsey, Authentication
Meetings
• WP6 Certificate Authorities Group
  • Defining procedures for Authentication/Trust
  • Dec 2000, March, June, August and Dec 2001
• Agenda 6/7 Dec 2001 – CERN
  • New CA's (USA and Germany)
  • Acceptance Matrix
  • GGF CP/CPS
  • Naming issues
  • Scaling problems
• Next meeting: Paris EDG Conference – March 2002
EDG CA's
• Already in TB1
  • CERN, Czech Rep, France, Ireland, Italy, Netherlands, Nordic, Portugal, Russia, Spain, UK
• In process of joining
  • USA (LBL/ESnet DOE Science Grid)
  • Karlsruhe (Germany, CrossGrid)
Acceptance Matrix
• Defined minimum requirements for an EDG CA
  • Don't accept Globus certs
• N * N matrix to show status of "acceptance"
  • Matrix rather sparse right now!
• Every CA checks that it is "happy" with all others
• Aim to complete this by 15 Feb 2002
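As an added illustration of the N * N acceptance matrix (this is not EDG project code): each cell records whether the CA in the row has reviewed and accepted certificates issued by the CA in the column, unreviewed cells are left empty so the matrix can be sparse, and two CAs only trust each other when both directions are filled in. The CA names are taken from the "EDG CA's" slide; the acceptance decisions in the table are constructed sample data, not the real state of the matrix.

```python
"""Sparse N x N CA acceptance matrix, modelled on the slide's description.

Added illustration, not EDG project code. CA names are from the slides;
the decisions recorded in ACCEPTANCE are constructed sample data.
"""
from itertools import permutations

# A subset of the CAs listed on the "EDG CA's" slide, to keep the matrix small.
CAS = ["CERN", "France", "Italy", "UK"]

# Constructed sample: (checking_ca, issuing_ca) -> True if checking_ca is
# "happy" to accept certificates issued by issuing_ca. Pairs absent from the
# dict have simply not been reviewed yet, which is what makes the matrix sparse.
ACCEPTANCE = {
    ("CERN", "UK"): True,
    ("UK", "CERN"): True,
    ("CERN", "France"): True,
    ("France", "CERN"): False,   # constructed: review done, minimum requirements not met
    ("Italy", "UK"): True,
}


def status(checking_ca, issuing_ca):
    """Return 'accepted', 'rejected' or 'unchecked' for one matrix cell."""
    if checking_ca == issuing_ca:
        return "accepted"          # a CA always accepts its own certificates
    cell = ACCEPTANCE.get((checking_ca, issuing_ca))
    if cell is None:
        return "unchecked"
    return "accepted" if cell else "rejected"


def mutually_accepted(ca_a, ca_b):
    """Trust is only usable in both directions when each CA has accepted the other."""
    return status(ca_a, ca_b) == "accepted" and status(ca_b, ca_a) == "accepted"


def outstanding_checks(cas=CAS):
    """Ordered (checking, issuing) pairs still to be reviewed before the matrix is complete."""
    return sorted((a, b) for a, b in permutations(cas, 2) if status(a, b) == "unchecked")


def completion(cas=CAS):
    """Fraction of off-diagonal cells that have been reviewed, whatever the outcome."""
    total = len(cas) * (len(cas) - 1)
    return (total - len(outstanding_checks(cas))) / total


def render(cas=CAS):
    """Text table: rows are the checking CA, columns the issuing CA."""
    width = max(len(c) for c in cas) + 2
    mark = {"accepted": "Y", "rejected": "N", "unchecked": "?"}
    lines = ["".ljust(width) + "".join(c.ljust(width) for c in cas)]
    for a in cas:
        lines.append(a.ljust(width) + "".join(mark[status(a, b)].ljust(width) for b in cas))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render())
    print("outstanding:", outstanding_checks())
    print(f"complete: {completion():.0%}")
```

The check is deliberately directional: "Italy accepts UK" says nothing about whether UK has reviewed Italy, so `mutually_accepted` is what a site would consult before relying on the other CA, and `outstanding_checks` is the to-do list for the 15 Feb 2002 deadline.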
Some issues
• Host certificates
  • Need to find a CA prepared to issue them
• Privacy of private key
• Scaling
  • Resources
  • Global trust
• GGF CP
• Authorisation vs Authentication
• Naming
Privacy of private key
• Private key must be secret or else …
  • CP violation
  • Violation of Use Guidelines
• Compromised keys should be revoked by the CA
• Service/Host certificates must relate to a single network entity
  • This will be enforced
Scaling issues
• Number of CA's growing quickly
• Number of certs per CA growing too fast
  • CERN users should apply to their national CA
• Didn't discuss the problem much
• Resources required are large
  • To run a CA
  • To check trust with all others
• Possible solutions
  • GGF CP work
  • Make Authentication lightweight
    • Bind name string to public key, but no meaning of name
GGF CP/CPS
• Discussed draft CP document
• GGF hopes to agree this in Toronto (Feb 02)
• 4 levels of assurance or just 2 levels?
• Do we need proof of possession of private key?
• Need to remove references to US Federal agencies
• Central GGF repository
  • Plus audit
  • More scaling problems!
Authentication vs Authorisation
• Where do we put most effort checking identity?
• Answer
  • As close to the resources as possible
  • Authorisation scheme will need to do most checking
  • Don't duplicate the effort!
• Authentication cert could bind random string to public key
Naming
• Flat namespace vs hierarchy?
• What does the name mean anyway?
• Examples
  • /dc=doesciencegrid /dc=org /cn=John Smith 2654
  • /c=uk /o=ESgrid /ou=GridPP /L=Manchester /cn=John Smith
• Main reason to keep flat
  • Remove all Authorisation information
• Decided not to standardise
  • CA can do what they like
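The two DN examples on the "Naming" slide, together with the point made on the "Authentication vs Authorisation" slide that the certificate need only bind a string to a public key, can be shown in code. This is an added illustration, not EDG code: it parses both DN forms, reports which one carries organisation or location attributes (the authorisation-like information the flat-namespace argument wants removed), and then looks up roles by the whole name string as an opaque key rather than reading them out of ou= or L=. The DN strings are the slide's own examples; the role table and the attribute list are constructed for the example.

```python
"""Flat vs hierarchical names, using the two example DNs from the slide.

Added illustration, not EDG project code. The DNs are the slide's own
examples; ROLES and AUTHZ_LIKE_ATTRIBUTES are constructed sample data.
"""

# The slide's two examples (the second with its spacing tidied).
FLAT_DN = "/dc=doesciencegrid /dc=org /cn=John Smith 2654"
HIERARCHICAL_DN = "/c=uk /o=ESgrid /ou=GridPP /L=Manchester /cn=John Smith"

# Constructed list: attributes that describe an organisation or a location,
# i.e. the kind of authorisation information a flat name leaves out.
AUTHZ_LIKE_ATTRIBUTES = {"o", "ou", "l", "st"}


def parse_dn(dn):
    """Split an OpenSSL-style '/attr=value/...' string into (attr, value)
    pairs. Attribute names are lower-cased; stray whitespace is removed."""
    pairs = []
    for rdn in dn.split("/"):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def canonical(dn):
    """One spelling per name, so a table keyed on it is not fooled by
    spacing or attribute-name case ('/ou= GridPP' and '/ou=GridPP' agree)."""
    return "/" + "/".join(f"{a}={v}" for a, v in parse_dn(dn))


def embedded_authz_attributes(dn):
    """Which organisation/location attributes the name carries."""
    return {a for a, _ in parse_dn(dn) if a in AUTHZ_LIKE_ATTRIBUTES}


def is_flat(dn):
    """Flat in the slide's sense: the name binds a string to a key and says
    nothing about the subject's organisation or location."""
    return not embedded_authz_attributes(dn)


# Constructed sample authorisation table, keyed on the canonical name string.
ROLES = {
    canonical(FLAT_DN): {"edg-user"},
    canonical(HIERARCHICAL_DN): {"edg-user", "gridpp-admin"},
}


def authorise(dn, table=ROLES):
    """Roles come only from the table. A certificate whose DN happens to say
    ou=GridPP gets nothing unless that exact name has been registered."""
    return set(table.get(canonical(dn), set()))


if __name__ == "__main__":
    for dn in (FLAT_DN, HIERARCHICAL_DN):
        print(canonical(dn), "flat" if is_flat(dn) else "hierarchical",
              sorted(embedded_authz_attributes(dn)), sorted(authorise(dn)))
    # Same ou=GridPP and L=Manchester, different cn: not registered, so no roles.
    print(authorise("/c=uk/o=ESgrid/ou=GridPP/L=Manchester/cn=Jane Doe"))
```

The numeric suffix in "John Smith 2654" is what makes the flat name unique without giving it any meaning; whether a CA chooses that style or the hierarchical one, the authorisation code above treats the name the same way, which is what "CA can do what they like" costs once the resource side does all the checking.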