Grids & PKI: TAGPMA & Bridges (Scott Rea – Dartmouth College) Internet2 Member Meeting, Dec 2006 PKI Implementers Workshop - Chicago, IL

International Grid Trust Federation


International Grid Trust Federation

• IGTF purpose:
  – Manage authentication services for global computational grids via policy and procedures
• IGTF goal:
  – Harmonize and synchronize member PMAs' policies to establish and maintain global trust relationships
• IGTF members:
  – 3 regional Policy Management Authorities
    • EUgridPMA
    • APgridPMA
    • TAGPMA

[Figure slide: IGTF]

IGTF General Architecture

• The member PMAs are responsible for accrediting authorities that issue identity assertions.
• The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers.
• The management and continued evolution of an AP is assigned by the IGTF to a specific member PMA.
  – Proposed changes to an AP will be circulated by the chair of the PMA managing the AP to all chairs of the IGTF member PMAs.
• Each of the PMAs will accredit credential-issuing authorities and document the accreditation policy and procedures.
• Any changes to the policy and practices of a credential-issuing authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.

EUGridPMA members and applicants

[Map: green marks EMEA countries with an accredited authority]
• 23 of 25 EU member states (all except LU, MT) + AM, CH, HR, IL, IS, NO, PK, RU, TR
• Other accredited authorities: DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all

EUgridPMA Membership

• Under “Classic X.509 secured infrastructure” authorities
  – accredited: 38 (recent additions: CERN-IT/IS, SRCE)
  – active applicants: 4 (Serbia, Bulgaria, Romania, Morocco)
• Under “SLCS”
  – accredited: 0
  – active applicants: 1 (SWITCH-aai)
• Under MICS draft
  – none yet of course, but actually CERN-IS would be a good match for MICS as well
• Major relying parties
  – EGEE, DEISA, SEE-GRID, LCG, TERENA

Map of the APGrid PMA

Ex-officio Membership
• APAC (Australia)
• CNIC/SDG, IHEP (China)
• AIST, KEK, NAREGI (Japan)
• KISTI (Korea)
• NGO (Singapore)
• ASGCC, NCHC (Taiwan)
• NECTEC, ThaiGrid (Thailand)
• PRAGMA/UCSD (USA)

General Membership
• U. Hong Kong (China)
• U. Hyderabad (India)
• Osaka U. (Japan)
• USM (Malaysia)

APgridPMA Membership

• 9 Accredited CAs
  – In operation
    • AIST (Japan)
    • APAC (Australia)
    • ASGCC (Taiwan)
    • CNIC (China)
    • IHEP (China)
    • KEK (Japan)
    • NAREGI (Japan)
  – Will be in operation
    • NCHC (Taiwan)
    • NECTEC (Thailand)
• 1 CA under review
  – NGO (Singapore)
• Will be re-accredited
  – KISTI (Korea)
• Planning
  – PRAGMA (USA)
  – ThaiGrid (Thailand)
• General membership
  – Osaka U. (Japan)
  – U. Hong Kong (China)
  – U. Hyderabad (India)
  – USM (Malaysia)

[Figure slide: TAGPMA]

TAGPMA Membership

• Accredited
  – Argentina UNLP
  – Brazilian Grid CA
  – CANARIE (Canada)*
  – DOEGrids*
  – EELA LA Catch-all Grid CA
  – ESnet/DOE Office of Science*
  – REUNA Chilean CA
  – TACC – Root
• In Review
  – FNAL
  – Mexico UNAM
  – NCSA – Classic/SLCS
  – Purdue University
  – TACC – Classic/SLCS
  – Venezuela
  – Virginia
  – USHER
• Relying Parties
  – Dartmouth/HEBCA
  – EELA
  – OSG
  – SDSC
  – SLAC
  – TeraGrid
  – TheGrid
  – LCG

* Accredited by EUgridPMA


Recent Mapping Exercises

• Federal Bridge CA (FBCA) General Profile against IGTF Classic Profile

• Federal Citizen & Commerce Certificate CA (C-4) against IGTF Classic Profile

• IGTF Classic Profile against C-4

Mapping Designations

• Seven (7) designations are used to characterize the equivalency:
  – Exceeds – The ENTITY CP policy provides a higher level of assurance/security than the Federal CP requirement.
  – Equivalent – The ENTITY CP policy provides exactly the same assurance/security as the Federal CP requirement.
  – Comparable – The ENTITY CP contains dissimilar policy contents, but provides a comparable level of assurance to meet the security of the Federal CP requirement.
  – Partial – The ENTITY CP contains policy that is comparable, but it does not address the entire Federal CP requirement.
  – Not Comparable – The ENTITY CP contains dissimilar policy contents, which provide a lower level of assurance/security than the Federal CP requirement.
  – Missing – The ENTITY CP does not contain policy contents that can be compared to the Federal CP requirement in any way.
  – N/A – Not applicable to the ENTITY CP, or not required for FBCA cross-certification.

Mapping Results

• C-4 against IGTF Classic Profile
  – 30 policy points evaluated
  – 14 Comparable designations
  – 12 Partial designations
  – 3 Not Comparable designations
  – 1 Not Applicable designation

• FBCA General against IGTF Classic Profile
  – Basic LOA used for comparisons
  – 136 policy points evaluated
  – 22 Comparable designations
  – 33 Partial designations
  – 12 Not Comparable designations
  – 65 Missing designations
  – 3 Not Applicable designations

• IGTF Classic Profile against C-4
  – 30 policy points evaluated
  – 19 Comparable designations
  – 1 Partial designation
  – 10 Exceeds designations
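As an added example (my code, not part of the presentation or of any IGTF or FBCA tooling), the following Python helper applies the seven-level designation scale from the Mapping Designations slide to a certificate-policy mapping and produces the kind of summary counts shown in the Mapping Results slides, together with the list of policy points that fall below Comparable and would need remediation or a documented compensating control before a cross-certification. The policy points in SAMPLE_MAPPING are constructed for illustration; the section numbers follow the RFC 3647 CP/CPS outline but do not come from any real mapping.

```python
"""Summarize a certificate-policy (CP) mapping using the seven FBCA-style
designations. Added example, not from the presentation; the policy points
and their designations below are constructed."""
from collections import Counter
from enum import IntEnum


class Designation(IntEnum):
    """Ordinal scale: a higher value is a stronger match against the Federal CP.
    NOT_APPLICABLE is deliberately kept out of the ordering (it is not a
    strength and is excluded from gap analysis)."""
    MISSING = 0
    NOT_COMPARABLE = 1
    PARTIAL = 2
    COMPARABLE = 3
    EQUIVALENT = 4
    EXCEEDS = 5
    NOT_APPLICABLE = -1


# Constructed sample mapping: policy point -> designation (illustrative only).
SAMPLE_MAPPING = {
    "3.2.3 Authentication of individual identity": Designation.COMPARABLE,
    "4.9.7 CRL issuance frequency": Designation.PARTIAL,
    "5.1.2 Physical access": Designation.NOT_COMPARABLE,
    "6.1.5 Key sizes": Designation.EXCEEDS,
    "6.2.1 Cryptographic module standards": Designation.PARTIAL,
    "6.7 Network security controls": Designation.MISSING,
    "9.12 Amendments": Designation.NOT_APPLICABLE,
}


def summarize(mapping):
    """Return a dict of counts per designation name plus an EVALUATED total,
    mirroring the 'Mapping Results' slides (N/A points are counted in the
    total but carry no assurance weight)."""
    counts = Counter(d.name for d in mapping.values())
    counts["EVALUATED"] = len(mapping)
    return dict(counts)


def gaps(mapping, floor=Designation.COMPARABLE):
    """Policy points rated below `floor` (Comparable by default). These are
    the points an accrediting body would want closed, or covered by a
    compensating control, before signing a cross-certificate. N/A is skipped."""
    return sorted(
        point for point, d in mapping.items()
        if d != Designation.NOT_APPLICABLE and d < floor
    )


def meets_floor(mapping, floor=Designation.COMPARABLE):
    """True when every applicable policy point is at or above `floor`."""
    return not gaps(mapping, floor)


if __name__ == "__main__":
    for name, n in sorted(summarize(SAMPLE_MAPPING).items()):
        print(f"{name:16} {n}")
    print("gaps:", gaps(SAMPLE_MAPPING))
    print("meets Comparable floor:", meets_floor(SAMPLE_MAPPING))
```

Treating the scale as ordinal is what makes the gap report possible: Partial, Not Comparable and Missing all sit below Comparable, so a single threshold separates the points that map cleanly from those that need work, while N/A points are neither credited nor penalized.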

Proposed Inter-federations

[Diagram: proposed cross-certifications among bridge and grid PKIs. Labels shown, in the order they appear on the slide: FBCA, CA-1, CA-2, CA-n, Cross-cert, HEBCA, Dartmouth, Wisconsin, Texas, Univ-N, UVA, USHER, DST ACES, Cross-certs, SAFE, CertiPath, NIH, CA-1, CA-2, CA-3, CA-4, HE JP, AusCert CAUDIT PKI, CA-1, CA-2, CA-3, HE BR, Cross-certs, Other Bridges, IGTF, C-4.]

[Diagram: assurance levels of the federations side by side, as recovered from the slide layout. FPKI: High, Medium Hardware CBP, Medium Software CBP, Basic, Rudimentary, C-4. HEBCA/USHER: High, Medium, Basic, Rudimentary, Foundation. IGTF: Classic CA, SLCS, MICS. SAML: Username/Password.]


For More Information

• IGTF Website: http://www.gridpma.org/
• TAGPMA Website: http://www.tagpma.org/

Scott Rea - [email protected]