AhmSecurityMay2007


AHM-Security: Security Day on Thu May 24 after All Hands Meeting in Rm C101

We are organizing a "security day" on Thursday, May 24.

The duration of this meeting will be half a day, from 8:30am-1:30pm.

The idea is to leverage the fact that many of you will be at Argonne already for the All Hands Meeting, and we hope you will be able to stay another day.

The purpose of the meeting is to share more detailed information about the different security-related (incubator) projects, to see if we can align and streamline some of those efforts, to discuss potential technical implementation issues, and to identify any gaps that could be translated into new roadmap tasks and goals.

The following agenda items are suggestions - the final agenda depends on who will participate and on your feedback.

Agenda

  • GT 4.2 preparations
    • What needs to be done to prepare for the GT 4.2 release? When will the authorization interface be frozen?
  • Provisioning: MyProxy & GAARDS' GTS
    • What are the different provisioning facilities? What is missing? How can we leverage both efforts? What is planned?
  • Attributes, Roles and Group Membership Svcs & Management Tools: LDAP, GridGrouper, VOMS, PERMIS, GridShib/SAML
    • What are the differences? Do we need all? What integration pieces do we miss?
  • Policy Language Implementations: XACML, CACL, CAS, PERMIS, GUMS/SAZ
    • Is XACML too complicated without tools? Could we use something simpler? What improvements have been made to CAS? Is PERMIS all you need?
  • Delegation Service: GT4, EGEE, Univa's extensions, caGrid's improvements
    • Clearly a need for "delegation services". What are the differences? How do we find the common denominator and get on a single path?
  • Pluggable Authorization project (Tim): PDP/PIPs as possible incubator project
    • How can we benefit from pluggability and interoperability through standardization and reference implementation of PDP/PIP?
  • SAML utilities in GridShib project (Von, Tom, Tim)
    • Differences with existing GT infrastructure, merge with GT?
  • VO level security tools and models
    • Still too complicated to set up and manage VOs. What are the available solutions? How can we improve?
  • C-security features lag behind: caGrid's JNI solution for GridFTP leverages the Java-WS-implementation
    • How do we get the C-code feature set on par with Java? Is the JNI solution a viable alternative, also for C-GRAM and C-WS?
  • Overlap between CAS and GridShib
    • Do we need a common interface for issuing, querying, binding, and consuming SAML assertions?
  • OpenSAML Versioning
    • CAS and GridShib are using different versions of OpenSAML 1.1. Is it feasible to consolidate OpenSAML versions? Is OpenSAML 2.0 in our future? What does the roadmap look like with respect to SAML implementations?
  • New Authz Framework
    • Is the implementation of Attribute in the new framework adequate? What is lacking?
  • ??? your favorite security topic here ???

Let us know if you can join our little security love-fest, let us know your favorite topics, and how you may contribute.

Please RSVP to me (franks@mcs.anl.gov)

Hope to see you on May 24!

Securely yours, Frank.

---

Confirmed attendees:

  1. Frank Siebenlist (ANL/UC)
  2. Rachana Ananthakrishnan (ANL/UC)
  3. Jim Basney (NCSA)
  4. Joe Bester (ANL/UC) (call-in)
  5. Tim Freeman (UC/ANL)
  6. Amy Krause (EPCC, University of Edinburgh - OGSA-DAI)
  7. Laura Pearlman (ISI)
  8. Mike D'Arcy (ISI)
  9. Olle Mulmo (Univa) (call-in)
  10. Scott Oster (OSU)
  11. Tom Scavo (NCSA)
  12. Terry Fleury (NCSA)
  13.  ???

Notes

Agenda:

GT 4.2 Security Deliverables:

  • YES Authz Framework interfaces will be frozen for 4.1.2 release next week. Changes will be made only if absolutely required.
  • YES Signing policy file code for Java (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=3789). We don't have an implementation. Debate about changing the format. Handling of UTF-8 characters is problematic. Just implement now in Java what we have in C. Frank will ask David Groep for help on this. Patrick Doran will ask for help from Univa.
  • YES OpenSSL update to latest version. Update from Joe Bester. Done in a branch right now. Issues with autoconf/GPT that may not be easily resolvable. Charles Bacon is looking at it.
  • YES and CRITICAL: PC depth limit bug (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=4994). Jim Basney and Joe Bester will work on this.
  • YES Default to RFC compliant proxy certificates. Issue: GT 3.2 won't accept them (OK w/ our support policy). This is a public interface change. Users could still do grid-proxy-init -old. Requires documentation and changes in multiple places (C and Java). Will continue to support all three versions (legacy, draft, and RFC). Von will check with GMC, gt-dev, and VOMS developers. Rachana and Joe will work on this.
  • PENDING Default to 1024-bit key for PC to meet NIST and IGTF requirements. Action: Jim Basney will send proposal with performance numbers to security@globus.org. If we conclude that performance is acceptable, we will include it in GT 4.2.

SAML utilities in GridShib project (Von, Tom, Tim, Rachana) (http://dev.globus.org/wiki/Image:SecurityDay2007GridShib.ppt):

  • OpenSAML project has ended support for OpenSAML 1.1.
  • OpenSAML project requires us to use a different namespace for our modified OpenSAML version.
  • Shibboleth code uses the original OpenSAML namespace.
  • Action items in order of priority:
    1. Add GridShib-modified SAML to GT. Just put the jar in CVS.
    2. Move all OpenSAML code in Globus to use the GridShib modified SAML. GridShib project can submit a patch. Highly desirable for 4.2.
    3. Remove vanilla OpenSAML from GT distribution. This is a public interface change. Need to remove the vanilla OpenSAML in 4.2.0 or wait for 4.3. Can't remove the vanilla OpenSAML in a 4.2.x release. Desirable but not critical for 4.2.
    4. Consolidate code to embed/process assertions in certificate chains. Do it in the SAMLUtils project. Desirable but not critical for 4.2.

Provisioning: MyProxy & GAARDS' GTS:

  • Provisioning features of MyProxy:
    • myproxy-logon requires CA certificate of myproxy-server in ~/.globus/certificates. Can it be a self-signed server certificate? Future work: bootstrap CA certificate better. Frank will give input on use of secure remote password protocol for bootstrapping.
    • myproxy-logon -T will install user credentials, CA certificates, signing policy files, and CRLs into ~/.globus/certificates. This is a per-server configuration. Future work: handle expired CRLs better.
    • Could Globus provide a myproxy-server for the community? What type of authentication would be required? Can we eliminate the step of Simple CA install? Use PURSE?
    • MyProxy doesn't provision service certificates. Possible future work.
  • Provisioning features of GAARDS GTS
    • GTS is a service dedicated to provisioning CAs and CRLs.
    • Client-side API, command-line clients, embeddable application APIs.
    • Service to deploy in container to keep that container's trust fabric up-to-date.
    • Client software distribution includes CA certificate for GTS services.
    • Client describes trust information it wants in a query to GTS, which returns appropriate CAs and CRLs.
    • GTS has trust levels / trust groups. GTS administrators and CA administrators. GTS administrators can assign other people ability to become CA administrators. CA administrators can update CRLs, etc. CAs belong to trust groups, based on authentication profiles, levels of trust, etc.
    • Can federate GTS services. Example: training GTS is subordinate to production GTS.
    • Client can exclude local subjects from removal.
    • WSRF protocols.
    • GTS-side authentication only required for provisioning.
    • Admin GUIs.
    • Future work: provisioning customized signing policy files. Current policy files have default policy.
    • Future work: use notifications rather than polling? Support OCSP on GTS server? Modify Globus to use GTS validation call-out?
    • Doesn't use/provision gridmap files. Could it?
  • Other grid provisioning alternatives: gx-map (cron, perl), IGTF RPM distributions (cron), Terena CA repository (TACAR), VDT Fetch CRL (http://vdt.cs.wisc.edu/components/fetch-crl.html).
  • We need a simpler Simple CA. Doesn't work on Windows. Has too many steps. Generate certificates for users by default?
  • The Globus certificates directory is separate from standard Java or Windows trust root configurations.
  • Need to also include metadata, OCSP responders, attribute authorities, in addition to CA certificates and CRLs.
  • Provisioning grid-mapfiles: Dynamic Account Service, LCMAPS, gx-map, GTS?
  • Should we consolidate configuration information? Canonicalized format for trust root information. XML meta-data file.
  • Attribute servers could serve trust root information.

Delegation Service:

  • Univa's DDM effort had a requirement for recurring transfers. Credential renewal/refresh requirement. Implemented renewal service sitting next to GT Delegation Service.
    • There's no new web service interface, apart from a test service. Only a container-local interface.
    • Is there a plan to accept this patch? The code is being tested as part of Univa testing. Needs code reviews.
  • caBIG wants to get delegated credentials out of the container. Specify authorization policy that says who can obtain your credentials. Motivation: integrate web applications in grid security domain.
    • The MyProxy credential repository can provide this capability, but not with a web services protocol.
    • Extending the Delegation Service could provide this capability via web services.

"We've learned a lot since GRIM." - Von Welch
