the americas grid policy management authority (tagpma) derek simmel, tagpma chair june 23, 2015

The Americas Grid Policy Management Authority (TAGPMA)

Derek Simmel, TAGPMA Chair

June 23, 2015

2© 2010 Pittsburgh Supercomputing Center

© 2015 Pittsburgh Supercomputing Center

TAGPMA Presentation Overview

• Background

• Community

• What is TAGPMA?

• IGTF Regional PMAs, Profiles and Processes

• TAGPMA Leadership, Members and CAs

• TAGPMA Meetings



Background

• Public Key Infrastructure (PKI)– X.509 digital certificates

• data signed using a secure, cryptographic checksum• typically used for identity credentials

– hosts, services, people– Certificate Authorities (CAs)

• securely issue digital certificates– Registration Authorities (RAs)

• verify identity of end entities requesting certificates– Relying Parties (RPs)

• any person or organization that trusts a CA and depends (relies) upon the CA to issue certificates

– Internet Protocols, e.g., SSL, TLS



Background

• Grid / Cloud computing & Web Services– Distributed computing with standards-based interfaces for secure

authentication and secure communications• Open Grid Forum (OGF) www.ogf.org• Organization for the Advancement of Structured Information Standards

(OASIS) www.oasis-open.org• World Wide Web Consortium www.w3.org• Certificate Authority/Browser Forum www.cabforum.org• Internet Engineering Task Force www.ietf.org

http://www.ogf.org/

http://www.oasis-open.org/

http://www.w3.org/

http://www.cabforum.org/

http://www.ietf.org/



Community

• High Performance Computing (HPC)– primarily with the HPC computational science communities– National and international HPC cyberinfrastructures, e.g.,

• European Grid Infrastructure (EGI)• U.S. National Science Foundation (NSF) XSEDE• Partnership for Advanced Computing in Europe (PRACE)• U.S. NSF & DoE Open Science Grid• Worldwide Large Hadron Collider (LHC) Grid (WLCG)

• High Throughput Computing (HTC)– cloud computing and high-scaling computing on collections of distributed

nodes

• Grid/Cloud Distributed Computing & Storage

• National, Institutional and Commercial CAs



Community - EGI



Community - XSEDE



Community - PRACE

System Type Location Production

CURIE Bull x86 cluster CEA, France March 2012

FERMI IBM BG/Q CINECA, Italy April 2012

Hornet Cray XC40 HLRS, Germany November 2014

JUQUEEN IBM BG/Q Jülich, Germany January 2013

MareNostrum IBM iDataPlex BSC, Spain June 2013

SuperMUC IBM iDataPlex LRZ, Germany April 2012

PRACE Tier-0 Systems



Community – OSG



Community - WLCG

Illustration courtesy [email protected]

Worldwide Large Hadron Collider Grid

Tier-0 (CERN):• Data recording• Initial data reconstruction

• Data distribution

Tier-1 (11 centres):• Permanent storage

• Re-processing• Analysis

Tier-2 (~130 centres):

• Simulation• End-user

analysis



What is TAGPMA?

• The Americas Grid Policy Management Authority (TAGPMA) is one of three regional PMAs that comprise the Interoperable Global Trust Federation (www.igtf.net)

• The purpose of IGTF is to establish and foster strong trust relationships among individuals and institutions worldwide so that trusted authentication and authorization of access by/to people, systems, and services can occur across the Internet

• Each regional PMA accredits authentication providers and registration authorities within its region

• IGTF maintains a distribution of trusted CA data that relying parties can download and use in their infrastructures to validate the credentials of users, systems and services that have credentials issued by one of the IGTF-accredited CAs (https://dist.igtf.net)

http://www.igtf.net/

https://dist.igtf.net/

https://dist.igtf.net/



IGTF Regional PMAs

APGridPMA

TAGPMA

EUGridPMA



IGTF Accreditation Profiles

• Classic X.509 CA– Traditional CA operated with secured infrastructure– Classic CAs issue long-term certificates with lifetime up to 400 days– Subscriber identity vetting is face-to-face or equivalent– https://www.igtf.net/ap/classic/IGTF-AP-classic-4-4.pdf

• MICS: Member Integrated X.509 PKI Credential Services– Online CA that issues certificates based on pre-existing identity data

maintained by a federation or large organization– Classic CAs issue long-term certificates with lifetime up to 400 days– http://tagpma.es.net/wiki/pub/Main/TagMICS/IGTF-AP-MICS-1.3.pdf



IGTF Accreditation Profiles continued

• SLCS: Short-Lived X.509 PKI Credential Services– Online CA that issues short-lived certificates based on pre-existing

identity data maintained by a federation or large organization– SLCS CAs issue certificates with a lifetime of up to 1,000,000 seconds– Common example: MyProxy CAs– https://tagpma.es.net/wiki/pub/Main/SLCS2/SLCS-2.2.pdf

• IOTA: Identifier-Only Trust Assurance– Online CA that issues certificates based on successful authentication to

a federated identity management infrastructure– Traceability of issued certificates to subscribers may be limited– Common example: CILogon-Basic CA– http://www.gridpma.org/ap/iota/IOTA-Secured-Infra-AP-1.1.pdf



CA Accreditation Process

• Membership Application– Organization applies for membership as an AP– TAGPMA members vote to accept/decline membership

• Member requests accreditation of a CA– Member describes CA and desired CA Profile– A TAGPMA Mentor is assigned– Two TAGPMA member reviewers are assigned

• Reviewers examine CA Certificate Policy and Certification Practice Statement (CP/CPS)– Reviewers work with applicant to resolve issues– TAGPMA members vote to accept/decline CA

• Operational Review– Reviewers test operational aspects of CA– Upon successful completion of operational tests, CA is considered “TAGPMA accredited”

• CA operators prepare and submit CA certificate and data for IGTF distribution– A designated TAGPMA “trusted introducer” verifies CA certificate and related data, digitally signs file containing the

CA certificate and data, and submits it to IGTF– IGTF adds the new CA certificate and data to a pre-release collection for testing, and upon successful testing adds it to

the next scheduled public IGTF distribution– (optional) The CA operator applies to the TERENA Academic Certification Authority Repository (TACAR) to have their

CA certificate added to the TACAR distribution. A designated TAGPMA “trusted introducer” verifies CA certificate and related data, digitally signs file containing the CA certificate and data, and submits it to TACAR for inclusion in the TACAR distribution.



TAGPMA Leadership

• Chair: Derek Simmel (PSC)– [email protected]

• Chair for Latin America: Ale Stolk (ULAGrid)– [email protected]– Coordinates activities with Spanish-speaking partners and members

and leads TAGPMA Español meetings

• Vice Chair: Scott Rea (DigiCert + REBCA)– [email protected]

• Secretary: Ale Stolk

• Webmaster: Scott Rea



Current TAGPMA MembersOrganization Country Respresentative AP/RP

DigiCert USA Scott Rea APFNAL USA Irwin Gaines APGridCanada Canada Andre Charbonneau APIBDS ANSP Brazil Gabriel von Winckler APInCommon USA Jim Basney APNCSA USA Jim Basney APNERSC USA Jeff Porter APNICS USA Victor Hazlewood (Jason Charcalla) APPSC USA Derek Simmel APREUNA Chile Sandra Jaque APSDSC USA Scott Sakai APUFF Brazil Vinod Rebello APUNAM Mexico Manuel Quintero (Jhonatan López) APUNIANDES Colombia Andres Holguin APUNLP Argentina Paula Venosa (Alejandro Lara) APESNet USA Dhiva Muruganantham RPOGF USA Alan Sill RPOSG USA Jim Basney RPREBCA USA Scott Rea RPredCLARA Chile/LAC Luis A. Nuñez RPULAGrid Venezuela Alejandra Stolk RPWLCG Switzerland Dave Kelsey RPXSEDE USA Jim Marsteller RP



TAGPMA Classic CAs (14)

• Argentina (UNLP):– /C=AR/O=e-Ciencia/OU=UNLP/L=CeSPI/CN=PKIGrid

• Brasil (ANSP, UFF):– /C=BR/O=ANSP/OU=ANSPGrid CA/CN=ANSPGrid CA– /C=BR/O=ICPEDU/O=UFF BrGrid CA/CN=UFF Brazilian Grid Certification Authority

• Canada (GridCanada):– /C=CA/O=Grid/CN=Grid Canada Certificate Authority

• Chile (REUNA):– /C=CL/O=REUNACA/CN=REUNA Certification Authority

• Colombia (UNIANDES):– /C=CO/O=Uniandes CA/O=UNIANDES/OU=DTI/CN=Uniandes CA

• Mexico (UNAM):– /C=MX/O=UNAMgrid/OU=UNAM/CN=CA



TAGPMA Classic CAs (14) continued

• U.S.A. (DigiCert, InCommon):– /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid Root CA

• /DC=DigiCert-Grid/DC=com/O=DigiCert Grid/CN=DigiCert Grid CA-1 G2– /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA

• /C=US/O=DigiCert Grid/OU=www.digicert.com/CN=DigiCert Grid Trust CA• /C=US/O=DigiCert Grid/OU=www.digicert.com/CN=DigiCert Grid Trust CA G2

– [/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority]• /C=US/O=Internet2/OU=InCommon/CN=InCommon IGTF Server CA

• Venezuela (ULAGrid) – has suspended operations until further notice – removed from IGTF Distribution:– /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification

Authority



TAGPMA SLCS CAs (6)

(All current TAGPMA SLCS CAs are in the U.S.A)

• FNAL:– /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM

• NCSA:– /C=US/O=National Center for Supercomputing Applications/OU=Certificate

Authorities/CN=MyProxy CA 2013– /C=US/O=National Center for Supercomputing Applications/OU=Certificate

Authorities/CN=Two Factor CA 2013

• NERSC:– /DC=net/DC=ES/OU=Certificate Authorities/CN=NERSC Online CA

• NICS – has suspended operations until further notice – removed from IGTF Distribution:– /DC=EDU/DC=TENNESSEE/DC=NICS/O=National Institute for Computational

Sciences/CN=MyProxy

• PSC:– /C=US/O=Pittsburgh Supercomputing Center/CN=PSC MyProxy CA



TAGPMA MICS (2) and IOTA (1) CAs

(All current TAGPMA MICS and IOTA CAs are in the U.S.A)

• MICS:– CILogon-Silver:

• /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1– NCSA:

• /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=CACL

• IOTA:– CILogon-Basic:

• /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1



TAGPMA Meetings

• TAGPMA members meet monthly via video CERN Vidyo teleconference– 2nd Monday of each month– 11:00am Eastern – Spanish language call– 11:30am Eastern – English language call

• TAGPMA Face-to-face meetings– twice per year (once in Latin America, once in North America)– most recent F2F meeting was here at PSC in May 2015– next F2F meeting is scheduled for Sept. 30 – Oct. 1, 2015 at UNAM, Mexico

• IGTF All-Hands meetings– once every 18 months – rotates among PMAs– most recent All-Hands meeting was hosted by APGridPMA at Academia Sinica

in Taipei, Taiwan during March 2015– next All-Hands meeting will be hosted by EUGridPMA in late 2016

the americas grid policy management authority (tagpma) derek simmel, tagpma chair june 23, 2015

Documents

advanced computing

highscaling computing

prace tier

tagpma chairjune

secure authentication

igtf regional pmas

identity credentialshosts

authoritybrowser forum