The Americas Grid Policy Management Authority (TAGPMA)
Derek Simmel, TAGPMA Chair
June 23, 2015
© 2010 Pittsburgh Supercomputing Center
© 2015 Pittsburgh Supercomputing Center
TAGPMA Presentation Overview
• Background
• Community
• What is TAGPMA?
• IGTF Regional PMAs, Profiles and Processes
• TAGPMA Leadership, Members and CAs
• TAGPMA Meetings
Background
• Public Key Infrastructure (PKI)
  – X.509 digital certificates
    • data signed using a secure, cryptographic checksum
    • typically used for identity credentials: hosts, services, people
  – Certificate Authorities (CAs)
    • securely issue digital certificates
  – Registration Authorities (RAs)
    • verify identity of end entities requesting certificates
  – Relying Parties (RPs)
    • any person or organization that trusts a CA and depends (relies) upon the CA to issue certificates
  – Internet Protocols, e.g., SSL, TLS
Background
• Grid / Cloud computing & Web Services
  – Distributed computing with standards-based interfaces for secure authentication and secure communications
    • Open Grid Forum (OGF) www.ogf.org
    • Organization for the Advancement of Structured Information Standards (OASIS) www.oasis-open.org
    • World Wide Web Consortium www.w3.org
    • Certificate Authority/Browser Forum www.cabforum.org
    • Internet Engineering Task Force www.ietf.org
Community
• High Performance Computing (HPC)
  – primarily with the HPC computational science communities
  – National and international HPC cyberinfrastructures, e.g.,
    • European Grid Infrastructure (EGI)
    • U.S. National Science Foundation (NSF) XSEDE
    • Partnership for Advanced Computing in Europe (PRACE)
    • U.S. NSF & DoE Open Science Grid
    • Worldwide Large Hadron Collider (LHC) Grid (WLCG)
• High Throughput Computing (HTC)
  – cloud computing and high-scaling computing on collections of distributed nodes
• Grid/Cloud Distributed Computing & Storage
• National, Institutional and Commercial CAs
Community - EGI
Community - XSEDE
Community - PRACE
PRACE Tier-0 Systems

System        Type              Location           Production
CURIE         Bull x86 cluster  CEA, France        March 2012
FERMI         IBM BG/Q          CINECA, Italy      April 2012
Hornet        Cray XC40         HLRS, Germany      November 2014
JUQUEEN       IBM BG/Q          Jülich, Germany    January 2013
MareNostrum   IBM iDataPlex     BSC, Spain         June 2013
SuperMUC      IBM iDataPlex     LRZ, Germany       April 2012
Community – OSG
Community - WLCG
Illustration courtesy [email protected]
Worldwide Large Hadron Collider Grid
Tier-0 (CERN):
  • Data recording
  • Initial data reconstruction
  • Data distribution
Tier-1 (11 centres):
  • Permanent storage
  • Re-processing
  • Analysis
Tier-2 (~130 centres):
  • Simulation
  • End-user analysis
What is TAGPMA?
• The Americas Grid Policy Management Authority (TAGPMA) is one of three regional PMAs that comprise the Interoperable Global Trust Federation (www.igtf.net)
• The purpose of IGTF is to establish and foster strong trust relationships among individuals and institutions worldwide so that trusted authentication and authorization of access by/to people, systems, and services can occur across the Internet
• Each regional PMA accredits authentication providers and registration authorities within its region
• IGTF maintains a distribution of trusted CA data that relying parties can download and use in their infrastructures to validate the credentials of users, systems and services that have credentials issued by one of the IGTF-accredited CAs (https://dist.igtf.net)
IGTF Regional PMAs
APGridPMA
TAGPMA
EUGridPMA
IGTF Accreditation Profiles
• Classic X.509 CA
  – Traditional CA operated with secured infrastructure
  – Classic CAs issue long-term certificates with lifetime up to 400 days
  – Subscriber identity vetting is face-to-face or equivalent
  – https://www.igtf.net/ap/classic/IGTF-AP-classic-4-4.pdf
• MICS: Member Integrated X.509 PKI Credential Services
  – Online CA that issues certificates based on pre-existing identity data maintained by a federation or large organization
  – Classic CAs issue long-term certificates with lifetime up to 400 days
  – http://tagpma.es.net/wiki/pub/Main/TagMICS/IGTF-AP-MICS-1.3.pdf
IGTF Accreditation Profiles continued
• SLCS: Short-Lived X.509 PKI Credential Services
  – Online CA that issues short-lived certificates based on pre-existing identity data maintained by a federation or large organization
  – SLCS CAs issue certificates with a lifetime of up to 1,000,000 seconds
  – Common example: MyProxy CAs
  – https://tagpma.es.net/wiki/pub/Main/SLCS2/SLCS-2.2.pdf
• IOTA: Identifier-Only Trust Assurance
  – Online CA that issues certificates based on successful authentication to a federated identity management infrastructure
  – Traceability of issued certificates to subscribers may be limited
  – Common example: CILogon-Basic CA
  – http://www.gridpma.org/ap/iota/IOTA-Secured-Infra-AP-1.1.pdf
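As an added example (not part of the presentation or of any IGTF tooling), the following script checks an issued certificate's validity period against the lifetime limits the profile slides state: 400 days for Classic and MICS, 1,000,000 seconds for SLCS. It reads the text that `openssl x509 -noout -dates` prints, so a reviewer or relying party can apply the same check to a real certificate; the sample date strings at the bottom are constructed.

```python
"""Check a certificate's validity period against the lifetime limits the IGTF
profile slides state: Classic and MICS up to 400 days, SLCS up to 1,000,000
seconds.  Input is the text `openssl x509 -noout -dates` prints; the samples
at the bottom are constructed, not taken from real certificates."""
from datetime import datetime, timedelta, timezone

# Maximum lifetimes as stated on the slides (IOTA states no limit, so it is omitted).
PROFILE_MAX_LIFETIME = {
    "classic": timedelta(days=400),
    "mics": timedelta(days=400),
    "slcs": timedelta(seconds=1_000_000),
}

# openssl prints e.g. "notAfter=Jul 22 00:00:00 2016 GMT"
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"

def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes from `-dates` output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            stamp = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
            found[key] = stamp.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]

def lifetime_within_profile(profile, not_before, not_after):
    """True when notAfter - notBefore is positive and within the profile limit."""
    if not_after <= not_before:
        return False  # an inverted or empty validity period never passes
    return (not_after - not_before) <= PROFILE_MAX_LIFETIME[profile]

def check_cert_dates(profile, openssl_dates_text):
    """Parse the `-dates` text, then apply the named profile's limit."""
    not_before, not_after = parse_openssl_dates(openssl_dates_text)
    return lifetime_within_profile(profile, not_before, not_after)

# Constructed samples: 395 days (fits Classic/MICS) and 12 days (too long for SLCS).
CLASSIC_395_DAYS = "notBefore=Jun 23 00:00:00 2015 GMT\nnotAfter=Jul 22 00:00:00 2016 GMT\n"
SLCS_12_DAYS = "notBefore=Jun 23 00:00:00 2015 GMT\nnotAfter=Jul 05 00:00:00 2015 GMT\n"

if __name__ == "__main__":
    print("classic, 395 days:", check_cert_dates("classic", CLASSIC_395_DAYS))
    print("slcs, 12 days:", check_cert_dates("slcs", SLCS_12_DAYS))
```

Feed it the output of `openssl x509 -noout -dates -in cert.pem` to check a real certificate; the check covers only the lifetime, not the vetting or operational requirements of the profile.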
CA Accreditation Process
• Membership Application
  – Organization applies for membership as an AP
  – TAGPMA members vote to accept/decline membership
• Member requests accreditation of a CA
  – Member describes CA and desired CA Profile
  – A TAGPMA Mentor is assigned
  – Two TAGPMA member reviewers are assigned
• Reviewers examine CA Certificate Policy and Certification Practice Statement (CP/CPS)
  – Reviewers work with applicant to resolve issues
  – TAGPMA members vote to accept/decline CA
• Operational Review
  – Reviewers test operational aspects of CA
  – Upon successful completion of operational tests, CA is considered “TAGPMA accredited”
• CA operators prepare and submit CA certificate and data for IGTF distribution
  – A designated TAGPMA “trusted introducer” verifies CA certificate and related data, digitally signs file containing the CA certificate and data, and submits it to IGTF
  – IGTF adds the new CA certificate and data to a pre-release collection for testing, and upon successful testing adds it to the next scheduled public IGTF distribution
  – (optional) The CA operator applies to the TERENA Academic Certification Authority Repository (TACAR) to have their CA certificate added to the TACAR distribution. A designated TAGPMA “trusted introducer” verifies CA certificate and related data, digitally signs file containing the CA certificate and data, and submits it to TACAR for inclusion in the TACAR distribution.
TAGPMA Leadership
• Chair: Derek Simmel (PSC)
  – [email protected]
• Chair for Latin America: Ale Stolk (ULAGrid)
  – [email protected]
  – Coordinates activities with Spanish-speaking partners and members and leads TAGPMA Español meetings
• Vice Chair: Scott Rea (DigiCert + REBCA)
  – [email protected]
• Secretary: Ale Stolk
• Webmaster: Scott Rea
Current TAGPMA Members

Organization   Country       Representative                    AP/RP
DigiCert       USA           Scott Rea                         AP
FNAL           USA           Irwin Gaines                      AP
GridCanada     Canada        Andre Charbonneau                 AP
IBDS ANSP      Brazil        Gabriel von Winckler              AP
InCommon       USA           Jim Basney                        AP
NCSA           USA           Jim Basney                        AP
NERSC          USA           Jeff Porter                       AP
NICS           USA           Victor Hazlewood (Jason Charcalla) AP
PSC            USA           Derek Simmel                      AP
REUNA          Chile         Sandra Jaque                      AP
SDSC           USA           Scott Sakai                       AP
UFF            Brazil        Vinod Rebello                     AP
UNAM           Mexico        Manuel Quintero (Jhonatan López)  AP
UNIANDES       Colombia      Andres Holguin                    AP
UNLP           Argentina     Paula Venosa (Alejandro Lara)     AP
ESNet          USA           Dhiva Muruganantham               RP
OGF            USA           Alan Sill                         RP
OSG            USA           Jim Basney                        RP
REBCA          USA           Scott Rea                         RP
redCLARA       Chile/LAC     Luis A. Nuñez                     RP
ULAGrid        Venezuela     Alejandra Stolk                   RP
WLCG           Switzerland   Dave Kelsey                       RP
XSEDE          USA           Jim Marsteller                    RP
TAGPMA Classic CAs (14)
• Argentina (UNLP):
  – /C=AR/O=e-Ciencia/OU=UNLP/L=CeSPI/CN=PKIGrid
• Brasil (ANSP, UFF):
  – /C=BR/O=ANSP/OU=ANSPGrid CA/CN=ANSPGrid CA
  – /C=BR/O=ICPEDU/O=UFF BrGrid CA/CN=UFF Brazilian Grid Certification Authority
• Canada (GridCanada):
  – /C=CA/O=Grid/CN=Grid Canada Certificate Authority
• Chile (REUNA):
  – /C=CL/O=REUNACA/CN=REUNA Certification Authority
• Colombia (UNIANDES):
  – /C=CO/O=Uniandes CA/O=UNIANDES/OU=DTI/CN=Uniandes CA
• Mexico (UNAM):
  – /C=MX/O=UNAMgrid/OU=UNAM/CN=CA
TAGPMA Classic CAs (14) continued
• U.S.A. (DigiCert, InCommon):
  – /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid Root CA
    • /DC=DigiCert-Grid/DC=com/O=DigiCert Grid/CN=DigiCert Grid CA-1 G2
  – /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
    • /C=US/O=DigiCert Grid/OU=www.digicert.com/CN=DigiCert Grid Trust CA
    • /C=US/O=DigiCert Grid/OU=www.digicert.com/CN=DigiCert Grid Trust CA G2
  – [/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority]
    • /C=US/O=Internet2/OU=InCommon/CN=InCommon IGTF Server CA
• Venezuela (ULAGrid) – has suspended operations until further notice – removed from IGTF Distribution:
  – /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority
TAGPMA SLCS CAs (6)
(All current TAGPMA SLCS CAs are in the U.S.A.)
• FNAL:
  – /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM
• NCSA:
  – /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=MyProxy CA 2013
  – /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=Two Factor CA 2013
• NERSC:
  – /DC=net/DC=ES/OU=Certificate Authorities/CN=NERSC Online CA
• NICS – has suspended operations until further notice – removed from IGTF Distribution:
  – /DC=EDU/DC=TENNESSEE/DC=NICS/O=National Institute for Computational Sciences/CN=MyProxy
• PSC:
  – /C=US/O=Pittsburgh Supercomputing Center/CN=PSC MyProxy CA
TAGPMA MICS (2) and IOTA (1) CAs
(All current TAGPMA MICS and IOTA CAs are in the U.S.A.)
• MICS:
  – CILogon-Silver:
    • /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1
  – NCSA:
    • /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=CACL
• IOTA:
  – CILogon-Basic:
    • /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1
TAGPMA Meetings
• TAGPMA members meet monthly via CERN Vidyo video teleconference
  – 2nd Monday of each month
  – 11:00am Eastern – Spanish language call
  – 11:30am Eastern – English language call
• TAGPMA Face-to-face meetings
  – twice per year (once in Latin America, once in North America)
  – most recent F2F meeting was here at PSC in May 2015
  – next F2F meeting is scheduled for Sept. 30 – Oct. 1, 2015 at UNAM, Mexico
• IGTF All-Hands meetings
  – once every 18 months – rotates among PMAs
  – most recent All-Hands meeting was hosted by APGridPMA at Academia Sinica in Taipei, Taiwan during March 2015
  – next All-Hands meeting will be hosted by EUGridPMA in late 2016