OPEN ISSUES

Authentication Issues

Secure storage of private key (smartcards ? USB disks ? No filesystem storage)

Use private key to check-in proxy credentials to a secure proxy server (OCR: online certificate repository).

-Issues to resolve:

Who operates the proxy server ?

What are lifespan and renewal characteristics of proxy certs ?

User?s today control the lifespan of their created proxy credentials (up to the limit of the lifespan on their long-term certificate). While this could lead to abuse by users who create unduly long proxies, with even minimal user education this has not been a problem to date.

If this were to start emerging as a problem we would envision making changes to the GSI code to allow a site to enforce policy - for example no proxy with a lifetime greater than X days could be used for authentication.

What are appropriate restrictions on proxy credentials and who/how controlled ?

This is still very much a area of research. In our Proxy Certificate draft to IETF and GGF we are intentionally flexible in the area of policy language since we don?t know yet what policies folks will want and what the best languages will be to carry these policies.

Since all languages have to be enforced by the resource, it ultimately decided what languages and restrictions it will understand. Our view is that any proxy that contains policy not understood by a resource should be treated by that resource as invalid and unusable for authentication and authorization decisions.

The restrictions in a Proxy Certificate are controlled by the entity that issues the Proxy Certificate (it is limited to a subset of the rights in the certificate that it is using to issue the proxy). The entity must have some way of knowing, currently out of band, what policies are understood by the resource the rights will be enforced by.

[My original response before Dane?s clarification. - Von]

[Again, ignoring OCRs. - Von]

Proxy credentials today are stored very much like Kerberos tickets - on the local filesystem, owned by the creator and protected by the filesystem?s access control mechanisms. In unix this means read and writable only by the owner.

User has to remember passphrase as well as maintain a secure electronic copy of the longterm private key for use.

How is minimum ( strength of )passphrase imposed ?

Authorization Issues

How do Resource Providers apply consistent local authorization policy across a site ? Shouldn't there be something like a PAM callout in the gateway to allow for custom authorization policy decisions rather than force use of local file lookup (ie. gridmapfile)

It is common to have individuals belong to multiple authorization groups and need to try multiple permissions.

It is desirable for users to specify which authorizations they intend to invoke for a specific request.

How does site articulate local authorization requirements to service requestors ?

What requests/arbitration is permitted at local authorization step and how translated ?

How is communication from local resource to remote requester handled ?

Is the gateway involved in all communication ?

Is there direct communication with resource server and requestor ?

Use of existing site to local mappings.

Accounting Issues

Sites will have to provide auditing abilities for the following purposes at least (agreements with VO?s may modify this list, but past experience indicates the sites would want to keep this even if the VO deferred):

-Conflict resolution between resource providers and consumers.

Globus today doesn't provide any auditing services beyond those on the local system. It?s services (e.g. Gatekeeper, GridFTP server) do log their actions to aid in diagnosis and troubleshooting.

In terms of monitoring, Globus provides the MDS service which allows for monitoring of a resource. MDS is extensible in that custom providers can be plugged in to allow for the reporting of any information desired. The set of default information can be found in the MDS Schema:

http://www.globus.org/gt2/mds2.1/Schema.html

CAS keeps a log of all the credentials it issues along with the authentication information from the user it issued the credential to. It can then either put the user?s identity in the CAS credential or a unique identifier in the CAS credential that can mapped back to the user?s identity using the CAS logs. In either case the current CAS-enabled GridFTP server logs this information.

ISSUES IN RESOLUTION

Authentication Issues

Sites all currently have authentication systems for identifying users and verifying user identities

Moving from these methods is expensive and tedious.

Sites must be able to continue using these methods for local users.

Globus and GSI have no requirements that they replace existing authentication mechanisms. The goal of GSI is to authenticate a user using their Grid Credentials (i.e. X.509 certificate) and then converting this Grid identity, using local policy, to local credentials.

For standard Unix systems today this is implemented through simple mapping mechanism in GSI which uses a grid-mapfile. The grid-mapfile has locally-defined mappings from Grid identities to a local unix usernames. Application servers will then typically use setuid() to change to this local unix identity.

For credentials-based local security mechanisms, e.g. Kerberos and AFS, Globus supports credential conversion mechanisms, e.g. sslk5 and gsiklog,which allow conversion of X.509 credentials to local credentials.

Other mechanisms could be written to integrate Globus with other local security mechanisms. The idea being that GSI maps to local mechanisms, it does not replace them.

Dane Responds:

However, a requirement to propagate GRID credentials around internally within a site, is a defacto driver toward universal accomodation to the GRID mechanism. Site autonomy implies the need for a

Sites will require that they have a method to rapidly challenge an authentication

This is an issue to be taken up between sites and the CAs issuing certificates they choose to trust. If a site wants to have a guarantee of a ability to communicate quickly this should be negotiated with the CA and written into the CA?s Certificate Policy (CP).

Looking specifically at the DOE Science Grid CA CP, while it does state that CRL?s will be issued as soon as they are changed and it does express intent to set up an OCSP (online certificate status protocol) service, there is no guarantee of being able to quickly contact the CA to get a certificate put on the CRL.

[In my opinion I think it?s reasonable to expect that during normal business hours this would be pretty quick, but if you are concerned about off-hours we may want to clarify this in the CP. - Von]
 

The site must be able to rely on timely (with 24 hours) communication through the authenticator about problems with specific accounts.

As stated in the response to 1.6 above, this is an issue to be negotiated between the site and the CA issuing certificates.

In the case of the DOE Science Grid CA, the CP is fairly clear that once the CA revokes a certificate it will publish a new CRL fairly quickly and eventually offer OCSP to give real time information.

[My original response before Dane?s clarification above. - Von]

For many cases a site will still maintain a entry in their user database for the user that is independent from the mechanism the user uses to authenticate. This database typically has the needed contact information to ensure this.

When using CAS as the authentication mechanism a site negotiates directly with the VO running the CAS server, so sites should negotiate this level of service with the CAS administrators.
 

Authorization Issues

Local authorization decisions are expected to be based on any or all of:

-Clique within approved VOs

-VO membership

Individual identity has been handled by GSI for several years now using the GSI authentication mechanism and the grid-mapfile mapping and authorization mechanism.

CAS enables the ability authorize based on VO membership and roles. A user?s possession of a CAS proxy credential indicates VO membership and their rights as granted by their roles in the VO are embedded in the credential.

Sites must have knowledge of each authorized user of its resources.

At runtime Globus applications log the mapping of identity they make from the subject name in the GSI certificate to the local account. This allows a site to determine the the actual subject name if needed.

Gateway model issues:

*In this model, there is a gateway layer at each site above each GRID resource.

*This layer has the following functions:

-Receive the GRID request and verify validity (format, contents, etc.)

-Confirm authenticity of the request (check all certs and signatures)

-Authenticate gateway back to requester

-Translate GRID identity to local identity (checking for local authorization)

-Obtain local authentication token

-Pass local authentication token and request to local GRID resource

-(How does the rest of the process work ?) ?
 

Accounting Issues

---

RESOLVED ISSUES

Authentication Issues

Supplemental systems for inter-lab access will need to be equivalent or better in strength for equivalent accesses.

While it's really up to the reader, using the information in the rest of this document, to decide for themselves the relative security of the Globus Toolkit, we believe, that with proper deployment, it can meet a high standard, on the same level as Kerberos. Two fundament reasons we believe this are:

GSI is built on top of standard well-known and tested technology and software - X.509, SSL, the OpenSSL library. By using public and popular mechanisms and code we use public scrutiny to help assure security and help make the software more easy to understand.

Components of GSI that are extensions to existing standards are open source and many are well-documented in standards bodies like IETF and GGF allowing them to be subjected to public review.

Sites require an acceptable validation process for each individual to be authenticated

This must be traceable through a trusted chain to each site.

Validations must be periodically renewed.

For the case of DOE SG CA certificates this period is 24 months. [Still somewhat in flux, may end up just being 12 months. - Von]

Validations must be revocable by a site (at least within that site)

In the case of the DOE SG CA any RA or any official entity may request revocation, which is very flexible.

In any case sites can always control access within their own site through their local authorization mechanisms.

Secure signage of proxy requests (done on smartcard ? On host PC(s) ? )

What resources needed to generate and sign proxy certs ? (subordinate CA?s ? User browser ?)

Forward the proxy private key.

How are authenticity checks performed and which failures may be fatal ?

OpenSSL checks that the user (or server if running on the user side) has a valid certificate.

OpenSSL verifies that the user possesses the private key that accompanies the certificate.

OpenSSL and GSI verify the certificate chain from the certificate presented up to a CA certificate. Each certificate in the chain must be valid.

OpenSSL and GSI verify the CA issuing the long-term certificate is trusted by the local resource.

GSI then verifies the authorization of the user identified by the certificate by check for the identity in the grid-mapfile.

GSI then maps the user to a local account name and verifies the local account name exists.

Authorization Issues

Requirements for granting authorization vary in stringency from admin access, to login access, to R/W data access to RO data access.

When using CAS, you are granting the VO the right to grant authorization within certain constraints (the rights granted to the local account the VO?s CAS identity maps to). Any rights you are not comfortable allowing the VO to administer should not be granted to the CAS but instead handled through traditional user identity mapping.

Sites require the ability to revoke authorization for individuals and groups domain-wide (at least within their domain).

-Implies user identity be part of credentials presented with requests.

Individuals and groups using CAS credentials are all required to be in the grid-mapfile and their removal from the grid-mapfile effectively revokes their authorization.

Accounting Issues

VO Requirements

The site must be assured that all members of the VO are aware of all local site security and computer usage policies and will abide by them (presumably the process of obtaining an account in the VO will include signing appropriate forms for each site).

Individual user validations must time out and be periodically renewed, taking account of any changes in local site policies.

The site must be able to restrict access to only members of a specific VO and not automatically grant access to anyone who obtains authentication credentials from the "grid".

Use proxy private key to sign authentication packet (e.g.. Timestamp, proxy public key) and encrypt with remote server public key.

Is this an application level transaction or an SSL library call ? GSI library call ?

How is remote server public key obtained ? Verified ?

Who is responsible for selecting, obtaining, distributing and supporting the application suite ?

[5.6.2 refers to the globus-proxy-init, etal sorts of applications that a user is expected to have access to to "login" to the grid. Is the model that we install globus toolkit on all desktops of folks planning to participate in Grid computing ? Is it that VO applications and/or recipes include distribution/wrappers for these functions ? - Dane]

The Globus Project will continue to distribute and support the Globus Toolkit. Others projects (e.g. NMI, GriPhyN, NEES) are tailoring the toolkit to their particular needs (including configuration, bundling Globus with other software) and redistributing. Ideally projects should try to leverage off of one of these other distributions and make their own only if they need to.

It?s probably unreasonable to install and maintain any software on user?s systems outside those of the core sites. The model to follow, I suspect, would be the one that sites like FNAL have in place today for their Kerberos software.