Assessing Combined Assurance


Assessing Combined Assurance
David Groep, Nikhef
Introducing composites of DOGWOOD and BIRCH/CEDAR in EGI and beyond
Co-supported by the Dutch National e-Infrastructure coordinated by SURF, and by EGI Core Services

EGI Combined Assurance use case
The IOTA AP assurance level DOGWOOD is different, but the remainder of the assurance can be taken up by somebody else: the user community, or the registrar for the Access Platform. The only thing you get from the CA is an opaque ID.
Stepping up to adequate assurance:
- Real names from pseudonyms
- Enrolling users in a community
- Keeping audit records
- Auditability and tracing
- Incident response
Identity elements:
- identifier management
- re-binding and revocation
- binding to entities
- traceability of entities
- emergency communications
- regular communications
- rich attribute assertions
- correlating identifiers
- access control
(from: Evolving the EGI Trust Fabric - Bari 2015)

lcg-ca or explicit configuration: the wlcg IOTA CA by-pass
- For EGI-only sites nothing changed
- For EGI sites also under wlcg policy and installed post-EGEE: just install both policy packages, egi-core and lcg
  - ca-policy-egi-core: IGTF Classic, IGTF MICS, IGTF SLCS (e.g. ca-aegis, ca-tcs, ca-dfn-aai)
  - ca-policy-lcg: IGTF Classic, IGTF MICS, IGTF SLCS (e.g. ca-aegis, ca-tcs, ca-dfn-aai) plus ca-cern- (LCG-IOTA)

Project MinE (ALS) use case
- Access traditional global grid resources from the CLI
- By users that have no PKIX experience but are all properly vetted and registered (in the SURFsara CUA)
- Case comparable to LHC VOs (and to ELIXIR)
- Give access based on the DOGWOOD CUA ID and prepopulate a VOMS server based on CUA details

INTERLUDE (thanks to Mischa Sallé)
Leveraging the IGTF registration network for research, 25 September 2017

Additional info: Mischa Sallé, msalle@nikhef.nl
A proxy from the TTS: the ad-hoc way

A one-time URL giving a shell script

Register your ssh public key, as in GitLab, SourceForge, etc.

Hiding PKIX, just like KRB
- Implicit retrieval of proxies using ssh-agent
- Resulting proxies can be decorated with VOMS without need for passphrases or other credentials
- Predictable RCauth subject naming (USR) allows pre-registering in VOMS, COmanage, etc.

Beyond DOGWOOD (CERN IOTA, RCauth, CILogon Basic)
- Old model: CERN STS tight VO binding model, with the EGI and WLCG specific exception
- EGI combined assurance model: make assurance combination part of service AuthZ
  - Implemented by major AuthZ frameworks: Argus (1.7.1+), LCMAPS, dCache (3.1+)
  - Configuration shipped via EGI and WLCG
- But: which other assurance providers qualify?
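The decision the slides describe, a DOGWOOD/IOTA credential being accepted only when the user community supplies the assurance the CA did not, is easy to state as a small policy evaluator. The following is an added illustration written for this page, not Argus, LCMAPS or dCache code and not EGI's shipped configuration; the CA aliases (including the constructed "ca-cern-iota"), the VO names, the per-VO registration levels and the profile-to-level mapping are all assumptions made for the example.

```python
"""Combined-assurance authorization check (added illustration, not EGI code).

A site trusts only the CAs carried by the policy packages it installed.
A credential from a DOGWOOD (IOTA) CA is accepted only if the VO the user
belongs to is itself registered at the level the site requires; a
BIRCH/CEDAR credential is accepted on its own.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# IGTF assurance levels, weakest to strongest.
LEVEL_RANK = {"DOGWOOD": 1, "BIRCH": 2, "CEDAR": 3}

# Hypothetical CA alias -> (IGTF authentication profile, assurance level).
# Classic/MICS/SLCS CAs are taken as BIRCH or better here; IOTA CAs are DOGWOOD.
CA_PROFILE = {
    "ca-tcs": ("MICS", "BIRCH"),
    "ca-dfn-aai": ("SLCS", "BIRCH"),
    "ca-aegis": ("Classic", "CEDAR"),
    "ca-cern-iota": ("IOTA", "DOGWOOD"),  # constructed alias for an IOTA CA
}

# Which CA aliases each (constructed) distribution package carries.
POLICY_PACKAGES = {
    "ca-policy-egi-core": {"ca-tcs", "ca-dfn-aai", "ca-aegis"},
    "ca-policy-lcg": {"ca-tcs", "ca-dfn-aai", "ca-aegis", "ca-cern-iota"},
}

# Constructed community (VO) registration assurance: what the registrar
# vouches for. An HR-database, face-to-face vetted VO can lift a DOGWOOD
# credential to the level a site requires; a self-enrolled VO cannot.
VO_REGISTRATION_LEVEL = {
    "atlas": "BIRCH",         # constructed: HR-DB based, photo-ID vetted
    "project-mine": "BIRCH",  # constructed: CUA-registered users
    "vo.example": "DOGWOOD",  # constructed: light-weight enrolment
}


@dataclass
class Site:
    installed_packages: set
    required_level: str = "BIRCH"

    def trusted_cas(self) -> set:
        """Union of the CA aliases shipped by the installed policy packages."""
        cas = set()
        for pkg in self.installed_packages:
            cas |= POLICY_PACKAGES.get(pkg, set())
        return cas


@dataclass
class Request:
    issuer_ca: str            # alias of the CA that issued the user credential
    vo: Optional[str] = None  # VOMS membership asserted with the request, if any


def authorize(site: Site, req: Request) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request evaluated against the site policy."""
    if req.issuer_ca not in site.trusted_cas():
        return False, "issuer CA not in any installed policy package"
    profile, ca_level = CA_PROFILE[req.issuer_ca]
    # Start from the assurance the CA itself provides ...
    effective = ca_level
    # ... and let a registered community supply the remainder.
    if req.vo is not None and req.vo in VO_REGISTRATION_LEVEL:
        vo_level = VO_REGISTRATION_LEVEL[req.vo]
        if LEVEL_RANK[vo_level] > LEVEL_RANK[effective]:
            effective = vo_level
    if LEVEL_RANK[effective] >= LEVEL_RANK[site.required_level]:
        source = req.vo if req.vo is not None else "CA only"
        return True, f"{profile} CA at {ca_level}, effective {effective} via {source}"
    return False, f"effective assurance {effective} below required {site.required_level}"


if __name__ == "__main__":
    egi_only = Site({"ca-policy-egi-core"})
    wlcg_site = Site({"ca-policy-egi-core", "ca-policy-lcg"})
    for site_name, site in (("EGI-only", egi_only), ("EGI+WLCG", wlcg_site)):
        for req in (Request("ca-cern-iota", "atlas"), Request("ca-cern-iota", "vo.example"),
                    Request("ca-cern-iota"), Request("ca-tcs")):
            print(site_name, req, authorize(site, req))
```

The EGI-only site never sees the IOTA CA because it is not in the egi-core package, so nothing changes there; the site that also installed the lcg package accepts the IOTA credential only when an adequately registered VO is asserted alongside it.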

Specific Delegated Responsibilities
The need for proper traceability does not go away, so whoever holds that information need not only be a traditional CA but can be another entity with similarly rigorous processes.
Some communities have an existing registration system that is very robust:
- PRACE: in-person links at the home sites
- XSEDE: NSF grant approval process
- wlcg: CERN Users Office and HR Database

Distributed Responsibilities I: Trusted Third Party

Distributed Responsibilities II: Collaborative Assurance & Traceability

IOTA in the EGI context
EGI by design supports loose and flexible user collaboration:
- 300+ communities
- Many established bottom-up with fairly light-weight processes
- Membership management policy* is deliberately light-weight
- Most VO managers rely on naming in credentials to enroll colleagues
Only a few VOs are special:
- LHC VOs: enrolment is based on the user's entry in a special (CERN-managed) HR database, based on a separate face-to-face vetting process and eligibility checks, including government photo ID + institutional attestations
- Only properly registered and active people can be listed in VOMS

Developing an assessment framework

The need for guidance

Assessment Matrix
- Mapping for PKIX/RFC 3647 is trivial
- How to apply our BIRCH/CEDAR guidance to community registries? https://wiki.eugridpma.org/main/assuranceassessment
- Relevant for COmanage & VOMS communities, but maybe wider?

Discussion!
BUILDING A GLOBAL TRUST FABRIC: Leveraging the IGTF registration network for research