Middleware Security Group Meeting

Europe/Zurich
The Royal Institute of Technology (KTH), Stockholm


Bob Cowles, Ake Edlund
Description
Goal with meeting: Update on current global security architecture work. Discuss future global security architecture work.
Before starting, the people attending will decide which topic to start on, and whether some could be combined or added; then we'll see where it leads. There will be space for some topics on day two as well. Some topics will not be discussed at the meeting, but left for later. See attached MWSG12_List_of_Topics.txt
Meeting room: Lindstedtsvagen 5, Ground floor, Room D34
Hotels close to KTH: http://zope.pdc.kth.se/pdc/about/hotels/view
Dinner on 12/6, at 19.00 at www.akkurat.se
Attendance list
List of Topics
    • 09:00 10:00
      Security Topic 1 - Make the grid more accessible without substantially increasing the risk (Bob Cowles)

      "Owner": Bob Cowles
      Minutes: Mike Helm

      To discuss: The importance of Security and Policy on the one hand and,
      on the other, the observation that the average (potential) user of the
      grid finds the security model very difficult. Somehow we have to make
      use of the grid more accessible without substantially increasing the
      risk - to the user and to the resource providers.
      Web SSO? Other?

    • 10:00 10:15
      Coffee break 15m KTH


    • 10:15 11:45
      Security Topic 2 - TLS-AuthZ - description, status, legal (Simon Josefsson)

      "Owner": Simon Josefsson
      Minutes: Bob Cowles

      Presentations:
      "TLS-AUTHZ is a protocol to convey authorization information over TLS
      channels. It supports both X.509 Attribute Certificates and SAML
      Assertions for the authorization. I'll explain the protocol and what it
      may be used for, and highlight a related patent that you should be aware
      of if you consider using this.
      http://www.ietf.org/internet-drafts/draft-housley-tls-authz-extns-07.txt"

      slides
    • 11:45 13:00
      Lunch 1h 15m KTH


    • 13:00 13:15
      Check point - how are we doing?

      Short summary of progress. New topics decided during lunch.

      Summary: The group decided to continue in this fashion.

    • 13:15 14:20
      Security Topic 3 - AuthZ interoperability (Gabriele Garzoglio)

      "Owner": Gabriele Garzoglio
      Minutes: Bob Cowles and Oscar Koeroo

      Presentations: 20 min presentation, 1 hr discussion:
      1) time constraints from EGEE and OSG for the release of an alpha/beta globus library. Two features are key in order to begin testing:
      -- support for parsing/manipulating obligations
      -- availability of a C library to write client software
      2) what features of the C library are essential to write client software

      slides
      Minutes from Bob Cowles
      ------------------------------
      Topic 6: AuthZ interoperability. "Owner": Gabriele Garzoglio. Presentations: 20 min presentation, 1 hr discussion (agenda as above; see slides).
      - Oscar -- gLite 3.1 will have GT4 internally as the default. That's why 3.1 is taking so long.
      - "Authorization tickets" is based on a use case from UVA (Yuri). Use case is for things like advanced reservation services.
      - Server side - Is Java enough? Client side: must support C.
      - What are the EGEE time constraints? Need to be able to link against C and Java. What are the specific library calls that are needed (all or a subset)?
      - Vinc - have you tried linking with GPBox? It converts what you want into XACML.
      - Oscar - time constraint - we don't know - somewhere during the summer period would be nice.
      - Gab - alpha version could be ready by the end of July.
      - Oscar - there are still discussions going on about where to place certain elements ... in the SAML part or the XACML part. Pros and cons for each alternative.
      - Oscar - would like to have the same name for the obligation identifier.
      - Gab - Client software is authorization callouts.
      - Vinc - take a look at the GPBox libraries - they do all you have discussed.
      - Gab/V - Question about using suspension - not implemented anywhere.
      - Andrew - propose limited proxies that can only be used at a particular site - the RB limits the site at which a delegated proxy can be used -- so if a gatekeeper, for instance, is compromised then the proxies can't be used at other sites.
      - Bob - CAs are a very slow way of cutting off someone's access.
      - Mike - OSG is very resistant to revoking certificates -- it is a very serious operation and creates a lot of work.
      - Gab - This means we do have a need for site-level white-list/black-list like SAZ.

      Summary
      - Time constraints are to have something by the end of the summer.
      - For the C library, we want the ability to manipulate obligations.
      - For the C library - tie manipulations with handlers? The idea is having a framework that calls a code handler for a given obligation name. After the discussion, it turns out that this is something important.
      - Ake - up to JohnW to put people's names on a timeline?
      - Oscar - yes ... once we know the schedule of the code from OSG.
      - Ake/Oscar - early July to formalize the working group (OSG, Globus, EGEE) and discuss the schedule for releasing things.
      - Will discuss with JohnW next week.
      The request to work on this was approved.

      Minutes from Oscar Koeroo
      --------------------------------
      - Initiative: OSG, EGEE, Globus.
      - Plugin at authz layer (each has another solution now) is a problem (like the dCache issue).
      - Globus was looking for use cases for AuthZ call-out infrastructure for GT4.
      - EGEE -> LCMAPS as network service.
      - Ian: what's the use of the user getting the VOMS proxy?
      - Ian: define {slide 8, arrow 3} the sync. Answer (Gab/Oscar): The data in the line are the DNs and the VOMS database group/role as is in the VO's database.
      - ChrisW: GT == GT4? gLite 3.1 moves to GT4.
      - Library from Globus is requested to be separate from the general Globus Toolkit (meaning not bound to GT4 specifically).
      - Why use tickets? Use case? -> Advanced reservation.
      - Server-side: is Java enough? -> (EGEE) No, need support for C somehow.
      - Vincenzo: Should not matter which language.
      - Vincenzo: GPbox might solve the XACML parsing. Engine is accessible from Java and C already.
      - EGEE time constraint: (EGEE) summer period, August.
      - Standardization needs to finish on multiple levels:
        - where to put information (like in the SAML or XACML environment description)
        - obligation name/id synchronization between OSG and EGEE -> Unix UID and GID use the same identifier
      - What do we need to declare it alpha version? -> handling/parsing of the information.
      - Which group of Globus is involved: Globus security team members.
      - Side track idea: targeting a proxy to be only usable on one site, limiting damage.
      - EGEE work plan: somewhere in August we can pick up the alpha version and start implementing the code around the library.
      Planning:
      - June: formalize the working group
      - July: Discuss and agree on the schedule
      - July/August: Evaluate alpha
    • 14:20 14:45
      Coffee break 25m KTH


    • 14:45 15:30
      Security Topic 4 - Shib in gLite, phase 3 (SAML) (Christoph Witzig)

      "Owner": Christoph Witzig
      Minutes:

      Presentations:
      - Shib in gLite, phase 3 (SAML) - Christoph Witzig

      slides
    • 15:30 16:00
      Presentation - Grid access toolkit for MS Windows (Daniel Kouril)

      We are putting together a "grid access toolkit for MS Windows" containing basic Windows tools that are necessary to access grid UI machines (i.e. management of proxy certificates and gsi-enabled ssh/scp clients).

      slides
    • 19:00 22:00
      Dinner 3h KTH


      www.akkurat.se (please contact Ake for a reservation)

  • Wednesday, 13 June
    • 09:00 10:00
      Presentation - VOMS Usage in various MW (Oscar Koeroo)

      We've written a small doc that explains the problems around the interpretation of VOMS attributes in the production field.

      slides
    • 10:00 10:15
      Coffee break 15m KTH


    • 10:15 11:50
      Presentation - Guidelines for VOMS Usage (Vincenzo Ciaschini)

      Relations among FQANs and suggestions for expressing sets.
      Given the recent confusion on what FQANs and attributes really mean, I intend to give a clarification and examples on this.

      slides
      slides
      Minutes by Bob Cowles
      Use of VOMS attributes: semantics and suggestions

      GROUPS
      - Group attributes represent organizational structure - hierarchical - subgroup membership implies group membership.
      - Groups are not deniable - all group info is always returned.
      - Returned in no particular order except that the root group is returned first; user can specify order.

      ROLES
      - Unstructured.
      - Granted in context of groups - no freestanding roles.
      - Must be explicitly requested.

      FQAN
      - Compact way of representing groups or roles.
      - Will drop Role=NULL ... wants confirmation that it's all OK.
      - Discussion of what happens when there are multiple ACs in a chain and when a single proxy has multiple ACs.
      - Gab - OSG's Java implementation and C implementation return different ACs.
      - Having multiple ACs on a single proxy is not supported. If you do voms-proxy-init multiple times, the newest AC gets stuck on the "top" of the previous one. [but in the data structure it might be at the end]
      - Comment from Vincenzo: "this latest part is unclear as said. In the data structure returned by the APIs, only the ACs in the latest proxies are returned. No way to access previous ones. In the certificate structure, in the order returned by OpenSSL the search must happen from the top of the stack."
      - Doc is "VOMS Attribute Certificate Profile" in the OGSA-AuthZ group of OGF.

      GENERAL ATTRIBUTES
      - Associated to users; groups; groups and roles.
      - Comments by Vincenzo: "This should be: Associated only to users. However, as a shortcut, membership in group or ownership of roles may grant extra attributes to (directly) the users"
      - Advantage is they are not hierarchical.
      - Shib will certainly use these attributes - they use the OID in the name to guarantee uniqueness.
      - Comments by Vincenzo: "Already implemented. (assertors and groups) See the OGSA-Authz doc for details."
      - Need to have some registration or some way of preventing ambiguous meanings and for specifying who is asserting the attribute.
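The group/role/FQAN semantics recorded in the minutes above are the kind of thing an authorization callout gets subtly wrong (treating a role in a subgroup as a role in the parent, or failing to normalise Role=NULL so two equivalent FQANs do not match). The following is an added example, not code from the meeting or from the VOMS project: a small FQAN parser and matcher that implements exactly the rules stated above (hierarchical groups with implied ancestor membership, roles bound to their group and never inherited, Role=NULL dropped). The handling of the Capability qualifier (accepted and ignored), the VO name /exampleVO and all group and role names are assumptions and constructed samples.

```python
"""FQAN parsing and matching under the VOMS semantics noted in the minutes.

Added example, not code from the meeting or from the VOMS project.
Rules implemented, as the minutes state them:
  * groups are hierarchical: membership in a subgroup implies membership
    in every ancestor group;
  * roles are granted only in the context of a group, are never implied
    and must match the policy's group and role exactly;
  * a trailing Role=NULL carries no information and is normalised away.
The "Capability=..." qualifier (accepted and ignored) and every VO, group
and role name below are assumptions / constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class FQAN:
    group: str             # e.g. "/exampleVO/analysis"
    role: Optional[str]    # e.g. "production"; None when absent or Role=NULL


def parse_fqan(text: str) -> FQAN:
    """Parse "/vo/grp[/Role=r][/Capability=c]" into its group and role.

    Raises ValueError on anything malformed, so a policy engine never
    silently treats a garbled string as a (non-)match.
    """
    text = text.strip()
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    group_parts: list[str] = []
    role: Optional[str] = None
    seen_capability = False
    for part in text.split("/")[1:]:          # drop the empty leading element
        if part.startswith("Role="):
            if role is not None or seen_capability:
                raise ValueError(f"misplaced Role= in {text!r}")
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            seen_capability = True            # assumed legacy qualifier; ignored
        elif role is None and not seen_capability:
            if part == "" or "=" in part:
                raise ValueError(f"bad group component {part!r} in {text!r}")
            group_parts.append(part)
        else:
            raise ValueError(f"group component after Role/Capability in {text!r}")
    if not group_parts:
        raise ValueError(f"FQAN has no group: {text!r}")
    if role in ("", "NULL"):                  # Role=NULL is the "no role" marker
        role = None
    return FQAN("/" + "/".join(group_parts), role)


def canonical(text: str) -> str:
    """Normalised string form: "/vo/grp" or "/vo/grp/Role=r"."""
    f = parse_fqan(text)
    return f.group if f.role is None else f"{f.group}/Role={f.role}"


def is_valid_fqan(text: str) -> bool:
    try:
        parse_fqan(text)
        return True
    except ValueError:
        return False


def implied_groups(group: str) -> list[str]:
    """"/vo/a/b" -> ["/vo/a/b", "/vo/a", "/vo"]: the group and its ancestors."""
    comps = group.split("/")[1:]
    return ["/" + "/".join(comps[:i]) for i in range(len(comps), 0, -1)]


def held_groups(held: Iterable[str]) -> set[str]:
    """Every group the holder belongs to, including implied ancestors.
    A role FQAN also proves membership of the group it was granted in."""
    groups: set[str] = set()
    for h in held:
        groups.update(implied_groups(parse_fqan(h).group))
    return groups


def satisfies(held: Iterable[str], required: str) -> bool:
    """Does the set of FQANs from one VOMS AC satisfy a policy FQAN?"""
    held = list(held)
    req = parse_fqan(required)
    if req.role is None:
        # group requirement: direct or ancestor membership suffices
        return req.group in held_groups(held)
    # role requirement: exact group and exact role, nothing inherited
    return any(h.group == req.group and h.role == req.role
               for h in map(parse_fqan, held))


if __name__ == "__main__":
    # Constructed sample: FQANs as they might appear in one user's VOMS AC.
    ac = ["/exampleVO/analysis/higgs/Role=NULL/Capability=NULL",
          "/exampleVO/Role=production"]
    for policy in ("/exampleVO", "/exampleVO/analysis", "/exampleVO/storage",
                   "/exampleVO/Role=production",
                   "/exampleVO/analysis/Role=production"):
        print(f"{policy:40} -> {satisfies(ac, policy)}")
```

The point of `satisfies` is the asymmetry: a policy naming only a group is met by membership anywhere below it, while a policy naming a Role is met only by that role in that exact group, which is why the constructed AC above passes `/exampleVO/Role=production` but fails `/exampleVO/analysis/Role=production`.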
    • 11:50 13:05
      Lunch 1h 15m KTH


    • 13:05 13:55
      Security Topic 5 - Interoperability in OMII (Morris Riedel, Vincenzo Ciaschini)
      • Interoperability in OMII-Europe using the new standard-compliant
        SAML-based VOMS server - Morris Riedel/Vincenzo/Valerio [This talk
        will discuss how gLite and UNICORE use the SAML standard used by VOMS
        to handle attribute-based authz.]
      slides
      Minutes by Gabriele Garzoglio

      * Vincenzo Ciaschini: SAML-based VOMS
      - Subject of AttributeQuery must match the issuer. This way one can only request his own credentials. We are currently discussing whether we should let users get credentials for other users.
      - The VOMS response is a SAML assertion. Condition element is used to specify duration. Attribute element contains FQAN and GA.
      - The service runs as Tomcat 5.5.
      - Today, to gain the info about a user, one must be able to authenticate as the user. However, we are integrating trustmanager to allow the interaction with services, if they have the user Proxies.
      - Where are the SAML assertions put? ACs are inserted into a user Proxy. We do the same with SAML assertions. Alternatives considered: adding the assertion to WS-Security via SOAP.
      - Issue: Naming of the attributes. They are not finalized yet. Will write doc to explain the syntax and synchronize with other people's attributes (NAREGI, etc.).
      - Problem with the protocol of attribute assignment: conflict between what SAML specifies and the requirement of making the content consistent with AC. Details: when writing an attribute query, one can ask for single attributes. When this is done, the SAML protocol says that the assertion must contain only a subset of the attributes in the query, but NOT extra attributes. Membership in groups may be denied if one requests only an attribute. Planning to solve this returning an empty assertion OR ...

      ---

      * Morris Riedel: Usage of VOMS SAML
      - OMII-Europe: working on interoperability via standards. Working in the context of JRA1 and 3. VOMS is one of the security profiles identified for interoperability.
      - A drawback of VOMS was that it required the gLite infrastructure for building and running. Also, VOMS didn't really work with UNICORE.
      - Advantages now: WS-Clients can use SAML XSD schemas to access VOMS. Also, now working without gLite...
      - Vincenzo: not completely true: still need admin interface to interact with the db. We could re-engineer VOMS admin.
      - Oscar: are you sure you want to do it? Today it's easy to install, configure and use.
      - Vincenzo: otherwise you can fill in the db schema by hand: it's easy enough. The only drawbacks are - voms-admin masks possible schema changes - voms-admin also checks consistency of the db information.
      - Vincenzo comment: "Apparently this did not come out correctly. The intent here was to express exactly the opposite. Working directly with the DB is not simple and it is unsupported. If you do it, you are on your own when something breaks. Also, there is no plan in the JRA1 VOM OMII activity to rewrite voms-admin."
      - We use test infrastructures to try interoperability scenarios. SAML-based VOMS is not gLite-specific anymore. VOMS is self-contained... (except the voms-admin i.e. 1 rpm).
      - Test scenario: UNICORE 6 supporting SAML-based VOMS. Demonstrated at OGF-20 in Manchester. CREAM also supports SAML assertions.
      - PDP problem: VOMS is a PIP: now that we have the SAML assertion, how do we use it? Background: UNICORE 6 is based on XACML policies. We don't use the user proxies: using WS security extensions. Solution: SAML assertions are used in conjunction with the XACML DB to provide fine-grained access to resources. Other approaches: GP-BOX. We still need to do this with CREAM, etc. It is a good base for interoperability and role-based access to resources.
      - Christoph: assertion is signed by VOMS server, but is it encrypted? Vincenzo: No.
      - Example at the blackboard:
          <soapheader saml:...> </soapheader>
          <soapbody> OGSABES JSDL </soapbody>
        In the backend there must be policies for OGSABES, etc. This whole mechanism is basically working.
      - What are the benefits? Why do we do this? The WISDOM project is a use case of where this is useful. The output of the project is a list of chemical components, potential drugs. The output must be refined. The initial grid can be done on the grid, then the refining is done optimally on supercomputing. Having interoperability of the grid and supercomputers (DEISA) is key to enable this.
      - Possible next steps: delegation mechanisms with SAML. Contact Morris Riedel or Vincenzo for pointers to documentation. Call for papers: IGIIW @ e-Science 2007.
      - Question - Ian: when you define the encoding of groups, roles etc., how do you define how these structures are interpreted at the resource? Vincenzo: the intended basic semantics is documented. We'll write new versions of documentation to clarify unclear points, using your input. Oscar: the doc does not explain how the attributes are used. Vincenzo: we'll write about this and send it around for comments.
    • 13:55 14:35
      Presentation - GridSite update (Andrew McNab)

      Will cover some changes to the internal representation of credentials in GridSite. Related to Vincenzo's presentation (see above).

      slides
      Minutes by Gerben Venekamp
      -----
      GridSite by Andrew McNab

      slide: Attribute URIs
      (Vincenzo) Are wildcards supported everywhere? (Andrew) No, only for dns: and ip:. All others are opaque strings, matched exactly.

      slide: People think that gridmaps are there for legacy reasons now that we have VOMS. However it is quite convenient to pull lists of DNs to define groups for people accessing web sites.

      slide: (Vincenzo) If you are down nine levels of delegations it results in an error. This is within OpenSSL and one needs to change one line of code to change this behaviour.

      slide: Level of Assurance
      (Mike Helm) Missed the meaning of LoA, it might be different from what you think. People attempt to map to other LoA and LoA rules are complex. NIST had different people in mind and therefore we would not qualify for any level other than level 1. US people do not like verification. The level of Assurance we provide is never going to match the LoF. We have defined our own LoA rules, hence we are stuck at level 1, perhaps level 2. Some of the rules of LoA are discussed/mentioned. Before being admitted to a level there is a whole set of requirements to be met and a lot of these requirements are not done. So, even if you are using hardware tokens you do not qualify for level 4.
      (Mike Helm) Is LoA interesting to grids? It is for sysadmins.
      (Dave) I used to think it was interesting, now I'm not sure anymore. Aren't we introducing just more complexity?
      (Andrew) If you are level 2 it becomes tempting to become level 3. On the other hand a CA can also say this is a list of what steps we take and let software/user pick what they want to use.

      slide: SlashGrid
      (Oscar) Can you optimize it by using GridFTP instead of HTTP(S)? (Andrew) It is about the same speed for large files. (See Andrew's EGEE User Forum talk for graphs.) It is WebDAV-like. You get an AFS-like file system, but without the complexity. You can do fopen(), mmap(), trunc() etc. on it.

      Slide: Summary
      (Mike Helm) It is very interesting and useful to support OpenID. GridSite gives you a one time cookie with a pass code. Can be used for OpenID or Shibboleth. It is not clear whether or how to do this for web services.
      (Mike Helm) How much is available today from GridSite? (Andrew) Everything is available in CVS as part of 1.5.x (development). Some parts were already in 1.4.x (stable). 1.6.0 (stable) is imminent - dependent on getting ETICS config sorted out now.
      (Joni) Are generic attributes supported? (Andrew) We should extend the FQAN document to include generic attributes.

      ----
      Appendix: Below was sent from Bob, wrt LoA definitions.
      http://www.itl.nist.gov/lab/bulletns/bltnaug04.htm (full text)

      ELECTRONIC AUTHENTICATION: GUIDANCE FOR SELECTING SECURE TECHNIQUES
      Shirley Radack, Editor
      Computer Security Division
      Information Technology Laboratory
      National Institute of Standards and Technology

      Our citizens and businesses benefit when they can easily access convenient electronic services provided by federal agencies via the Internet. To assure the security of these electronic services, agencies often need a process for verifying the identity of the remote users of their information systems. The process of electronic authentication (e-authentication) can be securely implemented using currently available techniques that give the information system provider a level of assurance about the user's identity.

      In December 2003, the Office of Management and Budget (OMB) issued Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, to help federal agencies provide secure electronic services that protect individual privacy. The memorandum advises agencies to review their electronic transactions, determine which transactions require e-authentication, and provide an appropriate level of assurance for those transactions that require authentication.

      M-04-04 describes four levels of identity assurance and calls on the National Institute of Standards and Technology (NIST) to develop technical guidance for agencies to use for identifying the appropriate authentication technologies that meet their requirements.
    • 14:35 15:35
      Presentation - glexec/lcas/lcmaps (Oscar Koeroo, Gerben Venekamp)

      Topics on our list:
      - GT4 interface;
      - developments between OSG and Globus in relation to the central service;
      - we have started to take a good look at our own code to harden it;
      - end of support for EDG-LCAS and EDG-LCMAPS;
      - current status.
      - If anyone has a good suggestion or wants to know something about
      glexec/lcas/lcmaps, please let it be known and we'll whip up something
      delicious for you :-;

      slides
      Minutes by Gerben Venekamp
      slide 9: JIT update
      We want to be independent of GT4 in order to prevent vendor lock-in.
      Code hardening: (Dave) concern: is independent code reviewing thought of? The idea is well received.
    • 15:35 15:40
      Coffee break 5m KTH


    • 15:40 16:15
      Presentation - CRL distribution using L&B (Daniel Kouril)
      slides
      Minutes by Joni Hahkala
      -----------------------------
      Daniel Kouril, L&B CRL:
      - Bob: where do different parts of the state diagram happen?
        - submitted, waiting, ready on WMS broker
        - running on WN
        - scheduled on CE
      - Mike: I'm confused...
      - registered?
      - clients subscribe to notifications of CA or CRL updates
      - clients can subscribe and they can query updates
      - Mike: we could also push CRLs from the CA side to the service to avoid yet another poller.
      - Bob: how many LB services? - one per VO
      - the LB service is in the job id; the job id is a URL and contains the LB server address
      - is this a new way of using LB or was the LB modified for this? - current ones can be used for this
      - you're doing per VO, it can increase load on the CA - you can use one central one dedicated for this for all VOs
      - how does this differ from a local webcache? - webcaches fail all the time