Middleware Security Group Meeting

Europe/Zurich

Berkeley
Description
Logistics: http://www.es.net/hypertext/MWSG/logistics.html
Registration: http://www.es.net/hypertext/MWSG/registration.html
Agenda (Soon)
  • Thursday 6 December
    • Session 1: General security topics
      • 1
        Welcome, discussion of Agenda
        Speaker: Chairs (Bob C., C.Witzig)
      • 2
        Security Incidents and Countermeasures (was LCAS/LCMAPS concern)
        Speaker: Oscar Koeroo
        Slides
      • 3
        How to leverage an existing SSH-PKI for our ssl-based grid security middleware
        Speaker: Frank Siebenlist
        Slides
      • 4
        Proxy restriction
        Speaker: Joni Hahkala
        Slides
      • 10:15
        break
      • 5
        Pseudonymity Service - First Prototype Implementation
        Speaker: Henri Mikkonen
        Slides
      • 6
        End-to-end security
        Goal of the presentation: We want to draw attention to the problems the current trust model poses; i.e. the fact that all the middleware needs to be trusted. We will present our current view on how this could be changed, so that only the end points, i.e. the user and the execution machine, need to be trusted. We will have a proposal for a prototype implementation, and we would like to have a discussion with the other middleware developers.
        Speakers: Ian Aldermann, Igor Sfilioi
        Slides
      • 7
        Email break
    • lunch break
    • Session 2: Authorization

      Goals of the Authorization sessions:

      1. For end-to-end study:
        a) Presentation of ideas based on end-to-end authorization study for EGEE-III
        b) Input of OSG to these ideas
        c) Identification of possible problems

      2. For authZ interoperability:
        a) reviewing all fundamental areas of the work (even the ones settled and not discussed in several months) and reassuring ourselves that we are still on the same page everywhere
        b) discuss the scope and release schedule for the development work in OpenSAML 2. The goal is gathering enough information to update our plans. After the MWSG, we will need to carefully evaluate if these changes of scope and schedule make the joint project still cost effective.
        c) discuss communication channels w/ new development team and its management; discuss expectations for participation, response time, quality, etc.
        d) agree on the draft profile to be distributed by Chad on Nov 30 (note: this will be done in a smaller group in a parallel session on Thu morning and Fri afternoon)

      • 8
        Authorization end-to-end study
        Speaker: Christoph Witzig
        Slides
      • 15:00
        break
      • 9
        AuthZ Interop: Requirements, Plans and Milestones
        Speaker: Gabriele Garzogolio
        Slides
      • 10
        AuthZ Interop: A common XACML Profile and its current implementation
        Speaker: Oscar Koeroo
        Slides
      • 11
        AuthZ Interop: G-PBox and gJAF experience with the GT XACML library(Java version)
        Speaker: Hakon Sagehaug
        Slides
      • 12
        AuthZ Interop: GT XACML library implementation and future plans
        Speaker: Rachana Ananthakrishnan
        Slides
      • 13
        AuthZ Interop: Discussion
        Speaker: all
  • Friday 7 December
    • Session 3: Authorization continued
      • 14
        GP-Box: current role and future development
        Speaker: Alberto Forti
        Slides
      • 15
        Discussion on authorization service
        Speaker: all
        pictures
      • 10:15
        break
      • 16
        COmanage and GridGrouper
        Speaker: Tom Barton
        Slides
      • 17
        How virtual machine technology could make our client and server deployments more secure and resilient
        Speaker: Frank Siebenlist
        Slides
    • lunch break
    • Session 4: General security topics
      • 18
        CO-Manage and GridGrouper (cont)
        Speaker: Tom Barton
      • 19
        VOMS migration to openSSL
        Speaker: Andrea Ceccanti
        Slides
      • 20
        Security of VO schedulers
        Large VOs are deploying their own schedulers which interact directly with Worker Nodes. This raises the question of whether these schedulers should be considered part of the core middleware. The goal of this presentation is to find out whether the MWSG should investigate the security implications of VO-specific schedulers. If so, how should the group proceed? There was a long discussion of how to control connections between the worker nodes and the Internet. Christoph asked for reactions to some standardization of a sort of proxy facility that schedulers would go through to fetch jobs. Oscar dug up his slides from 2004 where he had proposed a facility for controlling connections to the Internet. Those slides are attached.
        Speaker: Christoph Witzig
        Slides
      • 21
        Proxy lifetime restrictions
        Speaker: Mine Altunay
      • 22
        Update on Security Token Service (STS)
        Speaker: Chad La Joie
      • 23
        Discussion, AOB