Nice to meet you, authentically
We all know that authentication is a must when using grid resources but how much do we really know about it? Jens Jensen from the UK's Science and Technologies Facilities Council Rutherford Appleton Laboratory (STFC RAL) explains, using as a case history his own experience in working as part of that country's Certificate Authority - one of the largest in the world.
If you have ever used the grid, then you know that you "shake hands" with a resource using a certificate - a "digital passport" which identifies you to the resource. In turn, the resource also sends a certificate of its own to you (but which you will most likely see only if something goes wrong).
When you access any valuable resource, whether it's the grid or your bank account, you log in. This is partly to protect your own information, so others don't gain access to it when they shouldn't. It is also so the resource provider - such as the UK's National Grid Service (NGS) for example, or your bank - knows who you are. The resources are there for you, so the resource provider needs to know that you are accessing it and not someone else.
In the case of the NGS, authentication also helps us with reporting back to our funders because we can report usage to them with a clear picture of what individual users do. Think of authentication as helping to keep the service available for you.
Finally, we need to be able to contact you. This is partly to ensure that if you break the acceptable use policy, someone can ask you not to; if somebody steals your credentials, we can contact you.
Most "abuse," however, is unintentional. Say your grid job runs amok and uses up your entire CPU or storage allocation without you knowing it. We need to tell you when something goes wrong with your calculation - you know you want us to!
So how do I authenticate?
Traditionally, every user has accessed the grid with a certificate. This approach is widely used on the grid because it scales much better geographically than passwords. It offers better security, because it combines something you have (the certificate) with something you know (the password protecting the key), just like your bank card.
Certificates are sometimes difficult to handle, though: They are usually requested with browsers, often have to be exported, converted using what seems like arcane magic, copied to other locations, and so on. It makes sense to improve this process. If you have ever been frustrated by this process, look forward to trying out the new CertWizard, which is part of a major modernization of the UK e-Science Certification Authority (CA), scheduled to be implemented over the year. Some other grid certificate authorities are working with related technologies, including Canada, NorduGrid, and DutchGrid; the grid certificate authorities have a good track record of sharing experiences with one another, and are now taking steps to try to share experiences between developers as well.
Authentication - The Big Picture
You know that CAs issue certificates to people using grids, but you may be surprised to learn that they contribute to many other activities.
The most important of these is trust: It is important that the CA be trusted internationally, otherwise you could not use your certificate outside yoru own country. The equivalent would be a passport that you could use only inside your own country - useful for some things, but much less so than an international passport.
We also help other countries join the global certificate infrastructure with their new certificate authorities of their own - the idea is to have one CA per country or per large region. This is no simple task, because grids are peculiar in many ways, and certificates from a commercial CA cannot always be used.
CAs from new countries go, as we did, through a review process to assess whether their policies and operations meet the required standards. The UK CA has been instrumental in this process for many countries all over the world. Associated with this is the re-review process, where CAs are re-assessed every now and then.
The UK e-Science CA is an important contributor to this process, be it reviews or other support for new countries, documenting policies and processes, expanding trust, or furthering understanding of the foundations - contributions supported by both NGS and GridPP. So, although CertWizard is built specifically for the UK by the NGS, we hope other countries will eventually find it useful and adapt it for their own use, or even contribute to its development.
Formally, each grid CA is a member of a Policy Management Authority, or PMA, a body whose main responsibilities include the accreditation and review of national CAs, as well as the management of so-called authentication profiles - policies for creating and managing certificates which are "good enough" to be used internationally. These are the profiles which require you to manage your own private keys, and to bring photo id to someone, to get a certificate. Ultimately, the grids and the resources decide what is "good enough;" the bar is intentionally set relatively high because the certificates must be accepted all over the world, just like passports. The PMAs then mediate and establish trust between the international grids and all the national CAs, with the national grids being represented via their own CAs.
Interestingly, the grid is never static, and a vast range of often highly technical topics are hotly debated by members in regular PMA meetings, such as the practices of a new CA, changes to profiles and the impact of changing policies, current and proposed new practices, changes in technology, and much more.
There are three such PMAs in the world; one for the "extended EU" (covering the EU but reaching to Pakistan in the East, Canada in the West, and soon South Africa in the South). The other two cover Asia-Pacific and the Americas (North and South). The EU PMA is the oldest, arising from an EU DataGrid working group, so it historically covers somewhat more than just the EU.
The PMAs are formally united in the International Grid Trust Federation, or IGTF. The IGTF is in a sense independent, but its home is in the Open Grid Forum, (OGF). In total, the IGTF has about some 70-80 member CAs.
The US has a lot of members because it started doing certificates before the grids, so it has a lot of infrastructure which cannot be accommodated with a national CA. This is the exception, though.The grid infrastructure, both technically and procedurally, does not scale beyond one CA per country.
In summary, the grid CAs enable grid users to work together and identify themselves to each other and to resources across the world. They help foster trust and collaboration internationally, promoting the best use of resources. Like the grid, the global trust infrastructure is not static, and although the requirements for getting certificates are essentially set by resource policies, we are always looking for ways to improve usability without compromising security. The CertWizard is still in development, but it already manages MyProxy credentials, and we expect it to become users' essential tool for credential management.
-Jens Jensen, STFC RAL. A version of this story previously ran in NGS News, excerpted with permission.