ResourceTrustEvolution (2023-07-01, MaartenLitmaath)
---+!! WLCG Resource Trust Evolution Task Force

%TOC%

---+ Introduction

For many years, authentication in WLCG and related infrastructures and projects has relied on __trust anchors__ vouched for by [[https://www.igtf.net/][IGTF]], the Interoperable Global Trust Federation. For practical reasons, those anchors covered both users and resources, which has served us nicely for many years. However, as the use of client-side X509 certificates is cumbersome for users, preparations are being made for users to be able to switch to more modern and convenient authentication mechanisms that are gradually being adopted in academia and industry: federated identities and tokens.

On the other hand, identity federation does not address a number of key server-side use cases, and the continued use of X509 certificates to authenticate _resources_ is in line with common practice. However, the IGTF portfolio of trusted certificate authorities (CAs) does not include several CAs that have become popular for various reasons and are trusted by browsers. Particular examples are [[https://letsencrypt.org/][Let's Encrypt]] and the CAs that come with commercial cloud providers. While such CAs have not been part of the IGTF bundle as they would not match existing security and assurance profiles, there is the perception of a gap widening between our traditional best practices and what is happening elsewhere in the digital world.

As the __trust__ between parties ultimately underlies all WLCG activities, opting for extra convenience and practical benefits must not be done in a way that is detrimental to the trust, security and collaboration between parties. The relevant aspects between the various stakeholders as well as the impact on the trust model need to be discussed, in order to fully understand how we can advance together: experiments, sites, infrastructures, identity management, operations, security.

Another important consideration is that most WLCG sites need to support other, separate, communities, on the same resources, usually through the same middleware. A change implemented for WLCG may thus affect other customers as well.

The goal of this task force is to bring all stakeholders together to build consensus on the way forward. A short-term objective would be to see which CAs, if any, could be added to the portfolio and for which purposes. A possibly longer-term objective would be to see how cloud resources and workflows can be integrated such that the benefits greatly outweigh the additional risks.

---+ Communication

   * Mailing list: =wlcg-resource-trust-evolution= (at =cern.ch=)
      * You can contact =wlcg-resource-trust-evolution-admin= (at =cern.ch=) if you do not manage to subscribe.
   * Meetings: [[https://indico.cern.ch/category/68/][Security Group]] category
      * [[https://indico.cern.ch/event/1298419/][June 29, 2023]] - how to integrate cloud storage resources

---+ Documentation

   * [[https://indico.cern.ch/event/1225109/#4-status-of-the-resource-trust][GDB presentation]], 8 Feb 2023
   * [[https://indico.cern.ch/event/1096032/#3-resource-trust-evolution-tf][GDB presentation]], 13 July 2022
   * [[https://indico.cern.ch/event/1078853/contributions/4580733/][HEPiX Autumn presentation]], 28 October 2021
   * [[https://indico.egi.eu/event/5464/contributions/15727/][EGI Conference presentation]], 20 October 2021
   * [[https://indico.cern.ch/event/958640/#8-update-on-authn][MB presentation]], 14 September 2021
   * [[https://indico.cern.ch/event/876793/#6-evolution-of-cas-for-wlcg-op][GDB presentation]], 8 September 2021
Topic revision: r10 - 2023-07-01 - MaartenLitmaath