Summary of Cross-Site Authentication and Authorization Panel Workshop for Operational Security at GGF12, Brussels

September 20th, 2004

The second session of the Workshop on Operational Grid Security at GGF12 was on cross-site authentication and authorization. The four panelists where:

The session chair, Von Welch from NCSA, requested that the panelist present a brief overview of the respective project and then focus on issues encountered and innovative solutions being applied.

Mike Helm presented the ESnet RADIUS Authentication Fabric project. This project is implenting the use of a hierarchical RADIUS fabric to provide identity federation between DOE laboratories, with ESnet providing a root to allowing routing of authentication requests and ease addition of new labs. This project is driven by the need to support one-time passwords in a coherent way between sites. He mentioned a number of issues still to be deal with, including reliability, application integration (PAM looks promising), name management, and concerns about the RADIUS protocol.

David Groep discussed the EUGrid PMA project which manages authentication guidelines for most of eurpean project minimum requirements in four areas: identity checking, physical security, naming, and revocation. David raised a number of issues during his presentation:

Yoshio Tanaka described experiences with the AP (Asian Pacific) GRID PMA. He described this project as a "grass-roots" organization, in which many members has little interest in security and are happy with running simpleCA without a CP/CPS and relying solely on reputation.

Rebekah Metz presented a summary of the Liberty Alliance project, a business-oriented project whose goals aree to proivde an open standard for federated identity management to allow for secure single sign-on. She raised the issues that legal issuea are major hurdles surrounding federation - what are the accountabilities and liabilities to all the parties involved?

Audience Discussion

One issue that was raised was the motivation for a CA to live up to high standards (or at least those promised in its CP/CPS). In a business climat, market forces would be the answer in an ideal world, but for most of the scientific Grids today, reputation is the prime motivator.

The importance of revocation was discussed at length. Different projects seem to address it to different degrees from ignoring it, to distributed CRLs which go largerly unused, to requiring CRL use. The issue was raised that there is no defnedable test today for whether a certificate has been compromised. The question was raised "Why not revoke on any suspicious on compromise?" Several responded that revocation has significant real-world costs in terms of personnel time and user dissatifaction, as well as the amount of erronuous information circulating during incidents. One audience member suggested that authorization was the appropriate route to deal with revocation due to the lack of relationship between CA and relying party.