The security of the MyProxy service is of paramount importance to the MyProxy Team. Below we detail our efforts and procedures regarding MyProxy security.

Vulnerability Handling

As a Globus Toolkit project, the MyProxy Team participates in the Globus vulnerability handling process. Vulnerabilities may be reported via:
MyProxy security advisories are released via email to:

Please join one or both of these mailing lists to receive MyProxy security advisories.

Advisories

Independent Vulnerability Assessment

The Middleware Security and Testing (MIST) project performed an independent vulnerability assessment of the MyProxy software and found no major security vulnerabilities. The few issues found were minor and "did not compromise the certificates and their passphrases managed by MyProxy." The report credits the simplicity of the MyProxy system design and development model for the small number of issues that were found. For more details, see:

The MIST project also performed a vulnerability assessment of OAuth for MyProxy (version 1.0.5) and found no major security vulnerabilities. For more details, see:

IGTF Accreditation

The MyProxy CA meets the requirements of the Short Lived Credential Services X.509 Public Key Certification Authorities Profile of The Americas Grid Policy Management Authority, a member of the International Grid Trust Federation. The NCSA MyProxy CA, PSC MyProxy CA, NICS MyProxy CA, and NERSC Online CA have been accredited under the Profile.

Server Recommendations

Please choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.

Last modified 03/09/16.