PKI in Practice: The Ope


Michael Fenn
CPSC 620, Fall 09

Grid computing is the process of allowing loosely-coupled virtual organizations to share resources over a wide area network.
(Foster, Kesselman and Tuecke, The Anatomy of the Grid: Enabling Scalable Virtual Organizations 2001)

What does this mean?
◦ I’m at Prestigious University
◦ I have some jobs
◦ I want to run them
◦ Well-known State University has idling computers
◦ Grid computing lets me get my jobs there

My usage is bursty
◦ Big paper deadline
◦ End of semester
◦ Etc.

Their usage is bursty
Our bursts don’t coincide
Let’s share
(Armbrust, et al. 2009)


Many grids, let’s pick one
2 realities
◦ Loosely federated Virtual Organizations (VOs)
◦ Loosely federated sites

2 elements of security
◦ Public Key Infrastructure (PKI)
◦ Web of trust model

A group of users who share a “common
interest”
◦ Definition of “common interest” is flexible

Examples:
◦ High-energy physicists: ATLAS, STAR, CMS, Alice
◦ Bioinformatics: CompBioGrid
◦ Nanotechnology: Nanohub
◦ Just learning: Engagement, OSG-EDU


Sites are collections of resources
Compute Elements
◦ Globus gatekeeper for authentication
◦ Batch scheduler (PBS, Condor) for getting jobs to compute nodes
◦ Monitoring and accounting to keep the higher-ups happy

Storage Elements
◦ Storage Resource Manager (SRM) for authentication
◦ Big bit bucket for storage
◦ Monitoring and accounting here too





Public-key infrastructure
Users are affiliated with VOs
VOs issue certificates
Sites trust certificates issued by particular VOs
Confidentiality and Integrity are maintained

Sites choose which VOs to trust
Resources also have certificates
◦ Users can be confident that the resource is what it claims to be

Sites generally trust the VO that issued their cert
◦ This is not required however!


3 main types:
VO-User trust
◦ VOs establish criteria for membership

Site-VO trust
◦ Factors in deciding whom to trust
  ▪ VO requirements
  ▪ Trust reciprocity

OSG-VO trust
◦ OSG maintains a list of trusted VOs
◦ Trusted VOs have their CA certificates included in the OSG software distribution


Users have been “accredited” by a VO
If things do go wrong, I have his cert
◦ I know his name
◦ I know who vouched for him

VOs have incentive to maintain well-behaved membership
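The trust model of the preceding slides (VOs act as certificate authorities, each site decides which VO CAs go into its trust store, resources carry certificates too, and a misbehaving user's cert still names them and who vouched for them) is worked through below as an added Python example using the `cryptography` library. It is not code from the talk or from the OSG software; the VO names, the user names, the hostname gatekeeper.example.edu and the in-memory dictionary standing in for a site's installed CA certificates are all constructed for the example.

```python
"""Added example: a toy version of the OSG trust model.
VOs act as certificate authorities, a site keeps a trust store of the VO CA
certificates it has decided to trust, and every presented certificate
(user or resource) is accepted only if a trusted VO CA actually signed it."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def issue_cert(subject_cn, issuer_cn, issuer_key, subject_key, is_ca, not_before, not_after):
    """Build and sign an X.509 cert. issuer_cn is only what the signer *claims*;
    verification below checks whether issuer_key really belongs to that name."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name(subject_cn))
        .issuer_name(name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def validity_window(cert):
    """Return (not_before, not_after) as timezone-aware UTC datetimes.
    cryptography >= 42 exposes *_utc properties; older releases only the naive ones."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def verify_against_site_trust_store(cert, trust_store, now=None):
    """Site-side check. trust_store maps a VO CA subject name -> its certificate
    (the in-memory stand-in for the CA certs shipped with the OSG software).
    Returns (accepted, reason)."""
    now = now or datetime.now(timezone.utc)
    ca = trust_store.get(cert.issuer.rfc4514_string())
    if ca is None:
        return False, "issuer VO is not trusted by this site"
    try:
        # Only the VO CA's private key produces a signature its public key accepts,
        # so a cert that merely *names* a trusted VO as issuer is caught here.
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify under the VO CA key"
    not_before, not_after = validity_window(cert)
    if not not_before <= now <= not_after:
        return False, "certificate outside its validity window"
    return True, "ok"


def accountability_record(cert):
    """What a site admin can read off a misbehaving user's cert: the name and who vouched."""
    return {"name": cert.subject.rfc4514_string(),
            "vouched_by": cert.issuer.rfc4514_string(),
            "serial": cert.serial_number}


def demo():
    """Constructed scenario: one VO this site trusts, one VO it never chose to trust."""
    now = datetime.now(timezone.utc)
    good = (now - timedelta(days=1), now + timedelta(days=365))
    atlas_key, other_key, user_key, host_key = (make_key() for _ in range(4))
    atlas_ca = issue_cert("ATLAS VO CA", "ATLAS VO CA", atlas_key, atlas_key, True, *good)
    # Site policy: trust the ATLAS VO only ("Other VO CA" exists but is not added).
    trust_store = {atlas_ca.subject.rfc4514_string(): atlas_ca}
    certs = {
        "atlas_user": issue_cert("alice", "ATLAS VO CA", atlas_key, user_key, False, *good),
        # Resource certificate: users verify the gatekeeper the same way the site verifies them.
        "gatekeeper": issue_cert("gatekeeper.example.edu", "ATLAS VO CA", atlas_key, host_key, False, *good),
        "other_vo_user": issue_cert("bob", "Other VO CA", other_key, user_key, False, *good),
        # Names ATLAS as issuer but was signed with the other VO's key.
        "forged": issue_cert("mallory", "ATLAS VO CA", other_key, user_key, False, *good),
        "expired": issue_cert("alice", "ATLAS VO CA", atlas_key, user_key, False,
                              now - timedelta(days=30), now - timedelta(days=1)),
    }
    results = {k: verify_against_site_trust_store(c, trust_store, now) for k, c in certs.items()}
    return results, certs


if __name__ == "__main__":
    results, certs = demo()
    for label, (ok, reason) in results.items():
        print(f"{label:14s} accepted={ok} ({reason})")
    print("accountability:", accountability_record(certs["atlas_user"]))
```

The check keys the trust store by the VO CA's subject name and then verifies the signature with that CA's public key, which is why a certificate that only claims a trusted issuer is rejected alongside one from an untrusted VO. A real site would also check revocation and use a full chain validator; the example keeps only the steps the slides describe.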

OSG runs securely due to:
◦ PKI
◦ Web of trust

Flexible and scalable
◦ I don’t have to make a UNIX user account for everybody

Users are still accountable

Thank you for listening!