Last updated: January 23 2007 10:40:53
Task 2.2 Certification authorities and Virtual Organizations  

This task will provide the basic building blocks for authentication and authorization (collectively called identity management) ensuring secure testbed operation. The authentication mechanisms of the grid middleware to be deployed in the Pilot Testbed will be based on public/private keys in compliance with the X.509 standard. This is called a certificate. A trusted internationally recognized party must issue each certificate. The recognition is necessary to enable the worldwide acceptance of certificates hence making them usable in other grid initiatives such as EGEE.

The authorization mechanisms of the grid middleware to be deployed in the Pilot Testbed will be based on public/private keys and the concept of Virtual Organizations (VO). VO support will require a set of dedicated central services that will include workload management systems, replica location services, and specially the authorization membership management.

OBJECTIVES AND DESCRIPTION

This task aims to coordinate the deployment of a grid Certification Authority (CA) infrastructure that will be responsible for the issuance of certificates for users, hosts and services in Latin America. For this CA to be recognized, it will have to pass through a thorough international acceptance process conducted by the EUGridPMA. Moreover, Task 2.2 will share the necessary know-how between LA and European partners, fostering partners’ local initiatives. Once deployed the CA operation will be verified and continuously monitored.

This task will also address the needs for implementation of Virtual Organizations, such as Virtual Organizations Management System (VOMS), Workload Management System (WMS), and Replica Location Services (RLS) and support for dissemination and application users, like HelpDesks, User Interfaces and Portals (Task 2.3 and 2.4 will share some of these activities in order to maximize resource usage. The decision will be made in the Project execution plan.)

Grid certification authorities have been deployed in most European countries in the context of several European Union projects. These CAs are now coordinated by the EUGridPMA group, which is constituted by CA managers and experts in authentication and security fields. Based on the experience obtained in Europe, EELA proposes to deploy a similar trusted authentication solution for Latin America. The EELA partners that are already members of EUGridPMA will provide support for this effort.

Currently only a few users in Latin America have valid grid certificates acceptable in Europe, these have been issued by the European catchall CA operated by CNRS. The first step will be to investigate the possibility of deploying a catchall CA for Latin America hence enabling easier access to certificates by the project partners. This action will be accompanied by a study of the deployment model for Latin American national CAs following the EUGridPMA model. The actual deployment will include the establishment of the policies and practices to be followed by each CA and that will be detailed in the Certification Policy (CP) and in the Certification Practice Statement (CPS) documents. A careful review will be performed in these documents in order to enforce their compliance with the EUGridPMA minimum requirements. The policies will then be submitted for evaluation and acceptance to the EUGridPMA. The EELA European partners will provide guidance during this process. Once the CAs are accepted the technical work will begin, this will include choosing and deploying CA software management tools and interfaces, as well as creating all the necessary registration authorities in each country. Risks associate with this task can be reduced thanks to the experience of the European partners.

Two centres will be established in Latin America and Europe to provide support to CA managers, CA users, VO managers and VO users in subjects related with certificates and authentication.

The EELA project will support and generate Virtual Organizations in specific application disciplines proposed by the consortium in order to perform the dissemination activities and application exploitation. The VO support will require a set of dedicated central services that will include workload management systems (WMS), replica location services (RLS), and specially the authorization membership management (VOMS).

As a specialization of CIC Centres, inside EELA two redundant “Virtual Organization Centres” will support all these activities. These Centres will in practice share with GOC/ROC infrastructure centre the deployment of WMS, VOMS, and additionally a support Centre must be setup. This task will be handled by LIP and CSIC in Europe and by REUNA and UFF in Latin America, with operational support from CERN and RED.ES.

EXPECTED RESULTS

EELA will accomplish the successful deployment of a PKI authentication infrastructure in Latin America interoperable with European grid projects. The task will provide a reliable support network for CA and VO related issues.

PARTICIPANTS