Subject: Comments on the EGI blueprint
Date: Thursday, 31 July 2008 23:58

Dear Dieter Kranzlmüller,

today David Groep made the EUGridPMA membership aware of the EGI blueprint and the deadline (today) for comments. Not having been able to react during the day and add to the EUGridPMA position - which I endorse without any restriction - I'm sending you some thoughts on specific items of the paper.

First of all I deplore the mix-up of the security agenda, authentication and authorisation.

The security agenda that EGI is concerned with consists mainly of providing the framework for the definition of best practice and security policies acceptable for the ERI and for the coordination of incident reports and reactions to them. I completely disagree with 5.1.1 (4) last sentence: The responsibility for a secure environment must always be with the sites - this is one of the bases of Grid computing. EGI or even the NGIs should never consider themselves as a super-administrator of Grid resources!!! EGI should provide the framework and support for European-wide coordinated security efforts.

The authentication is between the communication partners, based on certificates issued by CAs whose operation rules are accepted as fitting for the relying parties. The security of CA operations is different from the Grid security aspects mentioned above. The definition of acceptable CA policies is the agenda of EUGridPMA and their partner authorities TAGPMA and APGridPMA. IGTF itself isn't an umbrella organisation of the CAs which are members of one of the 3 PMAs, but a federation of the PMAs. Therefore EGI or the NGIs should (can?) only interact with EUGridPMA and through it with IGTF.

Authorisation is based on the authentication of both consumer and provider, and on additional information about the authenticated partners. This extra information, termed attributes, is generated by Attribute Authorities located within the organisation to which the entity belongs or the VO concerned, or any external institution with knowledge about attributes of the authenticated entity. This is not a CA concern. Citizenship is one such attribute which is explicitly mentioned in the blueprint, but falsely related to the realm of X.509 certificates, whereas some Attribute Authority is responsible for issuing the necessary X.509 attribute certificates or SAML assertions.

8.3 mentions "the VO", insinuating that the EGI considers itself as a super-VO of the NGIs. This is surely not what EGI should be. If it means "a VO", then this should be corrected. EGI should not be allowed to restrict membership in a VO which also encompasses members of NGIs which are still members of EGI. Especially certificates issued by the CA in a country whose NGI decides to leave EGI should not be invalidated for the VOs related to EGI members.

I also want to refer to David Groep's statement about the necessity to recognise that a national CA need not automatically be organised by an NGI.

A last point to a missing word: page 29 second paragraph: ... by more NGIs during the with the view of ... .

I hope you'll give my comments some consideration.

Best regards
Willy Weisz