As Grid computing technologies gain acceptance and adoption, the transition from highly specialized Grids with only a few institutional participants to a Grid environment with hundreds of institutions is becoming a reality. Security is of primary importance in the Grid and the support for secure communication, authentication, and authorization is a critical requirement, specifically in settings where sensitive data (e.g., patient medical information) must be accessed and exchanged. Also needed are mechanisms to establish and manage "trust" in the Grid so that asserted identities and privileges can be verified and validated with the required level of confidence. Within a collaboration, it is clear that the different institutions will have tiered levels of confidence in the users and service management policies of the various other institutions. While generally all institutions want to collaborate in some fashion, they will have services with varying security policy enforcement requirements. The interconnections, between clients and services that are able to securely communicate in the larger Grid, form conceptual overlays of trust, which we herein refer to as the "trust fabric" of the Grid. The figure shows an example trust fabric composed of four trust groups (Trust Groups A-D), over a worldwide Grid. The establishment, provisioning, and management of the trust fabric are critical to the scalability, maintenance and security of the Grid and other web service environments.
Many components of the Grid rely on having trust agreements in place. For example, when a user wants to access a service, she is authenticated based on an identity assigned to her. In the Grid, clients and services authenticate with one another using X509 identity certificates. Grid Identities are assigned to users by authorities. When a grid-identity is asserted by an authority in the form of an X509 identity certificate, it is digitally signed by that authority. Relying parties make authentication decisions based on whether or not the certificate presented is signed by a trusted certificate authority. Thus, authentication requires a trust agreement between the consumers of X509 identity certificates and the certificate authorities that issue them.
In a Grid environment, there may exist tens or even hundreds of certificate authorities, each issuing hundreds if not thousands of certificates. To make matters worse, in a dynamic multi-institutional environment, the status of identities may be updated frequently. Identities and credentials can be revoked, suspended, reinstated, or new identities can be created. In addition, the list of trusted authorities may change. In such settings, certificate authorities will frequently publish Certificate Revocation Lists (CRLs), which specify "black listed" certificates that the authority once issued but no longer accredits. For the security and integrity of the Grid, it is critical to be able to perform authentication and validate a given identity against the most up-to-date information about the list of trusted certificate authorities and their corresponding CRLs.
Each institution normally manages its own security infrastructure with its own CAs, and all clients and services within such an administrative domain need to be configured to trust the local trust roots. If collaborations span administrative domains, then participating entities have to be configured to trust the trust roots defined in the different organizations, within the limits of their own local policies. The trust root configurations required to participate in such Virtual Organizations (VOs) are complex, error prone and security policy sensitive. By centralizing the configuration management and provisioning collaborating clients and services "on demand", one can ensure that the correct and up-to-date trust-root information is made available. In this scenario, the central provisioning server becomes a trusted entity itself, and clients need to be configured to trust its provisioning information. In order to facilitate trust in the provisioning servers, they should be locally known to the clients, which requires local provisioning servers to aggregate and front-end remote ones.
The Grid Trust Service (GTS) is a Web Services Resource Framework compliant federated infrastructure enabling the provisioning and management of a grid trust fabric. The salient features of the GTS can be summarized as follows:
- It provides a complete Grid enabled federated solution for registering and managing certificate authority certificates and CRLs, facilitating the enforcement of the most recent trust agreements.
- It allows the definition and management of levels of assurance, such that certificate authorities may be grouped and discovered by the level of trust that is acceptable to the consumer.
- The federated nature of the GTS, coupled with its ability to create and manage arbitrary arrangements of authorities into levels of assurance, allows it to facilitate the curation of numerous independent trust overlays across the same physical Grid.
- The GTS can also perform validation for a client, allowing a client to submit a certificate and trust requirements in exchange for a validation decision, which allows for centralized certificate verification and validation.
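The following is an added example, not code from the GTS project: a simplified model of the validation decision described above, in which trusted CAs are grouped by level of assurance, only the most recently published CRL per CA is retained, and a certificate is accepted only if its issuer is trusted at an acceptable level, the certificate is unexpired, a current CRL is available, and the serial is not revoked. Certificates and CRLs are constructed records with no real X.509 parsing or signature verification (an assumption of this example), and the CA names, levels and serials are made up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Simplified stand-ins for X.509 objects: constructed records, no DER parsing or signatures.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # name of the CA that signed the certificate
    serial: int
    not_after: datetime

@dataclass(frozen=True)
class CRL:
    issuer: str
    next_update: datetime             # CRL is stale once this time has passed
    revoked: frozenset = frozenset()  # serials the CA once issued but no longer accredits

@dataclass
class TrustFabric:
    """Trusted CAs grouped by level of assurance, plus the newest CRL per CA."""
    levels: dict = field(default_factory=dict)  # level -> set of trusted CA names
    crls: dict = field(default_factory=dict)    # CA name -> most recent CRL

    def publish_crl(self, crl):
        current = self.crls.get(crl.issuer)
        if current is None or crl.next_update > current.next_update:
            self.crls[crl.issuer] = crl

    def validate(self, cert, acceptable_levels, now):
        """Return (accepted, reason) for a cert and the relying party's trust requirement."""
        trusted = set().union(*(self.levels.get(lvl, set()) for lvl in acceptable_levels))
        if cert.issuer not in trusted:
            return False, "issuer not trusted at the requested level of assurance"
        if now > cert.not_after:
            return False, "certificate expired"
        crl = self.crls.get(cert.issuer)
        if crl is None or now > crl.next_update:
            return False, "no current CRL for issuer"   # fail closed on stale status
        if cert.serial in crl.revoked:
            return False, "certificate revoked"
        return True, "valid"
# Constructed sample fabric: CA-A qualifies for both levels, CA-B only for "medium".
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
FABRIC = TrustFabric(levels={"high": {"CA-A"}, "medium": {"CA-A", "CA-B"}})
FABRIC.publish_crl(CRL("CA-A", NOW + timedelta(days=1), frozenset({7})))
FABRIC.publish_crl(CRL("CA-A", NOW - timedelta(days=5), frozenset()))  # older, ignored
FABRIC.publish_crl(CRL("CA-B", NOW - timedelta(days=1)))               # already stale
ALICE = Cert("alice", "CA-A", 5, NOW + timedelta(days=30))
MALLORY = Cert("mallory", "CA-A", 7, NOW + timedelta(days=30))
BOB = Cert("bob", "CA-B", 9, NOW + timedelta(days=30))
```

Note that a stale CRL is treated as a failure rather than silently accepting the certificate, which is the behaviour a relying party needs if validation is to reflect the most up-to-date revocation status.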