WLCG Resource Trust Evolution Task Force


For many years, authentication in WLCG and related infrastructures and projects has relied on trust anchors vouched for by IGTF, the Interoperable Global Trust Federation. For practical reasons, those anchors have covered both users and resources, which has served us well for many years. However, because client-side X509 certificates are cumbersome for users, preparations are being made for users to be able to switch to more modern and convenient authentication mechanisms that are gradually being adopted in academia and industry: federated identities and tokens.

On the other hand, identity federation does not address a number of key server-side use cases, and the continued use of X509 certificates to authenticate resources is in line with common practice. However, the IGTF portfolio of trusted certificate authorities (CAs) does not include several CAs that have become popular for various reasons and are trusted by browsers. Particular examples are Let's Encrypt and the CAs that come with commercial cloud providers. While such CAs have not been part of the IGTF bundle as they would not match existing security and assurance profiles, there is the perception of a gap widening between our traditional best practices and what is happening elsewhere in the digital world.

As the trust between parties ultimately underlies all WLCG activities, opting for extra convenience and practical benefits must not be done in a way that is detrimental to the trust, security and collaboration between parties. The relevant aspects between the various stakeholders as well as the impact on the trust model need to be discussed, in order to fully understand how we can advance together: experiments, sites, infrastructures, identity management, operations, security. Another important consideration is that most WLCG sites need to support other, separate, communities, on the same resources, usually through the same middleware. A change implemented for WLCG may thus affect other customers as well.

The goal of this task force is to bring all stakeholders together to build consensus on the way forward. A short-term objective would be to see which CAs, if any, could be added to the portfolio and for which purposes. A possibly longer-term objective would be to see how cloud resources and workflows can be integrated such that the benefits greatly outweigh the additional risks.


  • Mailing list: wlcg-resource-trust-evolution (at cern.ch)
    • You can contact wlcg-resource-trust-evolution-admin (at cern.ch) if you do not manage to subscribe.

  • Meetings: TBD


Topic revision: r8 - 2021-10-28 - MaartenLitmaath