Project CLASP Mandate:

Common Login and Access Rights across Services Plan


Purpose:

  • Investigate and propose a plan for implementing a common authentication mechanism for use by CERN services.
  • Investigate and propose a platform independent mechanism to provide controlled access to objects (e.g. systems, files, web pages) for authenticated users.

Background:

The increasing number of login/passwords for accessing CERN computing services has become a source of frustration for the user community. Initiatives have been started towards a common login id, and in some cases synchronisation of passwords, across services. However, a common authentication mechanism across services would bring greater benefits, opening up the possibility for users, once authenticated, to access services based on their pre-defined access rights.

Technology (e.g. Kerberos v5, Certificates, LDAP) is becoming mature and opening up the possibility for a common authentication and authorisation mechanism. The CLASP (Common Login and Access Rights across Services Plan) project has been launched in this context and will complement the Windows 2000 and Linux 2000 projects in defining the evolution of CERN's computing environment.


Goal:

The goal of the CLASP project is to propose a detailed plan to reduce the number of login/passwords entered by users to access services they are authorised to use.


Scope:

    General:

  • Access to CERN services from both on and off the CERN site (i.e. general Internet access) will be covered. CERN services refer to computing services offered by IT and AS Division.
  • The plan will target access to CERN services by the general user community. Enhanced requirements (e.g. privileged access, access to sensitive data or systems) will be taken into account, but will not constrain the final plan.
  • The final proposal will specify what security levels can be achieved. No initial constraints are applied, but elimination of clear text passwords is desirable.
  • It is not within the scope of this project to implement the plan. If necessary, a follow-on project will be launched.

    Tasks included:

  • Investigate a common authentication mechanism for use by CERN services, with emphasis on the CERN Windows 2000 and Linux 2000 projects. Define the services which can be covered by this mechanism.
  • For services not covered by a common authentication mechanism, propose how to reduce the number of login/passwords requested from users.
  • Assess the impact of moving to a common login/password across existing (IT and AS Division) services and define prerequisites for its introduction on at least AFS and NICE. Include an opt-out mechanism to handle special cases where a common login/password across services is not desired.
  • Propose a common password (check and change) policy for at least AFS and NICE.
  • Propose a platform independent mechanism for controlling access to web pages and AFS and NICE files. The design should be extensible to other objects.
  • Analyse the impact of the proposed mechanisms on other sites and for users travelling between sites. Collaborate with other HEP sites towards the goal of simplifying access between sites for authenticated HEP users.

Project Phases:

  • Phase 1: Service Survey and Feasibility Study (further details below)
  • Phase 2: Final Proposal and Detailed Plan (further details will be defined by Phase 1)

Phase 1: Service Survey and Feasibility Study

Goals:

  • Document the current login/password mechanisms used on IT and AS services
  • Assess the feasibility of Kerberos v5 and/or other technology as a common authentication mechanism for the planned Windows 2000 and Linux 2000 environments
  • Investigate possibilities for platform independent authorisation
  • Propose next steps, including personnel and budget estimates for Phase 2

Deliverables (two documents):

  1. Survey of current login/password mechanisms as described in the Service Survey Blueprint
  2. Feasibility Study results as described in the Feasibility Study Blueprint

Success Criteria: Final documents accepted by an open C5 meeting

Constraints: Documents available within 3-6 months of acceptance of the blueprints by an open C5 meeting

Project Clients: Service Managers in IT and AS Divisions
Project Sponsor: Manuel Delfino
Project Leader: Denise Heagerty

* Definition of the word "clasp": an object used to link together two materials


This document was last updated on Tuesday, 07 December 1999
