Tuesday 2 October 2012

SHA2 certificates

We have started to issue certificates with the "new" more secure algorithms, SHA2 (or to be precise SHA256) - basically, it means that the hashing algorithm which is a part of the signature is more secure against attacks than the current SHA1 algorithm (which in turn is more secure than the older MD5).

But only to a lucky few, not to everybody.  And even they get to keep their "traditional" SHA1 certificates alongside the SHA2 one if they wish.

Because the catch is that not everything supports SHA2.  The large middleware providers have started worrying about supporting SHA2, but we only really know by testing it.

So what's the problem?  A digital signature is basically a one-way hash of something, which is encrypted with your private key: S=E(H(message)).  To verify the signature, you would re-hash the message, H(message), and also decrypt the signature with the public key (found in the certificate of the signer): D(S)=D(E(H(message)))=H(message) - and also check the validity of the certificate.

If someone has tampered with the message, the H would fail (with extremely high probability) to yield the same result, hence invalidate the signature, as D(S) would no longer be the same as H(tamper_message).

However, if you could attack the hash function and find a tamper_message which has the property that H(tamper_message)=H(message), then the signature is useless - and this is precisely the kind of problem people are worrying about today, for H being SHA1 signatures (and history repeats itself, since we went through the same stuff for MD5 some years ago.)

So we're now checking if it works. So far, we have started with PKCS#10 requests of a few lucky individuals; I'll do some SPKACs tomorrow.  If you want one to play with, send us a mail via the usual channels (e.g. email or helpdesk.)

Eventually, we will start issuing renewals with SHA2, but only once we're sure that they work with all the middleware out there... we also take the opportunity to test a few modernisations of extensions in the certificates.
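
The S=E(H(message)) scheme described in this post, as an added example (not part of the original post and not the CA's software). It uses textbook RSA with a constructed toy key and compares SHA-256 with a deliberately weak 16-bit stand-in hash, to show that a signature protects the hash value rather than the message itself; all names and sample messages are assumptions made for the illustration.

```python
"""Hash-then-sign, S = E(H(message)), with textbook RSA and two choices of H."""
import hashlib

# Constructed toy key: two Mersenne primes, no padding. Illustration only,
# not a usable RSA key and not how a CA generates or uses keys.
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q
E_PUB = 65537
D_PRIV = pow(E_PUB, -1, (P - 1) * (Q - 1))


def h_sha256(message: bytes) -> int:
    """H = SHA-256, as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def h_weak(message: bytes) -> int:
    """Stand-in for a broken hash function: only 16 bits of output."""
    return int.from_bytes(hashlib.sha256(message).digest()[:2], "big")


def sign(message: bytes, h) -> int:
    """S = E(H(message)): private-key operation applied to the hash."""
    return pow(h(message), D_PRIV, N)


def verify(message: bytes, signature: int, h) -> bool:
    """Check D(S) == H(message): public-key operation, then re-hash."""
    return pow(signature, E_PUB, N) == h(message)


def find_colliding_message(original: bytes, prefix: bytes, h, limit=2_000_000):
    """Search for prefix+counter that hashes to the same value as original."""
    target = h(original)
    for i in range(limit):
        candidate = prefix + str(i).encode()
        if candidate != original and h(candidate) == target:
            return candidate
    return None


# Constructed sample messages.
MESSAGE = b"CN=host.example.ac.uk valid until 2013-10-02"
TAMPERED = b"CN=host.example.ac.uk valid until 2033-10-02"


def demo() -> dict:
    strong_sig = sign(MESSAGE, h_sha256)
    weak_sig = sign(MESSAGE, h_weak)
    # With 16 bits of hash a matching message turns up after ~65,000 tries.
    collision = find_colliding_message(MESSAGE, TAMPERED + b" #", h_weak)
    return {
        "genuine_ok": verify(MESSAGE, strong_sig, h_sha256),
        "tampered_rejected": not verify(TAMPERED, strong_sig, h_sha256),
        "collision": collision,
        # The signature made over MESSAGE also validates the other message
        # when H is weak: this is the failure the post describes.
        "weak_accepts_collision": verify(collision, weak_sig, h_weak),
        "sha256_rejects_collision": not verify(collision, strong_sig, h_sha256),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same search against the full 256-bit output is not feasible, which is the whole of the security argument for moving the signature hash to SHA2.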

Thursday 14 June 2012

Kick off - it's time for the NGS summer seminar series

In the midst of this summer of sport another event is kicking off soon but this time it's the NGS Summer Seminar series.

The first seminar will take place next Wednesday (20th June) at 10.30am (BST) and will give an overview of how accounting is done on the grid, and what it is used for.  It will cover the NGS accounting system at a high level and then go into more detail about the implementation of APEL, the accounting system for EGI, including the particular challenges involved and the plans for development.

The speaker will be Will Rogers from STFC Rutherford Appleton Laboratory who I'm sure would appreciate a good audience ready to ask lots of questions!

Please help spread the word about this event to any colleagues or organisations you think might be interested.  A Facebook event page is available so please invite your colleagues and friends!

Thursday 31 May 2012

What does the NGS do for Europe?

Quite a lot actually is the answer!

The NGS will be hosting a second seminar series this summer and the theme of the 3 seminar event focuses on the services that we provide for the European Grid Infrastructure (EGI).  As with last time, the seminar series will be held using EVO allowing people from all over the world to participate in the seminar and to quiz the presenters.  The details for this series are -


20th June - Grid Accounting and APEL
This talk will give an overview of how accounting is done on the grid, and what it is used for.  It will cover the NGS accounting system at a high level.  It will then go into more detail about the implementation of APEL, the accounting system for EGI, including the particular challenges involved and the plans for development.

27th June - GOCDB, the NGS and EGI 
This talk will cover a brief overview of the functionality provided by GOCDB, the official repository for storing and presenting EGI topology and resources information. The seminar will explain how it is used within the NGS, recent developments, useful features on the future roadmap and a chance to ask questions about the system. There will also be a short overview of how GOCDB is used in the context of the EGI project.

4th July -  The Training Marketplace
The Training Marketplace is a one-stop shop for training developed by STFC and the EGI InSPIRE project. Here you will find information about classroom-based training courses and online training materials including a repository containing thousands of resources. You can also search for PhD or MSc courses, or for resources for trainers such as a Training CA. The Training Marketplace equally allows you to advertise and a freely available gadget enables you to customise and embed the Training marketplace in your own website. This seminar will talk you through the Training Marketplace and demonstrate how you can embed a customised version of a training calendar, map or repository in your own website.

If you are interested in attending any of these online seminars then please see the webpage for further details and how to join in online.  There are also Facebook event pages available for each seminar series to help you inform interested colleagues and to invite them along.

Friday 11 May 2012

Are you a molecular modeller?

Two free training events announced in the space of 2 weeks?  Don't say we're not good to you!

In case you missed it, last week I announced that we were accepting applications for our "Using e-infrastructure for Research" summer school which will be held in August.  It's completely totally and utterly fully funded so there is absolutely no cost to the participants.  More information can be found on our website.

However the latest event I have to tell you about today is being organised by one of our Community Champions who is funded through the same project as the above summer school - Supporting e-Infrastructure Uptake through Community Champions for Research (SeIUCCR) funded by EPSRC.

Dr Pamela Greenwell, who is based at the University of Westminster, has organised a 3 day training event entitled "Biobytes", a molecular modelling event for bioscientists.  It's a 3 day event held at Westminster consisting of breakout groups, seminars, demos and practical workshops.

For more information and details on how to register, see the event page on the NGS website.  Don't delay as spaces are limited!

Thursday 3 May 2012

Fully funded e-infrastructure summer school anyone?

Yes it is that time of year again.  I've spent this morning opening registration for the 2012 SeIUCCR e-infrastructure summer school.  Why a whole morning you may ask?

Well by the time you've double and triple checked the registration form, put the web page live, sorted out the Facebook event page, written the advertising blurb, put together the news bulletin containing the announcement and tidied up another 101 loose ends, it takes a while!

The summer school is taking a similar format to last year's successful event.  It will run from lunchtime Monday to lunchtime Thursday with a mix of presentations, hands on and consultation sessions.  It will cover cloud, grid and other e-infrastructures to ensure that attendees gain the widest possible knowledge of e-infrastructure in the UK.

The summer school is primarily aimed at UK engineering and physical science PhD students and post docs but researchers from other disciplines can also apply.  The school is fully funded including meals, accommodation and travel - all you have to do is tell us of a problem or issue in your research that could potentially be tackled by the application of e-infrastructure!

For more information and to apply for a place visit the event webpage.

Tuesday 24 April 2012

Renewals available now!

Hopefully you'll have already seen the announcement on one of our many communication channels such as our website, Facebook page or Twitter feed but if not then read on.

Many of you will remember the changes we brought in last year in April 2011.  Due to funding restrictions, we had to reduce the CPU allocation of all users to a maximum of 2000 free cpu hours in one year.  You can read the original announcement on our website.  As we are now a year on, all NGS users can apply for another free 2000 cpu hours.

If you are looking for some proof of concept computing, a "sand pit" area for your PhD students or to test concepts before purchasing more hours etc then this is an ideal opportunity.

If you have any queries at all then don't hesitate to contact the NGS helpdesk.

Monday 16 April 2012

"hello, science\n"

It is worth pondering how scientific programming is different from other programming. Last year I gave an introductory talk on specialised languages used for science (in which I include Fortran but mainly covered R, APlus, and suchlike). How do you do "hello, world" in science?  It has to be floating point, so I picked calculating the length of a vector.

Let's just digress for a second to do that. Say I want to calculate the length of (v_i); I can then start with s=0 and loop over i, adding v_i^2, and finally take the square root of the sum:

sub vector_length { my @v = @_; my $s = 0; foreach (@v) { $s += $_ * $_; } return sqrt($s); }

Or we can do it more functionally, creating a new vector of squares ("map"), the elements of which are then added together ("reduce"):

(sqrt (reduce #'+ (map 'list (lambda (x) (* x x)) v)))

... which is the origin of the MapReduce paradigm, but it has the disadvantage of creating a temporary copy (here a list) of the squares. But. If you are doing them in parallel, with each task squaring its own entry (which you might if v is large), in this case you do need to keep the intermediate results anyway.

Then there are questions of precision and suchlike, for which David Goldberg's paper is still one of the best introductions. This is in contrast to "normal" programming, where one should read Zen and the Art of Motorcycle Maintenance (but see also 10 papers).

We can then ask how science use of * is different from normal use of * (where * is anything). Do scientists use the cloud in a different way from non-scientists?

With this in mind, JISC and STFC co-organised a workshop on scientific computing in the cloud (and grids.) Funded by EPSRC, and with about 75 registered participants and 15 speakers from the UK and beyond, it focused on the science use of cloud (and grid) resources. There were a number of discussions on cost effectiveness, cost models, and the true cost of doing science in clouds compared to your own (university's) resources. How careful should you be about putting your data "in the cloud" - and here we are just talking about analysis of data, not long term storage. How do you convince sceptical users?

It seems that some of the lessons learned from the grid carry over to the cloud world: the use of gateways and portals is a useful way to get researchers started using the cloud, but then someone needs to build these things for the research communities - and they will in general be domain specific. And building these cannot just be a proof of principle; they have to be production ready and supported.

Of course e-scientists have scientific applications, specialised libraries, and repositories of libraries - and every e-science programmer should know their BLAS and LAPACK... on the other hand, the presence of gateways and portals brings hope to the "ordinary" researchers who want to make the most of the brave new world of the fourth paradigm but are not themselves programmers and choose (rightly) to focus on their science.

Science use of clouds may have learnt from science use of grids, but clouds also introduce new issues. We agreed at the workshop that it was worth pursuing the case studies. There was no single "pain point" for everyone, but everyone learnt from each other. Supporting scientific research in the clouds (and grids) is a research topic in its own right, bringing together computing, science, best practices, usability, security, performance, and more - and as long as we continue to share experiences, the researchers who use the infrastructure will benefit.

Wednesday 11 April 2012

NGS at the EGI Community Forum, Munich


You can tell it’s been conference season over the past few weeks – lots of travelling, lack of sleep and notes written in cryptic language on my laptop from various sessions and presentations.

The EGI Community Forum was held in Munich, Germany at the end of March and consisted of 4 days of conferencing and various workshops on the Monday morning.  As well as helping to look after the UK NGI exhibition stand, I also attended a wide variety of interesting sessions including:
Each session had its highlights – the EGI session looked at how to count the number of users that EGI actually has.  They attempted to do this through the use of VOMS (Virtual Organization Membership Service) but there were problems with the information contained being out of date or indeed missing in some cases, not all users being registered, expired users still being in the system and many more.  However at the end of the day they did eventually come up with a definitive figure which was as accurate as possible on the day it was calculated – 20706.

Also in this session was a presentation from the German national grid – D-Grid.  They presented on a business model for a sustainable Grid infrastructure.  The slides from this session are definitely worth a look for anyone interested in the next stage of national e-infrastructure.

I also presented on the NGS Campus and Community Champion initiatives at the NGS in the session on Communication.  To save me telling you all about it, I’m instead going to provide a link to a blog post written by Elizabeth Leake who wrote about her take on the session and my presentation.

A big congratulations to the local organisers who did a fantastic job – great venue and great food as well as inbuilt entertainment in the conference venue.  You may have to join our Facebook page to see evidence of this coming soon!

Munich was another great EGI event and we’re already planning and looking forward to the next one which is the EGI Technical Forum in Prague in September.

Wednesday 4 April 2012

Doing a lot of talking about software


Recently I attended the Software Sustainability Institute Collaboration Workshop (CW) which was held in a very sunny Oxford for 2 days.  It was a busy workshop for me due to being on the steering committee, being part of the events team, chairing a session, giving a lightning talk and scribing for some of the sessions as well!

If you’ve never been to a CW before then the best way to describe it is a conference but not as you know it!  In most conferences people sit and listen to one person giving a demo or PowerPoint presentation at the front of a lecture theatre.  At a CW people pick the topics they want to discuss and head off into break out rooms to have stimulating and interactive discussions about these topics.  Everyone then reconvenes in the main lecture theatre and all the groups report back to inform all delegates of the points and issues raised as well as some possible solutions!

However before the breakout sessions there were some lightning talks – short presentations done against the clock.  Simon Hettrick from SSI makes sure that there are no misunderstandings as a large countdown timer is projected up on the screen along with the one and only slide you are allowed.  I have done lightning talks before at SSI events but this time Simon had raised the bar by only giving each delegate a mere 3 mins.  As I had to present on both the Campus and Community champs in this time it was a tall order but I made it – just!

After the adrenaline rush of the lightning talks we moved onto the more sedate business of breakout sessions.  During the two days I attended several sessions -

•    Building research and communication networks across disciplines
•    How to blog, and how to run a blog 
•    Bringing together representatives of the research community: Institute's Agents and SSAs, and the SeIUCCR Community and Campus Champions
•    Using the internet and social media to increase your impact and publicise research to the public and research community 

From each of these sessions the 5 most important points learnt during the session were recorded and reported back along with -

•    What are the problems, and are there solutions?
•    What further work could be done, and who should do it?
•    Are there any useful resources that people should know about?

All the notes from all the sessions are available through the Collaborations Workshop 2012 Google Group – you don’t need a Google account to view the information.  They make for some very interesting reading particularly if you are a research software engineer or a researcher who uses software!

Photos from the event are also available which prove just how nice the weather really was before we descended back into winter this week!

Thursday 8 March 2012

Radio silence

It's gone a bit quiet over here at the NGS blog lately mainly because I was completely caught up in writing a bid which took over my life for a few weeks.  As it was all I did for a couple of weeks I didn't have much to blog about.  Hopefully the bid will be successful and we'll have some exciting news for you in the near future!

Apart from that I have been working with colleagues at SSI in preparation for their Collaborations Workshop which will take place on the 21st - 22nd of March.  There has been a great response with maximum attendance and a great range of people attending.  One of the purposes of the workshop is to get researchers and software engineers networking to find where they can help each other out. There aren't many conferences out there where the aim is to get everyone talking to each other all day instead of just a few people doing the talking!

In completely different news I just posted an article to the NGS website from EGI.  The EGI are showcasing their users' research much the same as the NGS user case studies do (wonder where they got the idea from...?).  They are doing their case studies in the form of video interviews and the first one focuses on the research of Henry Hocking of the CONCO project who used the grid to analyse naturally occurring molecules in venoms used by marine snails to immobilise their prey.  You never would have guessed that one!



Tuesday 14 February 2012

On email addresses in distinguished names

Those of you who are sysadmins know we have email addresses in host certificates, in their distinguished names (DNs).  The origin of this decision is lost in the mists of time - it certainly pre-dates the UK e-Science CA - I seem to remember something about host certificates being used as clients and the email address of the contact appearing in the log file, as a forerunner of "robot" certificates - which can't quite be right because initially we did not give host certificates client extensions. But hosts have been used in this way to implement portals.

In any case, the practice is now deprecated, mainly because much of our software (strictly speaking incorrectly) depends on the string representation of the DN, and different software stringifies emailaddress in different ways. We have been meaning to get rid of it for a while, waiting only for some code changes and an update to the policy.

In fact the policy needs updating because in a (very small) number of cases we are doing things that are not consistent with the policy - but which are nonetheless wholly consistent with IGTF. Actually the only example I can think of is that we have permitted two "software robots," a practice which is permitted by IGTF now but wasn't when our policy was written.

The proposal is now that we remove email addresses from DNs, before the policy rewrite is finished (it's about 2/3 done since you ask.) Removing email addresses is clearly consistent with IGTF, but deviates from our historical practice of preserving the end entity DN across all generations of CA certificates. Having an out of date policy is of course not consistent with IGTF...

The trouble is, how do we know whether people depend on the email address in the DN?  We have no way of knowing how the certificates are being used. Of course we could take the approach that if the certificate is being used for unsupported purposes, then you're on your own. OTOH, we have usually strived not to do that, even if grid software makes that quite difficult (see GFD.125 again, or every rollover).

So we need to leave it to the "owner" of the certificate to decide. The easiest way of doing this is JK's proposal, that we remove email address from new certificates, but keep them on renewal. For host certificates, getting a new certificate is often the same amount of work as a renewal.  Existing certificates are not affected but if you want your certificate to be affected you could revoke it and get a new one.

And of course all this applies only to hosts, there is no change for personal certificates.
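
The dependence on the string form of the DN described in this post, as an added example (not part of the original post and not code from the CA or any grid middleware). It parses several string renderings of one subject into a common structure before comparing them, assuming the emailAddress attribute may be labelled emailAddress, Email, E or by its dotted OID; the DNs are constructed and the function names are hypothetical.

```python
"""Compare certificate subject DNs across different string representations."""
import re

EMAIL_OID = "1.2.840.113549.1.9.1"
# Labels that different software prints for the same emailAddress attribute
# (assumed set for this example).
EMAIL_LABELS = {"EMAILADDRESS", "EMAIL", "E", EMAIL_OID}


def _decode_value(value):
    """Decode '#16<len><bytes>' (hex-encoded IA5String, short length form)."""
    if value.startswith("#"):
        raw = bytes.fromhex(value[1:])
        if len(raw) >= 2 and raw[0] == 0x16 and raw[1] < 0x80:
            return raw[2:2 + raw[1]].decode("ascii")
    return value


def parse_dn(text):
    """Return the DN as a tuple of (type, value), most significant RDN first.

    Handles the slash-separated one-line form and the comma-separated form
    (which lists the most specific RDN first). Escaped separators and
    multi-valued RDNs are not handled in this example.
    """
    text = text.strip()
    if text.startswith("/"):
        # Split only on a slash that begins a new "type=", so that a value
        # such as CN=host/name is kept in one piece.
        parts = re.split(r"/(?=[A-Za-z0-9.]+=)", text[1:])
    else:
        parts = [p.strip() for p in text.split(",")][::-1]
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        attr = attr.strip().upper()
        if attr in EMAIL_LABELS:
            attr = "EMAILADDRESS"
        rdns.append((attr, _decode_value(value.strip())))
    return tuple(rdns)


def same_subject(a, b):
    """True when two DN strings name the same subject, RDN by RDN."""
    return parse_dn(a) == parse_dn(b)


def without_email(rdns):
    """Drop the emailAddress RDN, as a newly issued host certificate would."""
    return tuple(r for r in rdns if r[0] != "EMAILADDRESS")


# Constructed sample DNs: one subject, four string forms.
EMAIL = "admin@example.org"
BASE = "/C=XX/O=ExampleGrid/OU=Site/CN=host.example.org"
SLASH_NEW = BASE + "/emailAddress=" + EMAIL
SLASH_OLD = BASE + "/Email=" + EMAIL
COMMA_FORM = ("EMAILADDRESS=" + EMAIL
              + ", CN=host.example.org, OU=Site, O=ExampleGrid, C=XX")
OID_FORM = (EMAIL_OID + "=#"
            + (bytes([0x16, len(EMAIL)]) + EMAIL.encode("ascii")).hex()
            + ",CN=host.example.org,OU=Site,O=ExampleGrid,C=XX")
ALL_FORMS = [SLASH_NEW, SLASH_OLD, COMMA_FORM, OID_FORM]


if __name__ == "__main__":
    print("distinct strings:", len(set(ALL_FORMS)))
    print("all same subject:", all(same_subject(SLASH_NEW, f) for f in ALL_FORMS))
    # A certificate issued without the email address is a different DN,
    # so anything that authorises by DN has to be told about it.
    print("same after removal:", same_subject(SLASH_NEW, BASE))
```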

Friday 10 February 2012

Bits and pieces

It's been one of those weeks with a lot of bits and pieces going on.  Busy and varied is how I'd probably sum it up!

Tuesday was the NGS Collaboration Board meeting which was held at the University of Birmingham thanks to the kind hospitality of Paul Hatton.  The theme of the meeting was reaching out and engaging with potential new communities and existing user communities.  Mike Jones gave a presentation on SaRONGS to show how we are making it easier for people to access grid resources and I gave a presentation on the Campus and Community Champions networks.  Following on neatly from my presentation was Rebecca Notman who is one of our Community Champions.  Rebecca spoke about her role and how the NGS has played a part in her research.  There was also plenty of time for discussion with each of our Collaboration Board members updating us on news and activities from their institutions.  It seems to be a busy time in the world of research computing!

Wednesday was the next seminar in our short series.  This time it was the turn of John Kewley from STFC Daresbury who is the NGS helpdesk manager.  After a few technical issues, John spoke about the Certificate Wizard - a tool that the NGS produced to help people manage their grid certificate more easily and it seems to have worked.  There have been fewer helpdesk queries regarding certificates since the introduction of the tool.

Yesterday morning I took part in the steering group for the forthcoming Software Sustainability Institute Collaboration Workshop.  This is always a really enjoyable conference as it's 2 days of full interactive discussion and networking.  If you go to a conference to get peace and quiet to read your email then this isn't for you!  Every session is a group discussion session apart from when the groups report back to the conference as a whole.  There are some really interesting topics for discussion this year, all of which have been suggested by the attending delegates.  If you would like to attend and you are a software developer then have a look at this as you may be able to get a free place and a contribution towards your expenses.

Thursday 2 February 2012

One down two to go

Yesterday saw the first presentation in our short seminar series concentrating on the recent developments in the UK for accessing and managing grid resources.

I'm pleased (and relieved!) to say that it went well with Mike Jones from the University of Manchester giving a presentation on "Shibboleth Access to Resources on the NGS".  We had 28 individuals join us on Evo from all over the world including Russia, Italy, USA and Switzerland.  It was good to see that our seminar was of interest to people internationally as well.

The next seminar will take place on Wednesday 8th Feb at 10.30am (GMT) and will be looking at the Certificate Wizard which makes it easier for users to manage their certificates.  If you would like to take part in the seminar either by Access Grid or Evo then please see the event listing on our website.  You can also RSVP on our Facebook event page.

The seminars have been recorded and it is our aim to have these recordings available on the NGS website at the end of the seminar series.

Thursday 26 January 2012

Interested in accessing and managing grid resources?

If so then read on!

The NGS is hosting a short but sweet seminar series starting next Wednesday (1st Feb).  There will be 3 seminars over the 3 weeks each lasting approximately 30 minutes and the best thing about them is that you can join in no matter where you are - all you need is the internet!

We wanted to make the seminars as open to everyone as we possibly could and, after some deliberation, we decided to use the Evo technology.  This is free for everyone to use - all you have to do is to register and I recommend doing this at least the day before.  This isn't anything to do with Evo's registration process more that it took several hours for my university email system to allow my confirmation email through...

So what are the topics that we will be discussing?

1st February - Shibboleth Access to Resources on the NGS – Mike Jones, NGS, University of Manchester
This talk will demonstrate how it is possible to access and use NGS resources using institutional login credentials (via the UK Access Management Federation).  It will describe how the UK's two main e-Science authentication systems are combined to form an easy to use yet robust identity management environment.  It will discuss how this mechanism links together with system, project and Virtual Organisation (VO) registration procedures.

8th February - Certificate Management in the UK - John Kewley, NGS, STFC Daresbury Laboratory
The NGS helpdesk receives many tickets relating to certificates (and certificate renewal in particular): largely due to browser incompatibilities.  In order to tackle this problem, the NGS has devised CertWizard which is a browser-independent certificate tool.  The presentation will give an introduction to the UK e-Science CA, which has issued over 30,000 certificates, and its associated software and interfaces, including CertWizard.
It will show how modernisations are being made at various stages of the certificate lifecycle, making it easier than ever for users to manage their e-Science Certificate.

15th February - Moonshot - next generation federated identity - Josh Howlett, JANET
Federated identity yields significant benefits for users and services by increasing the usability of services, reducing identity management costs and improving regulatory compliance.
A number of different technical strategies for federating identity have emerged during the past decade, with differing levels of success. These technologies address different types of use case, resulting in significant complexity for both users, services and trust infrastructure providers.
This complexity impedes the adoption of services and increases operational costs. Moreover, there are many use cases where these technologies do not provide a solution.
Project Moonshot is an ambitious Janet-led initiative, building on existing deployed technologies, that aims to develop a single unified and standardised approach that satisfies all of the authentication and authorisation requirements of the education & research community. Much of the technology has now been implemented, and is now being tested within the Janet Moonshot Technology Pilot.
This presentation will provide an overview of some of the motivating use cases for Moonshot and an overview of the technology and the implementation.

Full details of how to join the seminars are available on the NGS website event page but if you have any queries then please contact the helpdesk and we will do our utmost to help you join in.

Thursday 19 January 2012

It's that time of year again...

My inbox seems to be full of emails regarding conference calls for papers, early bird registrations, conference deadlines etc.  Yes it's conference preparation season and it's in full swing!

I received confirmation today that I'll be giving a paper at the forthcoming EGI Community Forum on our champions networks.  I'll be talking about both our Campus and Community champion networks and how we work with each other to promote e-infrastructure in the UK.  Several other NGS staff have also had papers accepted on topics including "Linking Authenticating and Authorising Infrastructures in the UK NGI (SARoNGS)" (Mike Jones) and "Tweaking the Certificate Lifecycle for the UK eScience CA" (John Kewley).

Also in my inbox this week was an announcement from the Software Sustainability Institute (SSI) announcing that registration for their Collaboration Workshop 2012 (CW) is now open.  This is one of my favourite events as, unlike most conferences, you don't sit passively listening.  The CW consists of breakout groups where you discuss topics submitted by the attendees and there's always one of interest to me in every session.  After the discussion a member of the break out group volunteers to report back to the CW as a whole.  This means that you get to hear what all the other break out groups were talking about and you can still feedback on their outcomes as well.

It's a really lively meeting and you leave after 2 days feeling tired but feeling that you've achieved something worthwhile!  It's also a great place for networking with new people as there are researchers from a wide variety of research areas, IT people, community support people and people like myself who represent national initiatives.  To see some of the topics already suggested for discussion visit the event website.

Thursday 12 January 2012

Just in case you missed it....

A new edition of the quarterly NGS newsletter was released in December so if you missed it in the pre-Christmas rush, now is a chance to catch up!

This edition featured articles on -
  • the adoption of Globus Online by the NGS
  • NGS involvement in the EGI Federated Cloud Task Force and the benefits for NGS users
  • NGS user case study - Scalable Road Traffic Monitoring using Grid Computing
  • ...and more!
I am always looking for new articles or suggestions for articles for the newsletter so if you have anything you would like to see in the next edition (March) then please let me know.  The next edition will coincide with conference season so copies of the newsletter will be distributed at the forthcoming SSI Collaboration Workshop and the EGI Community Forum.

Thursday 5 January 2012

Happy new year!

I hope you all had a good Christmas and New Year break.

It's back to work and planning for the future here at the NGS with several future events on my to do list. 

At the end of last year I finished off the last of our user case studies which highlight how our users have used NGS resources and the advantages it has brought them.  The full set of case studies numbers 29 with the latest arrivals listed below -
The next set of case studies are at the planning stage but these will take a slightly different direction.  The next set of case studies will look at how the NGS is working with large national and international projects to fulfill their objectives. 

Also on the horizon is Easter conference season with several events coming up including the EGI Community Forum which will take place in Munich in March.  Several NGS staff have submitted abstracts to this event highlighting work we have carried out in various areas including champion networks, authorisation and authentication.

The week before Munich is the Software Sustainability Institute Collaboration Workshop which you may remember from previous years.  This year the event will be held in Oxford and the NGS is involved in several ways including holding a session for our SeIUCCR Community Champions.  Watch this space for more information!

Apart from attending other organisations' events I have one of our own to organise.  Following the success of last year's SeIUCCR e-infrastructure summer school, we will be holding another summer school this year.  After the deluge of applications we had last year, I am planning to advertise earlier this year to give a little more time to go through all the applications!  Again keep an eye on the NGS website and our mailing list for more information.