AUTHENTICATION IN VIRTUAL ORGANIZATIONS
from the way VOs differ in policies, infrastructures and resource control.

Consider the situation where access to grid resources is managed via a Web portal. The portal can use SSL to provide strong mutual authentication, between client and server, based on grid-approved PKI credentials. To do this, the portal administrator needs to set up the SSL Trust List to only allow credentials from approved CAs; the portal also needs to know how to validate the entire trust chain for that credential (that is, the end entity certificate presented, its issuer and the issuer's issuer, and so forth) up to the approved self-signed grid trust anchor.

To do this validation, the portal needs to know how to access services such as the location of the CA certificate and revocation data for each of these intermediate CAs. However, the portal cannot count on having pre-configured details for them. Even if it did (or if the information was packaged in each end entity certificate), this information may change over time, rendering this critical data stale. Having some way to dynamically discover service entry points of interest for grid-approved authorities (or indeed, the very authorities themselves) would solve a number of issues and would also provide for more flexible implementation options for the grid authorities, potentially lowering the costs of future service changes, and facilitating the future offering of additional services.
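The portal-side check just described, as an added example that is not code from the paper, the TACAR project or PRQP: a Go program using only the standard crypto/x509 package. It builds a constructed hierarchy (Grid Trust Anchor -> Member Site CA -> user alice, plus an unrelated root; all names and validity periods are demo values) and shows that a credential is accepted only when its chain reaches an anchor on the approved trust list, and that the same valid credential is rejected when the portal does not hold the intermediate CA certificate, which is the discovery gap described above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues an Ed25519 certificate for cn: self-signed (a trust anchor) when parent is nil, else signed by parentKey.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{ // demo values: one-day validity, clock-based serial
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // the CA flag is what lets Verify accept it as an issuer
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // errors ignored: fixed demo inputs
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// ChainValid is the portal-side check: the presented certificate must chain, via the intermediates the portal holds,
// to an anchor on its approved SSL trust list. Verify checks signatures, validity dates and CA constraints on the way.
func ChainValid(leaf *x509.Certificate, intermediates, anchors []*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// Demo: grid anchor -> member site CA -> alice, plus an unrelated root. Reports whether alice passes with her full chain,
// fails against a trust list holding only the unrelated root, and fails when the portal lacks the site CA certificate.
func Demo() (approvedOK, unapprovedRejected, missingIntermediateRejected bool) {
	root, rootKey := makeCert("Grid Trust Anchor", true, nil, nil)
	siteCA, siteKey := makeCert("Member Site CA", true, root, rootKey)
	alice, _ := makeCert("alice", false, siteCA, siteKey)
	other, _ := makeCert("Unapproved Root", true, nil, nil)
	chain, anchors := []*x509.Certificate{siteCA}, []*x509.Certificate{root}
	return ChainValid(alice, chain, anchors), !ChainValid(alice, chain, []*x509.Certificate{other}), !ChainValid(alice, nil, anchors)
}
func main() { fmt.Println(Demo()) }
```

The third result is the point of the discovery problem: alice's credential is perfectly valid, yet a portal that cannot obtain the Member Site CA certificate has no way to complete the chain and must refuse her.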
Our Solution Path. In order to help VOs to more efficiently address PKI interoperability issues, we have started a collaboration with the TACAR project to foster the adoption of the PKI Resource Query Protocol (PRQP), which enables discovery of resources and services in inter-PKI and intra-PKI environments. Although PRQP provides a viable solution for immediate deployment, in this paper we extend this solution by advocating for the adoption of a Public Key System (PKS) in order to provide support for VO authentication over the Internet.
Computational grids provide researchers, institutions and organizations with many thousands of nodes that can be used to solve complex computational problems. To leverage collaborations among entities, users of computational grids are often consolidated under very large Virtual Organizations (VOs).

Participants in VOs need to share resources, including data storage, computational power and network bandwidth. Because these resources are valuable, access is usually limited, based on the requested resource and the requesting user's identity. In order to enforce these limits, each grid has to provide secure authentication of users and applications.

Erroneously granting access to unauthorized or even malicious parties can be dangerous even within a single organization, and is unacceptable in such large VOs.

Moreover, the dynamic nature of grid VOs requires the authentication mechanisms to be flexible enough to easily allow administrators to manage trust and quickly re-arrange resource-sharing permissions. Indeed, VOs are usually born from the aggregation of already existing organizations and constitute an umbrella that groups the participating organizations rather than replacing them. For example, large VOs like the ATLAS and CMS Large Hadron Collider collaborations may be distributed across multiple organizational and national boundaries. Authentication must allow individual organizations to maintain control over their own resources.

The Problem. When participating in a VO, an organization must solve the problem of securely identifying resource requesters that come from outside its boundaries. PKIs offer a powerful and flexible tool to solve the potential authentication nightmare. Nonetheless, grid and VO administrators are still striving to find an acceptable solution to address interoperability issues that originate