Figure 1. Chain of Trust in a grid environment. The use of Proxy Certificates allows the user to delegate tasks without exposing her private key, since each Proxy Certificate has its own unique keypair.
Most GSI-based grid applications can recognize PCs and will trust the credential as long as the chain of trust leads back to the original user and a trusted CA. A detailed scheme of the whole chain of certificates involved in identity verification is shown in Figure 1.

Additionally, grids and VOs may use special authorization services to handle fine-grained role-based access control. For example, OSG VOs use a Virtual Organization Management Service (VOMS) (Ciaschini, 2004) to generate and sign an Attribute Certificate that contains one or more Fully Qualified Attribute Name (FQAN) strings, linked to the user's subject DN. This FQAN is embedded in the user's proxy certificate as an X.509v3 extension and defines that user's role within the VO. VOMS proxies can be used to manage roles and levels of access to resources, while using the same identity principal (user certificate) across the grid.
PKI RESOURCE DISCOVERY IN GRIDS

To use these more general PKIs, applications must be capable of finding and using services and data repositories provided by Certification Authorities. Unfortunately, even the retrieval of the list of revoked certificates (CRLs) is still a problem when dealing with CAs from different hierarchies or loosely coupled PKI meshes.

Grid PKIs can become rather complex, and the number of grid CAs accredited by the Policy Bodies (which are relatively young) is expected to grow in the near future. Indeed, as long as policies and common practices are established and well understood, the number of accredited CAs should increase into the hundreds, thus increasing the need for a standardized solution for a PKI resource discovery system.

Current Data Distribution. Currently, the mechanism for querying the trusted providers is fairly simple: administrators and users download a trusted CA distribution. This can either happen as part of a manual process, or it can be included within the grid software distribution (such as the Open Science Grid software stack). This packaged data consists of a set of accredited CAs. (Accreditation is done by peer review in the various policy bodies.)

Because of the need to provide users and administrators with additional data besides the CA certificates, the downloaded package includes extra files. In particular, for a given CA, the package typically includes the following static information: the CA certificate, the .info file, a CRL URL file, a namespaces file, and a signing policy file.

The .info file contains general CA information along with contact information (including a URL). Applications can use information in the .info file to contact the CA. An example of a distributed .info file is shown in Figure 2. Some of the information distributed in this file (e.g. url, email or status) is required by applications and users to find details about the CA. The CRL URL file contains a URL pointer from where one would download the CRL. All accredited IGTF classic CAs provide this file. Sites and users build revocation lists by periodically querying the information in the CRL URL file and downloading
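As an added example (not the chapter's own code), a small Python auditor for the per-CA files of a trusted CA distribution as described above: it parses the .info file (assumed here to be "key = value" lines with "#" comments) and the CRL URL file (assumed to hold one URL per line), then flags any CA whose .info lacks the url, email or status fields the text calls required, or whose CRL URL is missing or malformed, since such a CA can neither be contacted nor checked for revocation. The sample files are constructed.

```python
from urllib.parse import urlparse

REQUIRED_INFO_KEYS = ("url", "email", "status")  # fields the text says applications need

def parse_info(text):
    """Parse 'key = value' lines (assumed layout); '#' starts a comment."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def parse_crl_urls(text):
    """One CRL URL per non-comment line (assumed layout)."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]

def check_ca(alias, info, crl_urls):
    """Problems that stop a site from contacting this CA or checking revocation."""
    problems = []
    for key in REQUIRED_INFO_KEYS:
        if not info.get(key):
            problems.append(f"{alias}: .info lacks '{key}'")
    if not crl_urls:
        problems.append(f"{alias}: no CRL URL, revocation cannot be checked")
    for url in crl_urls:
        p = urlparse(url)
        if p.scheme not in ("http", "https") or not p.netloc:
            problems.append(f"{alias}: malformed CRL URL {url!r}")
    return problems

def audit(files):
    """files maps 'alias.info' / 'alias.crl_url' to contents; returns alias -> problems."""
    return {
        alias: check_ca(alias,
                        parse_info(files.get(f"{alias}.info", "")),
                        parse_crl_urls(files.get(f"{alias}.crl_url", "")))
        for alias in sorted({name.rsplit(".", 1)[0] for name in files})
    }

# Constructed sample distribution: one complete CA, one with gaps.
SAMPLE_FILES = {
    "GoodCA.info": "alias = GoodCA\nurl = https://ca.example.org/\n"
                   "email = ca@example.org\nstatus = accredited:classic\n",
    "GoodCA.crl_url": "https://ca.example.org/crl/GoodCA.crl\n",
    "WeakCA.info": "alias = WeakCA\nurl = https://weak.example.org/\nstatus = accredited:classic\n",
    "WeakCA.crl_url": "# URL not yet filled in\nca.example.org/GoodCA.crl\n",
}
```

Running `audit(SAMPLE_FILES)` reports GoodCA as clean and lists the missing email and the scheme-less CRL URL for WeakCA.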