Information Technology Reference
In-Depth Information
Gudgin, J.-J. Moreau, H. Nielsen, 2007),
WSDL
(E. Christensen, F. Curbera, G. Meredith, and S.
Weerawarana, 2001; R. Chinnici, M. Gudgin, J.-J.
Moreau, and S. Weerawarana, 2005) and
UDDI
(L. Clement, A. Hately, C. von Riegen, and T.
Rogers, 2004) or they are specifically targeted
to local area networks---e.g.,
Jini
(W. Edwards,
2000; K. Arnold, 2000)
UPnP
(UPnP Forum,
2008; M. Jenronimo and J. Weast, 2003) or
SLP
(E. Guttman, C. Perkins, and J. Kempf, 1999; E.
Guttman, 1999).
private key). If the CA can be subverted, then the
security of the entire system is lost; likewise, if
an end entity is negligent, then the security and
trust associated with their particular credential
could be lost.
The degree to which a relying party can trust the
binding embodied in a digital certificate depends
on several factors. These factors can include the
practices followed by the certification authority
in authenticating the subject; the CA's operating
policy, procedures, and security controls; the scope
of the subscriber's responsibilities (for example,
in protecting the private key); and the stated re-
sponsibilities and liability terms and conditions of
the CA (e.g warranties, disclaimers of warranties,
and limitations of liability). The processing of
information contained in these multiple complex
documents for the purpose of making a trust
decision about each PKI involved is too onerous
for the average user. Relying parties therefore
usually accept recommendations from trusted
accreditation bodies about the relative trustwor-
thiness and suitability of credentials being issued
by a particular CA. For grids, those accreditation
bodies are the three regional PMAs that constitute
the IGTF.
TAGPMA
is the accreditation authority
for the Americas (covering a geographical region
from Canada to Chile).
TAGPMA conducts peer reviews of grid CA
operations. A grid CA can be accredited as a grid
credential issuer after TAGPMA reviews their
Certificate Policy (CP)
and
Certification Prac-
tices Statement (CPS)
to ensure that the practices
implement the policies and that the policies are
equivalent to standard approved grid profiles. Once
approved, the CA and associated information is
packaged for official distribution for IGTF rely-
ing parties. Re-review of a CA is conducted on a
periodic basis to ensure they are still compliant
with the standard grid profiles.
Not all grid CA accreditation applicants are
able to map their existing policies and practices
to an approved IGTF profile. However, a relying
party may still wish to accept the credentials of
TRUST AND CERTIFICATION
POLICIES
The use of a standardized and well-established
technology such as public key certificates has
enabled applications such as browsers to facilitate
ease of use within grids. However, especially when
integrating credentials from different authorities,
an important aspect to consider is the policies
under which those credentials have been issued.
Although a PKI potentially provides the benefit
of strong binding of identities to public keys, the
strength of that binding is really dependent on
the policies and practices followed by the issuing
authority, and the subscribers.
A CA is a trusted third party entity which is-
sues digital certificates for use by relying parties.
In a certificate, the CA attests that the public key
matches the identity of the owner of the corre-
sponding private key, and also that any other data
elements or extensions contained in the certificate
match the subject of the certificate. The obliga-
tion of a CA (and its registration authorities) is to
verify an applicant's credentials, so that relying
parties can trust the information contained in the
certificates it issues. If a relying party trusts the
CA and can verify the CA's signature, then it can
also verify that a certain public key does indeed
belong to whoever is identified in the certificate (as
long as they accept this, the end entity is fulfilling
its responsibilities with respect to protecting the
Search WWH ::
Custom Search