exception being when the Domain Component (DC) attributes are used in the certificate's Subject. Fortunately, with the recent deployment of DNSSEC (Arends, R.; Austein, R.; Larson, M.; Massey, D. & Rose, S., 2005; Weiler, S. & Ihren, J., 2006) services and their integration with current OSes, some of the trust considerations related to local service discovery via DNS records will soon be solved.

However, this approach can be successfully adopted in VOs where a centralized policy body could provide the RQA configurations on behalf of the whole VO.

Finally, we want to point out that other mechanisms will be available to discover LAN-provided services in IPv6 (Deering, S. & Hinden, R., 1998), based on simply pinging reserved IP addresses in the local segment.
INTEGRATING PRQP INTO GRIDS
In our work toward dynamic discovery of PKI-related services for computing grids, we analyzed the security requirements and the current challenges in distributing pointers to authentication data. To ease the administrators' burden and to provide a more efficient way to distribute resource locators, we extended the PRQP specification with grid-specific support. In particular, these extensions provide an interoperable method to distribute information about the services a CA provides. Although some solutions already exist in the computing grid environment (e.g., the monthly IGTF/TACAR update), our work addresses the problem by providing a more standardized solution that allows better interoperability between organizations (as discussed earlier).

OpenCA's LibPKI (OpenCA, 2008a) provides an updated implementation of the full PRQP protocol. At present, a PRQP server is also available as a stand-alone application (OpenCA Labs, 2008c) and is freely downloadable.² The GSI-based security layer, used across several major grids and VOs, is built on top of the OpenSSL library, a widely used open-source library. Since GSI is based on standard PKI mechanisms, it plugs nicely into the PRQP model. A PRQP client can be implemented at the GSI layer using callouts; we plan to implement this in the future.

Grid-Specific Resources. In order to better leverage PRQP in the Grid environment, we defined a set of object identifiers (OIDs) that enhance PRQP with the ability to provide grid-specific data distribution. Because grid communities organize themselves in VOs that accept common authentication profiles (such as those of the IGTF), it has been easy to analyze the requirements and identify the needed enhancements to PRQP.

Besides identifying the OIDs for general PKI operations (e.g., HTTP-based or browser-specific services, CA "communication gateways", etc.),³ we also defined some grid-specific pointers (see Table 1).

The accreditationBody and accreditationPolicy pointers can be used to specify the bodies and the policies (or profiles) under which a CA has been accredited. In addition to these, we also defined the commonDistributionUpdate and accreditedCACertificates OIDs. These identifiers carry pointers to the most recent Grid distribution data (the former) and to the set of accredited CA certificates (the latter).

One interesting feature of PRQP is its flexibility. It provides CA management with a dynamic model to add services or, if needed, to switch to newer and more efficient ones. This feature becomes of primary concern in grids, where grid-specific services have not yet been standardized.

CAs can leverage PRQP's flexibility to provide dynamically updated information about their accreditation status to applications via the accreditationStatus pointer. The set of grid-specific pointers we introduced gives the VO more flexible trust options in choosing the set of CAs it trusts. For instance, besides the generally accepted IGTF distribution,
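To make the pointer mechanism concrete, here is an added example (not code from this page, nor from OpenCA's LibPKI or its PRQP server) of a PRQP-style exchange in Python: the client asks a responder, for one CA, about several of the grid-specific pointers named above; the responder answers only the OIDs it is configured for and leaves the rest out; and the client refuses to use any pointer until the response's integrity check passes. The OID values under a made-up private arc, the CA identifier (a SHA-1 of the certificate bytes), the status codes, the URIs, the sample certificate and the use of HMAC-SHA256 in place of the responder's real signature are all assumptions made for the example; the DER encoding of OIDs and TLVs is the standard one.

```python
"""Toy PRQP-style pointer query with grid-specific OIDs (added example)."""
import hashlib
import hmac

# Hypothetical OID values for the grid-specific pointers named in the text.
# The real arc values are not given on this page; these are assumptions.
GRID_POINTERS = {
    "accreditationBody":        "1.3.6.1.4.1.99999.1.1",
    "accreditationPolicy":      "1.3.6.1.4.1.99999.1.2",
    "commonDistributionUpdate": "1.3.6.1.4.1.99999.1.3",
    "accreditedCACertificates": "1.3.6.1.4.1.99999.1.4",
    "accreditationStatus":      "1.3.6.1.4.1.99999.1.5",
}
NAME_OF = {v: k for k, v in GRID_POINTERS.items()}
SEQ, OID, OCTETS, ENUM, IA5 = 0x30, 0x06, 0x04, 0x0A, 0x16   # DER tags used below


def encode_oid(dotted):
    """DER content octets of an OBJECT IDENTIFIER (first two arcs merged, base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """Inverse of encode_oid."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(str(a) for a in [first, arcs[0] - first * 40] + arcs[1:])


def der(tag, content):
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def parse_sequence(content):
    """Split SEQUENCE content into (tag, body, raw_tlv) triples."""
    items, pos = [], 0
    while pos < len(content):
        start, tag, n = pos, content[pos], content[pos + 1]
        pos += 2
        if n & 0x80:
            k = n & 0x7F
            n = int.from_bytes(content[pos:pos + k], "big")
            pos += k
        items.append((tag, content[pos:pos + n], content[start:pos + n]))
        pos += n
    return items


def build_request(ca_cert_der, pointer_names):
    """Client: name one CA (SHA-1 of its certificate, a simplification of the
    protocol's CA identifier) and the list of pointer OIDs wanted for it."""
    ca_id = der(OCTETS, hashlib.sha1(ca_cert_der).digest())
    wanted = b"".join(der(OID, encode_oid(GRID_POINTERS[n])) for n in pointer_names)
    return der(SEQ, ca_id + der(SEQ, wanted))


def handle_request(request, db, key):
    """Responder: answer only the OIDs it has a URI for, then sign the payload.
    HMAC-SHA256 with a shared key stands in for the real signature (assumption)."""
    (_, ca_id, _), (_, oid_list, _) = parse_sequence(parse_sequence(request)[0][1])
    config = db.get(ca_id, {})
    status = 0 if ca_id in db else 1          # constructed codes: 0 = ok, 1 = unknown CA
    entries = b""
    for _, raw_oid, _ in parse_sequence(oid_list):
        uri = config.get(decode_oid(raw_oid))
        if uri:                                # unconfigured pointers are simply omitted
            entries += der(SEQ, der(OID, raw_oid) + der(IA5, uri.encode("ascii")))
    payload = der(SEQ, der(ENUM, bytes([status])) + der(SEQ, entries))
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return der(SEQ, payload + der(OCTETS, sig))


def verify_response(response, key):
    """Client: check the responder's signature before trusting any pointer."""
    (_, _, payload_raw), (_, sig, _) = parse_sequence(parse_sequence(response)[0][1])
    return hmac.compare_digest(hmac.new(key, payload_raw, hashlib.sha256).digest(), sig)


def read_response(response, key):
    """Client: return (status, {pointer name: uri}); refuse tampered data."""
    if not verify_response(response, key):
        raise ValueError("PRQP response signature check failed")
    (_, payload, _), _ = parse_sequence(parse_sequence(response)[0][1])
    (_, status, _), (_, entries, _) = parse_sequence(payload)
    pointers = {}
    for _, entry, _ in parse_sequence(entries):
        (_, raw_oid, _), (_, uri, _) = parse_sequence(entry)
        pointers[NAME_OF[decode_oid(raw_oid)]] = uri.decode("ascii")
    return status[0], pointers


# Constructed sample data: a fake CA certificate, the responder's pointer table
# for that CA (no accreditationPolicy configured), and the stand-in signing key.
CA_CERT = b"constructed sample CA certificate bytes"
RESPONDER_DB = {
    hashlib.sha1(CA_CERT).digest(): {
        GRID_POINTERS["accreditationBody"]: "https://accreditation.example/body",
        GRID_POINTERS["accreditedCACertificates"]: "https://dist.example/accredited-cas.tar.gz",
        GRID_POINTERS["accreditationStatus"]: "https://accreditation.example/status/ca1",
    }
}
KEY = b"constructed-responder-key"


def demo():
    req = build_request(CA_CERT, ["accreditationBody", "accreditationPolicy",
                                  "accreditationStatus"])
    return read_response(handle_request(req, RESPONDER_DB, KEY), KEY)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns status 0 with only the two configured pointers; the unconfigured accreditationPolicy OID is silently absent rather than answered with a guess, and an unknown CA yields status 1 and no pointers. The design point for a relying party is that a pointer carries no trust of its own: the client should act on a URI only after the responder's answer has been authenticated, which is the same concern the DNS-based discovery path above defers to DNSSEC.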