which serves all the organizations participating in the grid community.

This model is easily applicable when the VOs and grids share the same set of accredited Certification Authorities. In this case, the client application queries the central RQA to discover the needed information about the CAs participating in the VO. For this model to work, the central RQA must know the pointers for each and every CA recognized by the VO, and the RQA must be trusted by all the participating parties. The RQA can be configured to act as a trusted responder or, if every participating CA is willing to certify the RQA's key pair, as an authoritative responder.

It may be unrealistic to expect a policy authority (like IGTF) to operate a central RQA, which would require 24x7 support; however, the policy authority could easily delegate the operation to one of the more prominent accredited CA sites that are already geared for 24x7 services. The policy body would then simply need to require periodic assertions (or audits) confirming that the central service is operated correctly and with integrity.

In our PRQP deployment for TACAR we adopted a delegated model where the central RQA service is run by one of the accredited CAs. Moreover, to make it easier to keep the pointers each CA provides to the RQA administrators up to date, we provided a web-based configuration tool (integrated with the TACAR control panel) that allows CA administrators to easily add or update the URLs pointing to the services they provide. The configuration is then pushed to the RQA server and automatically deployed at regular intervals during the day.
interoperability is both needed and soon deployable. In particular, we have started working on the deployment of a distributed support system for trust infrastructures suitable for Internet-scale deployment and dynamic federation management, namely the Public Key System (PKS). To ease the roll-over from isolated PKI islands to globally available and locally configurable PKI services, this infrastructure will allow smooth co-existence and progressive integration with existing infrastructures.
The PKS, which we first designed in (M. Pala, 2010) and plan to develop and deploy for Grid authentication purposes first, is composed of three main parts: a DHT-based overlay network, a unified message format, and support for federated identities.
The PKS uses a peer-to-peer overlay network to route messages to the target CAs and federation authorities. In particular, we use a simplified version of the Chord protocol based on the PEACH (M. Pala and S. W. Smith, 2008) system. We selected this routing algorithm for two reasons. First, it already provides support for node identifiers based on public key certificates. Secondly, the PEACH protocol is easy to support from the developer's point of view: other protocols like Kademlia (Maymounkov, P., Mazieres, D., 2002) or P-Grid (Aberer, K., Mauroux, P.C., Datta, A., Despotovic, Z., Hauswirth, M., Punceva, M., Schmidt, R., 2003) might provide additional features at a greater implementation cost.
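As an added illustration of the routing layer just described (example code written for this page, not code from the chapter or from the PKS/PEACH implementation): a minimal Chord-style ring in which every node's identifier is derived from its certificate, and a resource query is routed to the node whose identifier matches the target CA's certificate. The 16-bit identifier space, the SHA-256 derivation and the sample certificate byte strings are assumptions, and the simplifications PEACH makes to Chord are not reproduced.

```python
import hashlib

M = 16          # identifier bits (assumption; small enough to inspect by hand)
RING = 1 << M

def node_id(cert_der: bytes) -> int:
    """Ring identifier derived from a certificate (assumed: SHA-256 truncated to M bits)."""
    return int.from_bytes(hashlib.sha256(cert_der).digest(), "big") % RING

def between(x: int, a: int, b: int) -> bool:
    """True if x lies in the half-open ring interval (a, b], with wrap-around at 0."""
    return a < x <= b if a < b else (x > a or x <= b)

class Node:
    def __init__(self, cert_der: bytes):
        self.id = node_id(cert_der)
        self.successor = self
        self.fingers = []  # fingers[i] = first node at or after (id + 2**i) mod RING

    def closest_preceding(self, key: int) -> "Node":
        # Farthest finger that still lies strictly before key on the ring, else self.
        for f in reversed(self.fingers):
            if between(f.id, self.id, key) and f.id != key:
                return f
        return self

    def find_successor(self, key: int, hops: int = 0) -> tuple:
        """Return (node responsible for key, hops taken); each hop at least halves the distance."""
        if between(key, self.id, self.successor.id):
            return self.successor, hops + 1
        nxt = self.closest_preceding(key)
        if nxt is self:  # safety net; never taken once finger tables are complete
            nxt = self.successor
        return nxt.find_successor(key, hops + 1)

def build_ring(certs: list) -> list:
    """Build a stabilised ring (successor pointers and finger tables) from certificates."""
    nodes = sorted((Node(c) for c in certs), key=lambda n: n.id)
    def successor_of(key):  # first node at or after key, wrapping to the lowest id
        return next((n for n in nodes if n.id >= key), nodes[0])
    for n in nodes:
        n.successor = successor_of((n.id + 1) % RING)
        n.fingers = [successor_of((n.id + (1 << i)) % RING) for i in range(M)]
    return nodes

def route_query(origin: Node, target_cert: bytes) -> tuple:
    """Route a PKI resource query from origin to the CA node identified by target_cert."""
    return origin.find_successor(node_id(target_cert))

# Constructed sample: byte strings standing in for DER-encoded CA certificates.
CA_CERTS = [f"constructed CA certificate {i}".encode() for i in range(8)]
```

Calling `route_query(build_ring(CA_CERTS)[0], CA_CERTS[5])` returns the node whose identifier equals `node_id(CA_CERTS[5])` together with the hop count, which stays within M + 1 because each hop at least halves the remaining ring distance.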
A collaborative Approach. In our previous work, we designed and prototyped a scalable system for PKI resource look-up. In (M. Pala and S. W. Smith, 2008) we introduced a new peer-to-peer overlay network that makes use of a Distributed Hash Table routing protocol (namely, PEACH). Results from this work demonstrated that PKIs can make effective use of peer-to-peer technologies and paved the way for the next steps in this new field. Building on our previous work, we extended this approach to provide a support system for Public Key trust infrastructures
TOWARDS GLOBAL GRID AUTHENTICATION
Our experience with PRQP provided us with the idea that an Internet-wide service aimed at enhancing trust-infrastructure deployment and