(M. Pala, 2010) allows clients to sensibly reduce the list of trust anchors (or Trusted Certification Authorities). In particular, by trusting the PK-FA certificate, a client can dynamically discover whether a CA is part of the trusted federation and, if so, can use the PKS to correctly route requests about the provided PKI services.

Since the source of trust is the PK-FA, trust is built by combining the PK-FA response with the usual certificate validation of the certificate being verified. The use of dynamically generated PK-FA responses allows infrastructures to dynamically join or leave federations. In fact, although there is no direct certification link between the PK-FA (the trusted entity) and the certificate to be verified, trust (from a federation point of view) flows from the signed PK-FA response, as it identifies the certificate's issuing CA as part of the trusted federation. In other words, the PK-FA provides a technical bridge that allows an application to verify an organization's compliance with a well-known policy without the need for cross-certification among trust infrastructures.

This allows applications to implement user-friendly trust anchor management systems based on the idea of federation (e.g., the Banking Federation, the Credit Cards Association, etc.).
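The trust decision described above, as an added example that is not code from the paper or from any PK-FA, PKS or PRQP implementation: a Go program in which the client's only configured trust anchor is the PK-FA key, and a certificate is accepted only when (1) a signed, unexpired PK-FA response names its issuing CA as a federation member and (2) ordinary X.509 path validation succeeds with that CA as the root. The response encoding, the Ed25519 signature, the SHA-256 certificate fingerprint as CA identifier, the federation name and the CAs and end-entity certificates are all assumptions constructed for this example; the page does not give the real PK-FA response format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// FederationResponse is a constructed, simplified stand-in for a signed PK-FA response
// (assumed format): the CA whose DER certificate hashes to CAFingerprint belongs to Federation until NotAfter.
type FederationResponse struct {
	Federation, CAFingerprint string
	NotAfter                  time.Time
	Signature                 []byte // Ed25519 over tbs()
}

// tbs is the to-be-signed encoding, in a fixed field order so both sides hash the same octets.
func (r *FederationResponse) tbs() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", r.Federation, r.CAFingerprint, r.NotAfter.Unix()))
}

// Fingerprint identifies a CA by the SHA-256 of its DER certificate.
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// SignFederationResponse is the PK-FA side: vouch that ca is a member of federation.
func SignFederationResponse(priv ed25519.PrivateKey, federation string, ca *x509.Certificate, notAfter time.Time) *FederationResponse {
	r := &FederationResponse{Federation: federation, CAFingerprint: Fingerprint(ca), NotAfter: notAfter}
	r.Signature = ed25519.Sign(priv, r.tbs())
	return r
}

// VerifyFederated is the client side. The issuing CA is used as the root for this one
// validation solely because an authentic, fresh PK-FA response names it; no cross-certification.
func VerifyFederated(leaf, issuer *x509.Certificate, pkfaPub ed25519.PublicKey,
	federation string, resp *FederationResponse, now time.Time) error {
	switch { // 1. authenticate the PK-FA response and check that it covers this issuer
	case !ed25519.Verify(pkfaPub, resp.tbs(), resp.Signature):
		return errors.New("PK-FA response: bad signature")
	case now.After(resp.NotAfter):
		return errors.New("PK-FA response: expired")
	case resp.Federation != federation:
		return fmt.Errorf("PK-FA response: federation %q, want %q", resp.Federation, federation)
	case Fingerprint(issuer) != resp.CAFingerprint:
		return errors.New("issuing CA is not vouched for by the PK-FA")
	}
	roots := x509.NewCertPool() // 2. ordinary path validation with the vouched-for CA as the root
	roots.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// DemoNow is the fixed "current time" at which the constructed fixtures below are valid.
var DemoNow = time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewPKFAKey generates an Ed25519 key pair for a hypothetical PK-FA (fixture).
func NewPKFAKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return pub, must(priv, err)
}

// Issue creates an ECDSA P-256 certificate signed by parent (fixture); parent == nil yields a self-signed CA.
func Issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: cn}, NotBefore: DemoNow.Add(-time.Hour),
		NotAfter: DemoNow.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	pkfaPub, pkfaPriv := NewPKFAKey()
	memberCA, memberKey := Issue("Member CA (constructed)", nil, nil)
	outsiderCA, outsiderKey := Issue("Outsider CA (constructed)", nil, nil)
	alice, _ := Issue("alice", memberCA, memberKey)
	mallory, _ := Issue("mallory", outsiderCA, outsiderKey)
	resp := SignFederationResponse(pkfaPriv, "example-federation", memberCA, DemoNow.Add(time.Hour))
	fmt.Println("member CA leaf:  ", VerifyFederated(alice, memberCA, pkfaPub, "example-federation", resp, DemoNow))
	fmt.Println("outsider CA leaf:", VerifyFederated(mallory, outsiderCA, pkfaPub, "example-federation", resp, DemoNow))
}
```

The order of the checks is the point: the client never adds a CA to its root set until the PK-FA response for exactly that CA has been authenticated, so a leaf from a CA the PK-FA has not named fails before path validation is attempted, and a CA that leaves the federation stops being accepted as soon as the last response naming it expires, which is the dynamic join/leave behaviour described above. The federation-name check guards against a valid response for a different federation being replayed against this application's policy.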
CONCLUSION

In our work we provide a description of the grid authentication layer. We also provide an overview of the issues that grids and virtual organizations face every day in distributing the crucial information that enables the use of digital certificates.

Our work also analyzes the current status of the PKI Resource Query Protocol and describes the TACAR experience in integrating the protocol into an existing infrastructure.

We believe that PRQP can provide an effective solution to the PKI services pointer distribution issue, especially in virtual organizations where a common authentication layer exists. The PRQP introduces a new layer of indirection that allows mapping of PKI resource discovery to network addresses. Today, no existing software provides such a flexible service. In fact, no deployed infrastructure exists that provides an efficient and interoperable PKI resource-discovery service.

Building on top of our experience with PRQP deployment, we focused on allowing for improved interoperability among trust infrastructures by introducing the Public Key System (PKS) and its promising characteristics toward an Internet-wide support infrastructure for federated identities.

ACKNOWLEDGMENT

The authors would like to thank the IGTF members for their contribution and inspiring suggestions. This work was supported in part by CISCO; the NSF (under Grant CNS-0448499); the U.S. Department of Homeland Security (under Grant Award Number 2006-CS-001-000001); and the Director, Office of Science, Office of Advanced Scientific Computing Research of the U.S. Department of Energy (under Contract No. DE-AC02-05CH11231). The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of any of the sponsors. A preliminary version of this work appeared as Pala et al., “Extending PKI Interoperability in Computational Grids,” 8th IEEE International Symposium on Cluster Computing and the Grid.