AUP Signing: A Component for User Authorization (Authorization Working Group)
Concepts: CA's
• CA's are not GRID-specific
• CA's cannot impose a GRID AUP
• CA's only provide authentication
• Emit personal and host certificates
• Emit CRL's
• Maintain & publish these data (http, LDAP)
Concepts: VO's
• VO's are GRID-specific
• (May) impose an AUP on GRID users
• VO's must only (?) provide authorization
• must rely on CA's for authentication
  • including CRL's and expiration dates
• (may) verify AUP subscription by users
• grant resource access to GRID users
AUP subscription
A user is granted access to GRID resources (i.e. is authorized by her VO) if she subscribes to the AUP
• The AUP subscription validity must be limited in time
• The upper limit of the validity of the AUP subscription is the expiration date of the user certificate
• The VO's must also take the CA CRL's into account
AUP Subscription: a Proposal
• Secure (e.g. https) form (on VO server) containing:
  • AUP statement
  • Accept button to be clicked by the user
• Form tasks:
  • User validation
  • User AUP subscription certification
  • User information update in the VO tree
Form Details
• User validation (is a VO user?)
• User certificate validation (expiration, check against CRL)
• Creation of a "certificate" for the user signed by the server itself
• Insertion of the "certificate" in the LDAP VO tree
• The "certificate" will be checked by the mkgridmap program and alike
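The following is an added example, not code from the slides or from the working group's PHP form, showing the decision logic of the "AUP subscription" and "Form Details" slides end to end: VO membership check, certificate expiration and CRL check, the validity window capped at the user certificate's expiration date, the server-signed AUP "certificate", and the checks an mkgridmap-like consumer should make before mapping the DN. Assumptions: the VO membership list, CRL serials, DNs, AUP period and server secret are constructed placeholders; HMAC-SHA256 with a server-held secret stands in for the OpenSSL signature the slides describe; the record layout is invented here.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the slides): VO membership list, the
# serials a CA has revoked, the maximum AUP subscription period, and the
# VO server's signing secret (placeholder).
VO_MEMBERS = {"/C=IT/O=INFN/CN=Alice Example"}
CA_CRL = {"0x0BAD"}
AUP_PERIOD = timedelta(days=365)
SERVER_SECRET = b"vo-server-signing-key-placeholder"


@dataclass(frozen=True)
class UserCert:
    """The fields of the user's CA-issued certificate that the form needs."""
    subject: str
    serial: str
    not_after: datetime


def validate_user(cert, now, members=VO_MEMBERS, crl=CA_CRL):
    """'Form Details' checks: VO membership, expiration, CRL.
    Returns None when the user may subscribe, otherwise the refusal reason."""
    if cert.subject not in members:
        return "not a VO user"
    if cert.not_after <= now:
        return "certificate expired"
    if cert.serial in crl:
        return "certificate revoked"
    return None


def aup_validity_end(cert, now, period=AUP_PERIOD):
    """Subscription validity is limited in time and can never outlive
    the user certificate (the slide's upper limit)."""
    return min(now + period, cert.not_after)


def _mac(payload):
    # Stand-in for the server's OpenSSL signature (assumption, see lead-in).
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def sign_aup_subscription(cert, now, aup_version="AUP-v1"):
    """Build the server-signed AUP 'certificate' to be stored in the LDAP VO tree."""
    reason = validate_user(cert, now)
    if reason is not None:
        raise ValueError(reason)
    record = {
        "subject": cert.subject,
        "serial": cert.serial,
        "aup": aup_version,
        "not_after": aup_validity_end(cert, now).isoformat(),
    }
    payload = json.dumps(record, sort_keys=True).encode()
    return {"record": record, "sig": _mac(payload)}


def mkgridmap_accepts(entry, now, crl=CA_CRL):
    """What an mkgridmap-like consumer should verify before mapping the DN:
    genuine server signature, subscription still valid, certificate not revoked
    (the TODO slide notes the CRL check was still missing in the prototype)."""
    payload = json.dumps(entry["record"], sort_keys=True).encode()
    if not hmac.compare_digest(_mac(payload), entry["sig"]):
        return False
    if datetime.fromisoformat(entry["record"]["not_after"]) <= now:
        return False
    if entry["record"]["serial"] in crl:
        return False
    return True


def demo():
    """Run the scenario on constructed certificates and return the outcomes."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    alice = UserCert("/C=IT/O=INFN/CN=Alice Example", "0x01", now + timedelta(days=30))
    bob = UserCert("/C=IT/O=INFN/CN=Alice Example", "0x0BAD", now + timedelta(days=200))
    carol = UserCert("/C=IT/O=INFN/CN=Carol Outsider", "0x02", now + timedelta(days=200))
    entry = sign_aup_subscription(alice, now)
    tampered = {"record": dict(entry["record"], subject="/C=IT/O=INFN/CN=Mallory"),
                "sig": entry["sig"]}
    return {
        "alice_ok": validate_user(alice, now) is None,
        "alice_aup_end": aup_validity_end(alice, now).isoformat(),
        "mapped_now": mkgridmap_accepts(entry, now),
        "mapped_after_expiry": mkgridmap_accepts(entry, now + timedelta(days=31)),
        "tampered_rejected": not mkgridmap_accepts(tampered, now),
        "revoked_reason": validate_user(bob, now),
        "stranger_reason": validate_user(carol, now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the AUP window for the sample user ends with her certificate (30 days out), not after the full 365-day AUP period, and that a record whose subject is altered after signing no longer verifies.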
(Quick & Dirty) Implementation
• Very preliminary (working) release
• Test VO server
  • Openldap package
  • Apache web server (+ apache-ssl)
    • Php module
      • Openldap routines
      • Openssl routines (still experimental)
  • Openssl package
TODO list
• Insert check against CRL's
• Switch from apache-ssl to mod_ssl
• Avoid forking external programs from the form
  • Next php release?
  • Switch to perl?
• Use a standard (?) form for the certificate