
AUP Signing






Presentation Transcript


  1. AUP Signing
     A Component for User Authorization
     Authorization Working Group

  2. Concepts: CAs
     • CAs are not specific to the GRID
     • CAs cannot impose the GRID AUP
     • CAs only provide authentication
     • Emit personal and host certificates
     • Emit CRLs
     • Maintain and publish these data (http, LDAP)

  3. Concepts: VOs
     • VOs are GRID specific
     • (May) impose an AUP on GRID users
     • VOs must only (?) provide authorization
       • must rely on CAs for authentication, including CRLs and expiration dates
     • (May) verify AUP subscription by users
     • Grant resource access to GRID users

  4. AUP subscription
     A user is granted access to GRID resources (i.e. is authorized by her VO) if she subscribes to the AUP.
     • The validity of an AUP subscription must be limited in time
     • The upper limit of the validity of an AUP subscription is the expiration date of the user certificate
     • The VOs must also take into account the CA CRLs

  5. AUP Subscription: a Proposal
     • Secure (e.g. https) form (on the VO server) containing:
       • the AUP statement
       • an Accept button to be clicked by the user
     • Form tasks:
       • user validation
       • certification of the user's AUP subscription
       • update of the user's information in the VO tree

  6. Form Details
     • User validation (is this a VO user?)
     • User certificate validation (expiration, check against CRL)
     • Creation of a "certificate" for the user, signed by the server itself
     • Insertion of the "certificate" in the LDAP VO tree
     • The "certificate" will be checked by the mkgridmap program and the like
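As an added example (not part of the presentation, and not the authors' PHP implementation), the following Python script implements the form's back end described in slides 4 to 6 and the consumer-side check of the kind mkgridmap would perform: membership check, certificate validation (issuer, signature, validity window, CRL), a subscription whose expiry is capped at the user certificate's expiry, and a record signed by the VO server's own key. It uses the `cryptography` package. The CA, the user certificates, the CRL, the AUP text, the fixed clock `NOW` and the record format are all constructed here; ECDSA stands in for whatever the server's OpenSSL routines would produce, and the LDAP insertion step is left out (the record is handed to the checker directly).

```python
"""AUP subscription back end and mkgridmap-style check (constructed example; needs 'cryptography')."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
import hashlib

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2024, 1, 15, 12, 0, 0)  # constructed clock; naive UTC, as the x509 builders expect
DAY = timedelta(days=1)
AUP_TEXT = b"Example Grid AUP v1 (constructed text)"


@dataclass
class AUPSubscription:
    """The VO server's signed record of one AUP acceptance (slide 6's "certificate"; field set constructed here)."""
    subject: str         # user DN, as later matched by mkgridmap
    serial: int          # serial number of the user certificate that accepted
    aup_hash: str        # SHA-256 of the AUP text shown on the form
    not_before: datetime
    not_after: datetime  # never later than the user certificate's expiry (slide 4)
    sig: bytes = b""     # VO server ECDSA signature over the other fields

    def digest(self) -> bytes:
        body = f"{self.subject}|{self.serial}|{self.aup_hash}|{self.not_before.isoformat()}|{self.not_after.isoformat()}"
        return hashlib.sha256(body.encode()).digest()


class VOServer:
    """Back end of the AUP form: VO signing key, trusted CA, the CA's current CRL and the VO user list."""

    def __init__(self, key, ca_cert, crl, members, max_term=365 * DAY):
        if not crl.is_signature_valid(ca_cert.public_key()):  # a CRL fetched over http/LDAP must be the CA's own
            raise ValueError("CRL is not signed by the trusted CA")
        self.key, self.ca, self.crl, self.members, self.max_term = key, ca_cert, crl, members, max_term
        self.aup_hash = hashlib.sha256(AUP_TEXT).hexdigest()

    def subscribe(self, cert, now=NOW) -> AUPSubscription:
        """Form tasks of slides 5-6: membership, certificate validation, CRL check, then issue the record."""
        dn = cert.subject.rfc4514_string()
        if dn not in self.members:
            raise PermissionError(f"{dn} is not a member of this VO")
        if cert.issuer != self.ca.subject:
            raise PermissionError("certificate was not issued by the trusted CA")
        try:
            self.ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            raise PermissionError("certificate signature is invalid")
        if not cert.not_valid_before <= now <= cert.not_valid_after:
            raise PermissionError("certificate expired or not yet valid")
        if self.crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            raise PermissionError("certificate is revoked")
        # The subscription ends at the VO's maximum term or at the certificate's expiry, whichever comes first.
        sub = AUPSubscription(dn, cert.serial_number, self.aup_hash, now, min(now + self.max_term, cert.not_valid_after))
        sub.sig = self.key.sign(sub.digest(), ec.ECDSA(hashes.SHA256()))
        return sub


def check(vo_pub, sub: AUPSubscription, aup_hash: str, now=NOW) -> bool:
    """What an mkgridmap-like consumer does with a record read back from the VO tree."""
    try:
        vo_pub.verify(sub.sig, sub.digest(), ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False  # record altered after issue, or not issued by this VO
    return sub.aup_hash == aup_hash and sub.not_before <= now <= sub.not_after


def _cert(cn, serial, life, issuer=None, issuer_key=None, ca=False):
    """Fixture only: mint a constructed certificate (self-signed when issuer is None)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Grid"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
               .public_key(key.public_key()).serial_number(serial)
               .not_valid_before(NOW - DAY).not_valid_after(NOW + life)
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    return builder.sign(issuer_key or key, hashes.SHA256()), key


def run_scenario():
    """Constructed CA, CRL and VO; three users go through the form. Returns {name: outcome} and alice's expiry."""
    ca, ca_key = _cert("Example Grid CA", 1, 3650 * DAY, ca=True)
    alice, _ = _cert("alice", 10, 90 * DAY, ca, ca_key)   # certificate expires before the VO's maximum term
    bob, _ = _cert("bob", 11, 730 * DAY, ca, ca_key)      # revoked in the CRL below
    carol, _ = _cert("carol", 12, 365 * DAY, ca, ca_key)  # valid certificate, but not a VO member
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject).last_update(NOW).next_update(NOW + DAY)
           .add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(11).revocation_date(NOW).build())
           .sign(ca_key, hashes.SHA256()))
    vo_key = ec.generate_private_key(ec.SECP256R1())
    vo = VOServer(vo_key, ca, crl, members={alice.subject.rfc4514_string(), bob.subject.rfc4514_string()})
    out = {}
    for name, cert in (("alice", alice), ("bob", bob), ("carol", carol)):
        try:
            out[name] = vo.subscribe(cert)
        except PermissionError as e:
            out[name] = str(e)
    sub = out["alice"]
    out["alice record"] = check(vo_key.public_key(), sub, vo.aup_hash, NOW + DAY)
    forged = replace(sub, not_after=sub.not_after + 365 * DAY)  # record edited in the tree after issue
    out["forged record"] = check(vo_key.public_key(), forged, vo.aup_hash)
    return out, sub.not_after


if __name__ == "__main__":
    results, expiry = run_scenario()
    print("alice's subscription is valid until", expiry.isoformat())
    for name, outcome in results.items():
        print(f"{name + ':':15} {outcome if not isinstance(outcome, AUPSubscription) else 'accepted'}")
```

Running the script shows alice accepted with a subscription that ends on her certificate's expiry (90 days out, not the VO's 365-day term), bob refused as revoked, carol refused as a non-member, alice's record passing the consumer check and the edited copy failing it. The signature over the record is what lets mkgridmap trust a value read from LDAP without trusting whoever can write to the tree, which is the point of having the server sign the "certificate".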

  7. (Quick & Dirty) Implementation
     • Very preliminary (working) release
     • Test VO server
       • OpenLDAP package
       • Apache web server (+ apache-ssl)
       • PHP module
         • OpenLDAP routines
         • OpenSSL routines (still experimental)
       • OpenSSL package

  8. TODO list
     • Insert check against CRLs
     • Switch from apache-ssl to mod_ssl
     • Avoid forking external programs from the form
       • next PHP release?
       • switch to Perl?
     • Use a standard (?) format for the certificate
