AUP Signing


  1. AUP Signing: A Component for User Authorization (Authorization Working Group)

  2. Concepts: CAs
     • CAs are not specific to GRID
     • CAs cannot impose a GRID AUP
     • CAs only provide authentication
     • Issue personal and host certificates
     • Issue CRLs
     • Maintain and publish these data (HTTP, LDAP)

  3. Concepts: VOs
     • VOs are GRID specific
     • (May) impose an AUP on GRID users
     • VOs must only (?) provide authorization
     • Must rely on CAs for authentication
     • Including CRLs and expiration date
     • (May) verify AUP subscription by users
     • Grant resource access to GRID users

  4. AUP subscription
     A user is granted access to GRID resources (i.e. is authorized by her VO) if she subscribes to the AUP
     • The AUP subscription validity must be limited in time
     • The upper limit of the validity of the AUP subscription is the expiration date of the user certificate
     • The VOs must also take into account the CA CRLs

  5. AUP Subscription: a Proposal
     • Secure (e.g. https) form (on VO server) containing:
       • AUP statement
       • Accept button to be clicked by the user
     • Form tasks:
       • User validation
       • User AUP subscription certification
       • User information update in the VO tree

  6. Form Details
     • User validation (is a VO user?)
     • User certificate validation (expiration, check against CRL)
     • Creation of a “certificate” for the user, signed by the server itself
     • Insertion of the “certificate” in the LDAP VO tree
     • The “certificate” will be checked by the mkgridmap program and the like

  7. (Quick & Dirty) Implementation
     • Very preliminary (working) release
     • Test VO server
     • OpenLDAP package
     • Apache web server (+ apache-ssl)
     • PHP module
     • OpenLDAP routines
     • OpenSSL routines (still experimental)
     • OpenSSL package

  8. TODO list
     • Insert check against CRLs
     • Switch from apache-ssl to mod_ssl
     • Avoid forking external programs from the form
     • Next PHP release?
     • Switch to Perl?
     • Use a standard (?) form for the certificate
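
The form tasks from slide 6 combined with the validity limit from slide 4, as an added example that is not part of the presentation or its PHP implementation. HMAC-SHA256 with a constructed key stands in for the server's OpenSSL signature, and the certificate dict, the function names and the one-year policy cap are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key: HMAC stands in for the VO server's private-key signature.
SERVER_KEY = b"constructed-demo-key"
MAX_VALIDITY = timedelta(days=365)  # assumed VO policy, not from the slides


def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_attestation(cert, vo_members, revoked_serials, now):
    """Run the form's checks, then return the signed AUP acceptance record."""
    if cert["dn"] not in vo_members:
        raise PermissionError("not a VO user")
    if cert["serial"] in revoked_serials:
        raise PermissionError("certificate is listed on the CA CRL")
    if cert["not_after"] <= now:
        raise PermissionError("certificate has expired")
    # Limited in time, and never valid longer than the user certificate.
    not_after = min(now + MAX_VALIDITY, cert["not_after"])
    body = json.dumps({"dn": cert["dn"], "serial": cert["serial"],
                       "not_before": now.isoformat(),
                       "not_after": not_after.isoformat()}, sort_keys=True)
    return {"body": body, "sig": _mac(body)}


def attestation_valid(att, dn, revoked_serials, now):
    """Check a mkgridmap-like consumer runs before authorizing dn."""
    if not hmac.compare_digest(att["sig"], _mac(att["body"])):
        return False  # altered, or not produced by the VO server
    claims = json.loads(att["body"])
    if claims["dn"] != dn:
        return False  # record belongs to another user
    if claims["serial"] in revoked_serials:
        return False  # certificate revoked after the AUP was accepted
    start = datetime.fromisoformat(claims["not_before"])
    end = datetime.fromisoformat(claims["not_after"])
    return start <= now <= end

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    cert = {"dn": "/O=Grid/CN=Alice Example", "serial": 4097,  # constructed
            "not_after": now + timedelta(days=30)}
    att = issue_attestation(cert, {cert["dn"]}, set(), now)
    print(att["body"], attestation_valid(att, cert["dn"], set(), now))
```

The consumer re-checks the CRL at use time because a certificate can be revoked after the user accepted the AUP, which the stored record alone cannot show.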