Bug #1163
openinstall and configure certificate authority system for ecogrid
0%
Description
We need a common mechanism for authenticating users for EcoGrid. We have
general agreement that the OGSA Grid Security Infrastructure (GSI) is the right
way to handle this. For that to work, every user needs to have a public key
certificate which is signed by a certificate authority (CA). In Seattle Sept 23
the EcoGrid team agreed that the best way to handle this is through a
hierarchichal certificate granting structure. A root EcoGrid CA will sign
certificates for various organizations such as LTER and NCEAS, and they in turn
will sign certificates for users in their organization. This 'chain-of-trust',
if properly managed, should establish strong security and be scalable to the >
5000 scientists in our current personnel directories.
Each of these trusted CA's would probably also act as one of the distributed
EcoGrid Registries for locating services throughout the grid.
For this to work, we need a simple system in place for users to request
certificates and for the CA admins to sign them. Matt agreed to tackle this.
The tricky issues remaining here include:
1) What system can be used for distributing DN info to mapfiles?
2) How can browser-based interfaces be used with certificates?
Updated by Matt Jones about 19 years ago
This system will instead be implemented by the GAMA server using MyProxy. We
will automatically generate certificates for accounts that are validated. Jing
has been working on the GAMA side of things for SEEK, and GEON already has a
GAMA server in place.