[gin-auth] The new VOMS Server for GIN is active from now

Cindy Zheng zhengc at sdsc.edu
Fri Mar 10 23:32:06 CST 2006


Thank you very much, Oscar, for the explanation!
I think I got it. I did find bits & pieces of info to figure 
out what needs to be done. Let's put all this info together
and make it easier for people to do the same in the future.
Please take a look at the write-up when you have time and
let me know of any corrections and additions.

Cindy

> -----Original Message-----
> From: Oscar Koeroo [mailto:okoeroo at nikhef.nl] 
> Sent: Friday, March 10, 2006 7:41 PM
> To: zhengc at sdsc.edu
> Cc: gin-auth at ggf.org
> Subject: Re: [gin-auth] The new VOMS Server for GIN is active from now
> 
> 
> Hi,
> 
> I haven't read the attached file yet, and I will still need to comment
> on your email conversation with Vincenzo, because the keys issue is
> wrongly explained or confused me even!
> If you don't understand the following, then that is due to the local
> time here and my state of mind :-)
> 
> In the /etc/grid-security/vomsdir/ directory there need to be placed
> all host certificate files of the trusted VOMS Servers.
> The voms-api and other tools which are Attribute Certificate cognisant
> can extract the FQANs but also verify them. The verification can be done
> because these ACs are signed by the private key of a VOMS server that
> gave them out. On the extraction side (the policy decision point (PDP))
> in some middleware at a site the public key needs to be present. Letting
> this be present on the system means to have trust in that host being a
> trusted VOMS Server.
> 
> The ACs can be verified with the public key (present in the certificate
> file) and can then be trusted on their value (without needing to check
> it with other data). The VOMS server is in full control of the
> group/role info that they have been administrating for their community
> (meaning: no need for a copy of the VOMS database on each site).
> 
> To make it even better (actually it is what you should do from the
> start) is to put each host certificate in a directory like:
> /etc/grid-security/vomsdir/GIN-GGF-ORG/
> 
> The voms-api should check this directory first and then fall back to the
> main vomsdir directory. Otherwise all VOMS Servers could be signing all
> kinds of trusted FQANs.
> If you had used the /etc/grid-security/vomsdir/ to put my GIN-GGF-ORG
> file in, then I could create an 'atlas', 'cms' or whatever VO and sign my
> proxies with these VOs. It would be verified correctly, because the
> signature of the ACs checks out correctly. With this approach the scope
> of the verification of the found ACs is narrowed to the files present in
> that directory (which is equal to the VO name).
> 
> 
>     Oscar
> 
> 
> 
> Cindy Zheng wrote:
> 
> >Dear all,
> >
> >Thank you for everyone's quick work and responses!
> >It's only been a week, and I have learned a lot.
> >I started to write down some steps we've gone through, 
> >plus a few bits of things I think may be good to 
> >add for the future. Please take a look at the attachment
> >and let me know any corrections, additions or comments.
> >We'll make this an on-going document as we continue 
> >working on it.
> >
> >Thank you, all, for your help and support!
> >
> >Cindy
> >
> 
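The following is an added example, not code from Oscar's mail or from the VOMS project itself. It models the trust lookup Oscar describes: a relying party looks for the issuing VOMS server's host certificate under vomsdir/<VO>/ first and optionally falls back to the flat vomsdir, and it shows why the flat layout lets a server that is trusted for GIN-GGF-ORG validate an AC claiming any other VO. The hostname `voms.gin.example`, the placeholder certificate file contents, and the `signature_checks_out` stand-in for the real cryptographic AC check are all constructed for the example.

```python
"""Model of how the vomsdir layout scopes trust in VOMS attribute certificates."""
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholder for the GIN VOMS server host; not a real hostname.
GIN_VOMS_HOST = "voms.gin.example"
GIN_VO = "GIN-GGF-ORG"


@dataclass(frozen=True)
class AttributeCertificate:
    """Minimal stand-in for a VOMS AC: who signed it and what it claims."""
    issuer_host: str        # VOMS server whose host certificate must be trusted
    vo: str                 # VO the FQANs belong to
    fqans: Tuple[str, ...]


def write_host_cert(path: str, host: str) -> None:
    """Write a placeholder 'certificate' (a real deployment holds a PEM file here)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(f"CERT-OF:{host}\n")


def find_trust_anchor(vomsdir: str, ac: AttributeCertificate, fallback: bool) -> Optional[str]:
    """Look in vomsdir/<VO>/ first; optionally fall back to the flat vomsdir."""
    candidates = [os.path.join(vomsdir, ac.vo, ac.issuer_host + ".pem")]
    if fallback:
        candidates.append(os.path.join(vomsdir, ac.issuer_host + ".pem"))
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def signature_checks_out(ac: AttributeCertificate, cert_path: str) -> bool:
    """Stand-in for verifying the AC signature with the public key in the host cert."""
    with open(cert_path) as f:
        return f.read().strip() == f"CERT-OF:{ac.issuer_host}"


def verify_ac(vomsdir: str, ac: AttributeCertificate, fallback: bool = True) -> Tuple[bool, str]:
    """Accept the AC only if a trusted host certificate is found and the signature matches."""
    anchor = find_trust_anchor(vomsdir, ac, fallback)
    if anchor is None:
        return False, f"no trusted VOMS certificate for VO {ac.vo!r} from {ac.issuer_host}"
    if not signature_checks_out(ac, anchor):
        return False, "AC signature does not match the trusted host certificate"
    return True, f"trusted via {os.path.relpath(anchor, vomsdir)}"


def build_vomsdir(per_vo: bool) -> str:
    """Create a temporary vomsdir holding only the GIN server's host certificate."""
    vomsdir = tempfile.mkdtemp(prefix="vomsdir-")
    if per_vo:
        write_host_cert(os.path.join(vomsdir, GIN_VO, GIN_VOMS_HOST + ".pem"), GIN_VOMS_HOST)
    else:
        write_host_cert(os.path.join(vomsdir, GIN_VOMS_HOST + ".pem"), GIN_VOMS_HOST)
    return vomsdir


def compare_layouts() -> dict:
    """Verify a legitimate GIN AC and an AC claiming another VO under both layouts."""
    gin_ac = AttributeCertificate(GIN_VOMS_HOST, GIN_VO, ("/GIN-GGF-ORG/Role=NULL",))
    # Same signer, but this AC asserts membership in a VO the GIN server does not administer.
    foreign_ac = AttributeCertificate(GIN_VOMS_HOST, "atlas", ("/atlas/Role=NULL",))
    results = {}
    for layout, per_vo in (("flat", False), ("per-VO", True)):
        vomsdir = build_vomsdir(per_vo)
        results[layout] = {
            "gin": verify_ac(vomsdir, gin_ac)[0],
            "atlas": verify_ac(vomsdir, foreign_ac)[0],
        }
    return results


if __name__ == "__main__":
    for layout, outcome in compare_layouts().items():
        print(f"{layout:7s} vomsdir: GIN AC accepted={outcome['gin']}, "
              f"atlas AC accepted={outcome['atlas']}")
```

With the flat layout the signature check passes for both ACs, so the 'atlas' claim is accepted purely because the GIN server's certificate is trusted at all; with the per-VO layout the same AC is rejected before any signature is examined, because there is no trusted certificate under vomsdir/atlas/. Disabling the fallback entirely (`fallback=False`) makes a flat vomsdir useless, which is the behaviour a site would want once every VO has its own subdirectory.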