[gin-auth] The new VOMS Server for GIN is active from now

Oscar Koeroo okoeroo at nikhef.nl
Fri Mar 10 21:41:12 CST 2006


Hi,

I haven't read the attached file yet, and I will still need to comment 
on your email conversation with Vincenzo, because the key issue is 
wrongly explained, or it confused me even!
If you don't understand the following, then that is due to the local 
time here and my state of mind :-)

In the /etc/grid-security/vomsdir/ directory all the host certificate 
files of the trusted VOMS Servers need to be placed.
The voms-api and other tools that are Attribute Certificate cognisant can 
extract the FQANs but also verify them. The verification can be done 
because these ACs are signed by the private key of the VOMS server that 
gave them out. On the extraction side (the policy decision point (PDP) 
in some middleware at a site) the public key needs to be present. Letting 
this be present on the system means having trust in that host being a 
trusted VOMS Server.

The ACs can be verified with the public key (present in the certificate 
file) and can then be trusted on their value (without needing to check 
it with other data). The VOMS server is in full control of the 
group/role info that they have been administrating for their community 
(meaning: no need for a copy of the VOMS database on each site).

To make it even better (actually it is what you should do from the 
start) is to put each host certificate in a directory like:
/etc/grid-security/vomsdir/GIN-GGF-ORG/

The voms-api should check this directory first and then fall back to the 
main vomsdir directory. Otherwise all VOMS Servers could be signing all 
kinds of trusted FQANs.
If you had used the /etc/grid-security/vomsdir/ to put my 
GIN-GGF-ORG file in, then I could create an 'atlas', 'cms' or whatever VO 
and sign my proxies with these VOs. It would be verified correctly, 
because the signature of the ACs checks out correctly. With this approach 
the scope of the verification of the found ACs is narrowed to the files 
present in that directory (whose name is equal to the VO name).


    Oscar
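As an added example that is not part of the original mail or of the voms-api code, the following POSIX shell script models the lookup order described above (per-VO subdirectory first, flat vomsdir only as a fallback) on a constructed directory tree; the host certificate file name voms.gin.example.pem and passing the vomsdir root as a parameter are assumptions.

```shell
#!/bin/sh
# Added example (not voms-api code): model the lookup described in the
# mail: <vomsdir>/<VO>/ is consulted first, the flat vomsdir only as a
# fallback, so a VOMS host certificate may vouch for a VO only if it sits
# in the resolved directory. VOMSDIR is a parameter (constructed tree).

resolve_voms_trust_dir() {   # usage: resolve_voms_trust_dir VOMSDIR VO
    if [ -d "$1/$2" ]; then
        echo "$1/$2"
    else
        echo "warning: no $1/$2, falling back to flat $1" >&2
        echo "$1"
    fi
}

# Exit 0 if certificate file NAME may verify ACs for VO under VOMSDIR.
cert_may_vouch_for() {       # usage: cert_may_vouch_for VOMSDIR NAME VO
    dir=$(resolve_voms_trust_dir "$1" "$3" 2>/dev/null)
    [ -f "$dir/$2" ]
}

# Constructed tree in the flat layout the mail warns against: the
# GIN-GGF-ORG host certificate dropped straight into vomsdir.
make_flat_vomsdir() {
    root=$(mktemp -d)
    : > "$root/voms.gin.example.pem"        # constructed file name
    echo "$root"
}

# Constructed tree in the recommended per-VO layout.
make_pervo_vomsdir() {
    root=$(mktemp -d)
    mkdir -p "$root/GIN-GGF-ORG"
    : > "$root/GIN-GGF-ORG/voms.gin.example.pem"
    echo "$root"
}

# Demo: the flat layout lets the GIN server vouch for 'atlas' as well;
# the per-VO layout confines it to GIN-GGF-ORG.
for layout in make_flat_vomsdir make_pervo_vomsdir; do
    root=$($layout)
    for vo in GIN-GGF-ORG atlas; do
        if cert_may_vouch_for "$root" voms.gin.example.pem "$vo"; then
            echo "$layout: voms.gin.example.pem may vouch for $vo"
        else
            echo "$layout: voms.gin.example.pem may NOT vouch for $vo"
        fi
    done
    rm -rf "$root"
done
```

The warning printed on the fallback path is the signal an operator would want to see when a VO's certificates have not been confined to their own subdirectory.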



Cindy Zheng wrote:

>Dear all,
>
>Thank you for everyone's quick work and responses!
>It's only been a week, and I have learned a lot.
>I started to write down some steps we've gone through, 
>plus a little bit of things I think may be good to 
>add for the future. Please take a look at the attachment
>and let me know any corrections, additions or comments.
>We'll make this an on-going document as we continue 
>working on it.
>
>Thank you, all, for your help and support!
>
>Cindy