[Nsi-wg] [voms-proc-wg] OGF NSI networking architecture and need for certificates with restricted user base

Mischa Salle msalle at nikhef.nl
Fri Aug 1 04:36:33 EDT 2014


Hi John,

just a few additional remarks inline...

On Thu, Jul 31, 2014 at 12:21:59PM -0400, John MacAuley wrote:
> Yes, I was indeed mixing authentication and basic authorization.  I
> have solved the issue by adding certification DN authorization in
> Apache after the TLS session is established.  It is just too bad TLS
> gets established in the first place with these wide ranging CAs.
> Seems a bit senseless in the grand scheme of security.
I'm not sure I fully understand what you mean, but note in any case that
you can easily provide a CA file or path with a (small) set of accepted
CAs for client auth in Apache; see
http://httpd.apache.org/docs/current/mod/mod_ssl.html
under SSLCACertificateFile, SSLCACertificatePath, SSLCADNRequestFile and
SSLCADNRequestPath.

> Java based implementations can override the default SSL Engine to give
> customized handling of the certificates, which solves my problem
> during the negotiation phase.  Unfortunately, not everyone can do
> this.
First of all, the standard mod_ssl has a number of possibilities for
customization, and you already get quite a lot of data back from the Apache
server, such as the issuer CA of the client cert etc., so you can also do
quite a few checks after the SSL handshake, for example in PHP.
Also see below about e.g. mod_gridsite.

> "Self-signed certificates will not scale." - It really depends on the
> deployment requirements of the application.  We are discussing control
> plane peering of service agents, of which an organization will
> typically have a handful to tens for the foreseeable future.  I would
> not use self-signed for use cases where I am dealing with 100 - 1,000s
> of clients.  In that case it definitely does not scale.
True, but even for smaller cases, it can be difficult to handle the
revocation or expiry of a certificate, as it has to be quickly
distributed over all services and clients.

> However, having to provision 1,000s of access control lists to
> restrict access does not scale as well.  If this was the case an
> entirely different solution would be required that does not depend on
> SSL/TLS for anything other than encryption.
In principle, in the Grid world people have developed an Apache module
(mod_gridsite.so, shipped as part of gridsite, which is available for both
RedHat via EPEL and Debian) which can handle access control based on
virtual organization (VO) membership, roles etc., especially to address
your point about the ACLs. The grid also started out using long lists of
user DNs, until we moved to the concept of a VO with roles and groups,
and access control based on that.

On Thu, Jul 31, 2014 at 05:50:08PM +0000, Sill, Alan wrote:
> We had planned to put together a workshop on identity management for
> software defined networking for SC'14, but I don't think we got that
> submitted in time. This sounds like a topic that would be good to
> discuss at an OGF meeting or other gathering of the NSI group.
That would be very interesting.

    Best wishes,
    Mischa

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
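The mod_ssl setup Mischa refers to, written out as an added example that is not part of the original message or of any NSI implementation: a peering endpoint that only completes the TLS handshake for client certificates issued by a small, explicitly listed set of CAs (SSLCACertificateFile / SSLCADNRequestFile), and then authorises by issuer and subject DN with Require expr once the handshake is done. The hostnames, file paths, DNs and the /nsi location are assumptions for illustration.

```apache
# Added example, not from the original message. Hostnames, file paths,
# DNs and the /nsi location are assumptions for illustration.
<VirtualHost *:443>
    ServerName nsa.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/nsa.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/nsa.example.org.key

    # Trust anchors for *client* certificates only. Point this at a small
    # hand-maintained bundle of the peering CAs, never at the system-wide
    # bundle: whatever is in here is what the TLS handshake will accept.
    SSLCACertificateFile /etc/grid-security/peering-cas.pem

    # CA names advertised in the TLS CertificateRequest message. Keeping
    # this in step with SSLCACertificateFile lets clients pick the right cert.
    SSLCADNRequestFile   /etc/grid-security/peering-cas.pem

    # Abort the handshake unless the client presents a certificate that
    # chains to one of the CAs above within the given depth.
    SSLVerifyClient require
    SSLVerifyDepth  3

    # Revocation: a PEM bundle of CRLs for the peering CAs, refreshed out
    # of band (e.g. fetch-crl from cron). A self-signed peer has no CRL;
    # its cert then has to be removed from the CA bundle by hand instead.
    SSLCARevocationFile  /etc/grid-security/peering-cas.crl
    SSLCARevocationCheck chain

    <Location "/nsi">
        # Authorisation after the handshake: both the issuer DN and the
        # subject DN must match. Apache 2.4 renders DNs in RFC 2253 form
        # (CN=...,O=...,C=...); on 2.2, or with
        # SSLOptions +LegacyDNStringFormat, use /C=.../O=.../CN=... instead.
        <RequireAll>
            Require expr "%{SSL_CLIENT_I_DN} == 'CN=Peering CA,O=Example Org,C=NL'"
            Require expr "%{SSL_CLIENT_S_DN} in { 'CN=nsa.peer-a.example.net,O=Peer A,C=NL', \
                                                  'CN=nsa.peer-b.example.net,O=Peer B,C=DE' }"
        </RequireAll>
    </Location>
</VirtualHost>
```

Narrowing SSLCACertificateFile is what stops the handshake from succeeding for unrelated CAs in the first place; the Require lines are the per-peer DN list that John added after the handshake. With a handful of peers that list stays manageable; at the scale Mischa describes, the Require block is what mod_gridsite's VO/role based access control would replace, with the CA restriction above left as it is.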