[ogsa-wg] Draft, Informational, Security Profile

Duane Merrill III dgm4d at virginia.edu
Fri Mar 9 11:46:26 CST 2007


> * 3.iii - embedding an EPI in an X509 cert sounds good, but not sure how
> that would make migration easier: don't you have to move the private key
> then with the resource?

Moving the private key wouldn't be necessary.  The idea is that, through the
trust hierarchy (out of scope), a client can trust that the public key bound
to an EPI via the certificate can be used to securely communicate with (and
thus authenticate) that resource.  In fact, this trust mechanism allows for
the client to trust (if the issuer is trusted) *any* key bound to that EPI.
Therefore, when the resource migrates (or the certificate expires, is
compromised, etc.), an intermediate CA can just issue a new
certificate/keypair for the resource, and any EPR rebinding mechanisms will
provide clients with the newly updated EPR containing the appropriate public
key (and new address, etc.).

-Duane
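
The rebinding argument in the reply above, as an added example that is not part of the original message or of any OGSA document: a CA issues a second certificate for the same EPI with a fresh keypair, and the client accepts it without the old private key ever moving. Assumptions: the Python `cryptography` package, the EPI carried as a URI subjectAltName, and constructed names and EPI value; validity-period and revocation checks are left out.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

EPI = "urn:example:epi:resource-42"  # constructed endpoint identifier
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed CA")])

def issue(ca_key, subject_key, epi):
    """CA binds subject_key's public half to the EPI (assumed: URI SAN)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    san = x509.SubjectAlternativeName([x509.UniformResourceIdentifier(epi)])
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "resource")]))
        .issuer_name(CA_NAME)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(san, critical=False)
        .sign(ca_key, hashes.SHA256())
    )

def client_accepts(cert, ca_public_key, expected_epi):
    """Client check: issuer signature verifies and the cert names the EPI."""
    try:
        ca_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                             ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return expected_epi in san.value.get_values_for_type(x509.UniformResourceIdentifier)

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    rogue_ca = ec.generate_private_key(ec.SECP256R1())  # not trusted by the client
    old_key = ec.generate_private_key(ec.SECP256R1())
    new_key = ec.generate_private_key(ec.SECP256R1())   # created after migration
    old_cert, new_cert = issue(ca_key, old_key, EPI), issue(ca_key, new_key, EPI)
    forged = issue(rogue_ca, new_key, EPI)
    trusted = ca_key.public_key()
    keys_differ = (old_cert.public_key().public_numbers()
                   != new_cert.public_key().public_numbers())
    return (client_accepts(old_cert, trusted, EPI), client_accepts(new_cert, trusted, EPI),
            client_accepts(forged, trusted, EPI), keys_differ)
```
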


