[Pgi-wg] Sec: Agreement on attributetransportmechanismsforAttrAuthZ
Moreno Marzolla
moreno.marzolla at pd.infn.it
Fri Mar 20 15:12:14 CDT 2009
Duane Merrill wrote:
> Yes, your certificate authority could sign ACs into PKCs.
>
> This would be a reasonable strategy if, for example, your middleware
> had statically-assigned identities (and statically-associated
> attributes) and you wanted to call into resources operated by a
> (idealized) middleware that looks for VOMS-style proxy-certs. (Because
> the callee middleware knows how to process PC chains with embedded
> ACs, it also knows how to process your vanilla PKCs with embedded
> ACs.).
That's correct, but unfortunately the situation is a bit more complex.
Certification Authorities release certificates without any VO membership
attributes (at least, the INFN CA does not embed VO information).
Furthermore, users can join (and leave) VOs at any time. Joining a VO is
actually quite simple: usually each VO maintains a web page, where you
authenticate with your X509 certificate. You fill in a form, and your
request for membership is approved by the VO manager. Then, the VOMS
server(s) are instructed to add the new VO membership information when
you request a VOMS proxy with the voms-proxy-init command.
This currently works quite well for gLite, and allows VO administrators
to grant and revoke VO membership information without requesting users
to ask for a new X509 certificate. This also allows Certification
Authorities to be completely VO-agnostic (if a new VO is created, you
don't need to tell the CAs to release attributes for the new VO as well).
Moreno.
--
Moreno Marzolla
INFN Sezione di Padova, via Marzolo 8, 35131 PADOVA, Italy
EMail: moreno.marzolla at pd.infn.it Phone: +39 049 8277047
WWW : http://www.dsi.unive.it/~marzolla Fax : +39 049 8756233
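The decoupling Moreno describes (a VO-agnostic CA issuing identity certificates, a VOMS server issuing short-lived attribute certificates that voms-proxy-init embeds in the proxy, and the VO manager granting or revoking membership without touching the CA) can be modelled end to end. The following is an added illustration, not gLite or VOMS code: the classes CA, VomsServer and the functions proxy_init, relying_party_check and demo are invented for this model, the signatures are HMAC stand-ins rather than X.509 signatures, and the CA name, VO name, DN and timestamps are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone


def _toy_sign(secret, payload):
    """Stand-in for an X.509 signature: HMAC over canonical JSON of the
    to-be-signed fields. Real CAs and VOMS servers use RSA/ECDSA."""
    blob = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(secret, blob, hashlib.sha256).hexdigest()


class CA:
    """Certification Authority: binds a DN to a certificate and is
    deliberately VO-agnostic (no VO membership fields, as in the message)."""

    def __init__(self, name):
        self.name = name
        self._secret = secrets.token_bytes(32)

    def issue(self, subject_dn):
        tbs = {"issuer": self.name, "subject": subject_dn}
        return {"tbs": tbs, "sig": _toy_sign(self._secret, tbs)}

    def verify(self, cert):
        return hmac.compare_digest(cert["sig"], _toy_sign(self._secret, cert["tbs"]))


class VomsServer:
    """VOMS server for one VO: holds the membership list the VO manager edits
    and issues short-lived attribute certificates (ACs) on request."""

    def __init__(self, vo, ac_lifetime=timedelta(hours=12)):
        self.vo = vo
        self.ac_lifetime = ac_lifetime
        self._secret = secrets.token_bytes(32)
        self._members = {}  # DN -> list of FQANs

    def grant(self, dn, fqan):
        self._members.setdefault(dn, []).append(fqan)

    def revoke(self, dn):
        self._members.pop(dn, None)

    def issue_ac(self, holder_dn, now):
        if holder_dn not in self._members:
            raise PermissionError(f"{holder_dn} is not a member of VO {self.vo}")
        tbs = {"holder": holder_dn, "vo": self.vo,
               "fqans": list(self._members[holder_dn]),
               "not_after": (now + self.ac_lifetime).isoformat()}
        return {"tbs": tbs, "sig": _toy_sign(self._secret, tbs)}

    def verify(self, ac):
        return hmac.compare_digest(ac["sig"], _toy_sign(self._secret, ac["tbs"]))


def proxy_init(user_cert, voms, now):
    """Models voms-proxy-init: fetch an AC for the certificate subject and
    embed it in the proxy next to the identity certificate."""
    ac = voms.issue_ac(user_cert["tbs"]["subject"], now)
    return {"identity_cert": user_cert, "ac": ac}


def relying_party_check(proxy, ca, voms, now):
    """What a VOMS-aware resource checks before authorising on the FQANs:
    CA signature, VOMS signature, holder/subject binding, AC validity."""
    cert, ac = proxy["identity_cert"], proxy["ac"]
    if not ca.verify(cert):
        raise ValueError("identity certificate not issued by a trusted CA")
    if not voms.verify(ac):
        raise ValueError("AC not issued by a trusted VOMS server")
    if ac["tbs"]["holder"] != cert["tbs"]["subject"]:
        raise ValueError("AC holder does not match certificate subject")
    if datetime.fromisoformat(ac["tbs"]["not_after"]) <= now:
        raise ValueError("attribute certificate has expired")
    return ac["tbs"]["fqans"]


def demo():
    """Walk through join, use and revoke; returns the observed outcomes."""
    ca = CA("/C=IT/O=INFN/CN=INFN CA")            # constructed issuer name
    voms = VomsServer("dteam")                     # constructed VO
    user_dn = "/C=IT/O=INFN/CN=Example User"       # constructed DN
    t0 = datetime(2009, 3, 20, 12, 0, tzinfo=timezone.utc)
    user_cert = ca.issue(user_dn)                  # no VO attributes inside
    out = {"vo_fields_in_cert": "vo" in user_cert["tbs"]}
    try:                                           # not yet a VO member
        proxy_init(user_cert, voms, t0)
        out["proxy_before_join"] = True
    except PermissionError:
        out["proxy_before_join"] = False
    voms.grant(user_dn, "/dteam/Role=NULL/Capability=NULL")  # manager approves
    proxy = proxy_init(user_cert, voms, t0)
    out["fqans"] = relying_party_check(proxy, ca, voms, t0)
    voms.revoke(user_dn)                           # the CA is never involved
    out["old_proxy_after_revoke"] = bool(
        relying_party_check(proxy, ca, voms, t0 + timedelta(hours=1)))
    try:                                           # AC lifetime bounds the revocation delay
        relying_party_check(proxy, ca, voms, t0 + timedelta(hours=13))
        out["old_proxy_after_expiry"] = True
    except ValueError:
        out["old_proxy_after_expiry"] = False
    try:
        proxy_init(user_cert, voms, t0 + timedelta(hours=1))
        out["new_proxy_after_revoke"] = True
    except PermissionError:
        out["new_proxy_after_revoke"] = False
    return out
```

Running demo() shows the property the message relies on (membership is granted and revoked at the VOMS server while the identity certificate stays untouched) together with the caveat a resource operator should keep in mind: a proxy issued before revocation keeps authorising until its AC expires, so the AC lifetime is the upper bound on how long a revoked membership remains usable.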