I should have said....
"The authorisation step of allowing Grid work on a host is the more
important one."
Dave
------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK
e-mail: [log in to unmask]
Tel: [+44](0)1235 445746 (direct)
Fax: [+44](0)1235 446733
------------------------------------------------
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Kelsey, DP (David)
> Sent: 24 October 2006 08:52
> To: [log in to unmask]
> Subject: Re: Host certificate for home machine
>
> Ian,
>
> You raise an interesting point, but I think the trust really
> comes when any site (or host) joins the Grid. The certificate
> is just identifying the host. The authorisation step of
> allowing Grid work on a host. The Security architecture has
> always included mutual authorisation of hosts and service,
> i.e. it's not just users who should be authorised for
> access... VOs should also be able to authorise the Grid
> services they trust and wish to use.
>
> Dave
>
>
> ------------------------------------------------
> Dr David Kelsey
> Particle Physics Department
> Rutherford Appleton Laboratory
> Chilton, DIDCOT, OX11 0QX, UK
>
> e-mail: [log in to unmask]
> Tel: [+44](0)1235 445746 (direct)
> Fax: [+44](0)1235 446733
> ------------------------------------------------
>
>
>
>
> > -----Original Message-----
> > From: Testbed Support for GridPP member institutes
> > [mailto:[log in to unmask]] On Behalf Of Ian Stokes-Rees
> > Sent: 24 October 2006 08:44
> > To: [log in to unmask]
> > Subject: Re: Host certificate for home machine
> >
> > Surely the issue is that anyone with a host certificate is then on the
> > path to having Globus proxy certificates end up on their host, which
> > they would then have access to and could potentially exploit. For
> > that reason, the level of "trust" in someone who is issued a host
> > certificate, I would have thought, needs to be higher than for a
> > person who requires just a regular user certificate.
> >
> > Ian
> >
> > David Colling wrote:
> > > OK, in a society as geeky as ours, it had to happen sooner or later. I
> > > have a request from somebody (not me for those of you trying to
> > > guess) at Imperial for a host certificate. I must admit that I cannot
> > > see any reason not to approve it. The machine has a unique IP address,
> > > reverse DNS identifies it correctly, the user who has requested the
> > > certificate is the person who administers the machine etc.
> > >
> > > Anyway, before proceeding I thought that I would email this list where
> > > people who know the rules better than me can comment.
> > --
> > Ian Stokes-Rees [log in to unmask]
> > Particle Physics, Oxford http://grid.physics.ox.ac.uk/~stokes
> >
>