Hi,
Yes, these are valid points although I know of no such effort within any VO.
I should say that this particular person is trustworthy and already
administrates several machines so I have no worries on this occasion.
However, the general point is indeed interesting.
All the best,
david
Kelsey, DP (David) wrote:
> I should have said....
>
> "The authorisation step of allowing Grid work on a host is the more
> important one."
>
> Dave
>
>
> ------------------------------------------------
> Dr David Kelsey
> Particle Physics Department
> Rutherford Appleton Laboratory
> Chilton, DIDCOT, OX11 0QX, UK
>
> e-mail: [log in to unmask]
> Tel: +44 (0)1235 445746 (direct)
> Fax: +44 (0)1235 446733
> ------------------------------------------------
>
>
>
>
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes
>> [mailto:[log in to unmask]] On Behalf Of Kelsey, DP (David)
>> Sent: 24 October 2006 08:52
>> To: [log in to unmask]
>> Subject: Re: Host certificate for home machine
>>
>> Ian,
>>
>> You raise an interesting point, but I think the trust really
>> comes when any site (or host) joins the Grid. The certificate
>> is just identifying the host. The authorisation step of
>> allowing Grid work on a host. The Security architecture has
>> always included mutual authorisation of hosts and service,
>> i.e. it's not just users who should be authorised for
>> access... VOs should also be able to authorise the Grid
>> services they trust and wish to use.
>>
>> Dave
>>
>>> -----Original Message-----
>>> From: Testbed Support for GridPP member institutes
>>> [mailto:[log in to unmask]] On Behalf Of Ian Stokes-Rees
>>> Sent: 24 October 2006 08:44
>>> To: [log in to unmask]
>>> Subject: Re: Host certificate for home machine
>>>
>>> Surely the issue is that anyone with a host certificate is then on the
>>> path to having Globus proxy certificates end up on their host, which
>>> they would then have access to and could potentially exploit. For
>>> that reason, the level of "trust" in someone who is issued a host
>>> certificate, I would have thought, needs to be higher than for a
>>> person who requires just a regular user certificate.
>>>
>>> Ian
>>>
>>> David Colling wrote:
>>>> OK, in a society as geeky as ours, it had to happen sooner or later. I
>>>> have a request from a somebody (not me for those of you trying to
>>>> guess) at Imperial for a host certificate. I must admit that I cannot
>>>> see any reason not to approve it. The machine has a unique IP address,
>>>> reverse DNS identifies it correctly, the user who has requested the
>>>> certificate is the person who administers the machine etc.
>>>>
>>>> Anyway, before proceeding I thought that I would email this list where
>>>> people who know the rules better than me can comment.
>>> --
>>> Ian Stokes-Rees [log in to unmask]
>>> Particle Physics, Oxford http://grid.physics.ox.ac.uk/~stokes
>>>