> -----Original Message-----
> From: LHC Computer Grid - Rollout
> [mailto:[log in to unmask]] On Behalf Of Kostas Georgiou
> Sent: 27 July 2007 12:04
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] Expiration time of a proxy before
> the end of job.
>
> On Fri, Jul 27, 2007 at 09:59:03AM +0100, Ma, M (Mingchao) wrote:
>
> > Good point!
> >
> > In theory:
> >
> > Proxy certificate should be short-live (12 or 24 hours), attribute
> > certificate should be no longer than proxy certificate (shorter is
> > ok),
>
> I don't think that shorter is OK (with the current system).
> At the moment when your attribute expires the result is that
> the gridmap file will be used, which means
> that your job, file transfer, whatever will now be mapped to
> something else and get a completely different set of capabilities.
I do not mean in the current system :-) Generally that is how PKI (X.509
certificate) and PMI (Attribute Certificate) work: a long-lived X.509
certificate and a short-lived attribute certificate. The idea is that a user's
identity might not change very often (and should not change very often)
but a user's attributes/roles might change from time to time. So the
attribute certificate can be valid from a few minutes (valid for one
session) to a few months or years, but should not be longer than its
corresponding X.509 certificate.
> > any services or operations requiring long-lived proxy certificates should
> > use my proxy server, and my proxy server should be voms attribute
> > aware so that it can renew not only the proxy certificate but also the
> > attribute certificate when required, and all services also need to be
> > voms attribute aware so that they can verify not only the proxy
> > certificate but also the voms attributes.
>
> Sure all services should be voms aware at the level that they
> should even contact the voms server on their own to renew the
> voms attributes if they expire.
>
> > In reality (at the moment):
> >
> > Proxy certificates are 3-7 days long because there is no my proxy
> > server or the my proxy server is not used by other services. Some services
> > are not voms attribute aware, which means they do not recognise the
> > voms attributes. My proxy server is not attribute aware, so it
> > cannot renew attribute certificates on behalf of users if needed.
>
> It doesn't have to be only MyProxy that renews your attribute
> certificate, any service can renew the attributes if needed.
> Of course they'll have to be voms aware first.
Yes, that is true as long as there is such a service, but it seems quite
natural for it to be handled by the my proxy server.
> > In fact, the proxy certificate tells the system who you are
> > (authentication) and the attribute certificate tells the system what you
> > can do (your capabilities) so that the system can authenticate you (by proxy
> > certificate) and also authorize you according to the attributes (by
> > attribute certificate and its local access control policy). It
> > requires that all services are attribute-aware, but at the moment it
> > is not the case.
>
> Unfortunately the proxy certificate is also used for
> authorization when the attributes are not there, have
> expired or the service isn't voms aware. We have two
> authorization systems in use, and having different expiry
> times for the proxy and its attributes results in both of
> them being used in the lifetime of a job.
Very true, that is why we need attribute certificates (voms), since X.509
certificates and proxy certificates should only be used for authentication
purposes. That is probably the most difficult part: to enable all
services to support attribute certificates and enforce attribute-based
authorization. An attribute-aware my proxy server is far from enough.
> I would have liked to see something a lot more fine-tuned
> instead of the basic voms attributes. We could have had
> attributes with something like:
> * proxy can copy back the sandbox of job X to RB Y (signed
> by RB Y) for example, and then you don't have to worry that
> much about the expiry times or that proxy being stolen at
> some later point.
> I have seen some projects working on adding RBAC in x509 but
> I haven't spent any time thinking about it so the idea might
> not be workable at all.
>
> > Obviously we have a long way to go!
>
> Very very true.
Technically, we have all the related technologies: PKI + proxy certificate + my
proxy server + PMI/voms (attribute certificate), but enabling all
services to support them is a long way to go. There are some efforts on
adding RBAC into attribute certificates; you might check the project
called "Permis", simply google it :-)
> Kostas
>
Mingchao
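The lifetime interaction discussed in this thread, as an added example that is not part of the original messages or of any LCG, VOMS or MyProxy code: a small check that takes a proxy's validity window, its VOMS attribute certificate's window and a job's expected run time, and reports whether the AC outlives the proxy (the PMI rule Mingchao states) or whether the job's authorization would silently fall back to the gridmap file mid-run (the failure Kostas describes). The names `Validity`, `authz_source` and `check_lifetimes` and the sample dates are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Validity:
    """A credential's validity window (notBefore/notAfter), inclusive."""
    not_before: datetime
    not_after: datetime

    def contains(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


def authz_source(t: datetime, proxy: Validity, voms_ac: Validity) -> str:
    """Authorization path a voms-aware service takes at time t, as the thread
    describes it: valid AC -> voms; AC expired -> gridmap file; proxy expired -> none."""
    if not proxy.contains(t):
        return "none"
    return "voms" if voms_ac.contains(t) else "gridmap"


def check_lifetimes(proxy: Validity, voms_ac: Validity,
                    job_start: datetime, job_end: datetime) -> list:
    """Policy findings for a job expected to run from job_start to job_end."""
    findings = []
    # PMI rule from the thread: the AC must not outlive the certificate it is bound to.
    if voms_ac.not_after > proxy.not_after:
        findings.append("AC_OUTLIVES_PROXY")
    # The authorization system must not silently change while the job runs.
    sources = {authz_source(job_start, proxy, voms_ac), authz_source(job_end, proxy, voms_ac)}
    if "none" in sources:
        findings.append("PROXY_EXPIRES_BEFORE_JOB_END")
    elif "gridmap" in sources:
        findings.append("AC_EXPIRES_BEFORE_JOB_END" if "voms" in sources else "NO_VALID_AC_DURING_JOB")
    return findings


# Constructed sample (not real data): 7-day proxy, 24-hour VOMS AC, 36-hour job.
ISSUED = datetime(2007, 7, 27, 12, 0)
PROXY = Validity(ISSUED, ISSUED + timedelta(days=7))
VOMS_AC = Validity(ISSUED, ISSUED + timedelta(hours=24))
JOB_START, JOB_END = ISSUED, ISSUED + timedelta(hours=36)

if __name__ == "__main__":
    print(check_lifetimes(PROXY, VOMS_AC, JOB_START, JOB_END))  # ['AC_EXPIRES_BEFORE_JOB_END']
    for hours in (12, 30, 200):
        print(hours, "h ->", authz_source(ISSUED + timedelta(hours=hours), PROXY, VOMS_AC))
```

With the sample values the job starts under voms authorization and finishes under the gridmap mapping, which is exactly the mid-job switch the thread warns about.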