Hi John
I will answer your questions below, but one of the issues you are
raising is the more general one about a user who is known by different
IDs in different domains, and how all his attributes from all of his
IDs can be used correctly. GridShib has already hit this problem, as have
many others. Several people have been working on a general solution to
this problem, rather than a short term application specific hack, but we
don't have one yet. We do have a proposal into the last JISC
e-infrastructure call to solve the problem, so if we get funded we
should end up with a standard solution. But for now, hacks are all that
we can hope for.
John Watt wrote:
> Hi,
>
> We are looking into a project to interoperate
> Shibboleth/GT4/PERMIS/GridSphere (no less!) and I have a question about
> the signature checking on PERMIS.
>
> One of our goals is to be able to submit jobs to the NGS, this
> inevitably forces us to adopt the UK e-Science Certificate naming
> convention/certificates. We are pretty much resigned to having to submit
> jobs as UK e-Science users.
>
> However we would like to use PERMIS/DIS to enforce local access control
> to Globus. We would do this by deploying PERMIS in the Globus container
> and issuing local attributes with DIS. This allows us to use DIS's
> dynamic cross-organisation features as we may deploy other containers
> with separate policies and attributes. (We already have this working
> incidentally)
>
> The problem comes when PERMIS is invoked. The DN coming into PERMIS will
> be of the e-Science DN type, whereas the attributes we have issued with
> DIS will be living in our own custom LDAP (signed by our own CA) with
> its own naming structure.
>
> I have an idea of mirroring/copying the attributes for a particular user
> on the same LDAP but with the placeholder name of the UK e-Science DN
> type (a fudge I know - I'm also not 100% sure this is legal in LDAP).
> Then when PERMIS receives a UK DN from the Globus proxy it can find the
> attributes for the corresponding user. However, will PERMIS care that
> the e-Science certificate was signed by the UK root CA when it does the
> signature check for the Attribute Certificate (signed by our SoA)?
No, PERMIS does not care who signed PKCs; this is a feature of the
signature checking method, which is usually code provided by someone else.
PERMIS does care who signed ACs. The PERMIS policy says who is allowed
to sign ACs, and if delegation is supported. If a trusted AA did not
sign the AC, then the AC will be rejected.
Also,
> would it complain that the attribute certificate will contain a DN
> (holder name) that is different from the DN it is stored in (the UK DN)?
Yes, PERMIS does care about this. The AC will be rejected. This is
because your PEP told PERMIS that the authenticated name of the user was
DN1, so it will only accept ACs issued to DN1. Any ACs issued to DN2
belong to someone else, so are discarded.
regards
David
> I realise some of the above may violate LDAP rules but I want to check
> first if PERMIS would disallow it anyway.
>
> Many thanks!
> John
>
> ----------------------------------------
> Dr. John Watt, National e-Science Centre
> University of Glasgow, Glasgow G12 9BY
> Tel: 0141 330 8647 Fax: 0141 330 8625
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: [log in to unmask]
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
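The two rules David gives for Attribute Certificate (AC) acceptance, modelled as an added example that is not part of the thread and is not PERMIS code. It uses constructed DNs and a constructed in-memory "LDAP" so that it runs offline, and it does not parse real X.509 ACs or verify signatures: the point shown is that the AC's own holder field must equal the DN the PEP authenticated, and that the issuer must be an AA the policy trusts. Storing a copy of an AC under the UK e-Science DN (the fudge John describes) does not change the holder field inside it, so the copy is still discarded. The DN normalisation here (lower-casing types and values, trimming whitespace) is a simplification of LDAP matching rules and is an assumption of the example.

```python
"""Model of PERMIS-style AC acceptance as described in the mail above.

Illustrative code written for this page; not PERMIS, not a real AC parser.
All DNs, names and entries are constructed sample data.
"""
from dataclasses import dataclass, field


def normalize_dn(dn: str) -> tuple:
    """Split a string DN on unescaped commas and normalise each RDN.

    Simplification: every attribute value is case-folded. Real LDAP applies
    this only to attributes with case-ignore matching rules (cn, o, ou, ...).
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().lower(), value.strip().lower()))
    return tuple(rdns)


@dataclass(frozen=True)
class AttributeCertificate:
    holder: str                      # DN the attributes were issued to
    issuer: str                      # DN of the AA/SoA that signed the AC
    attributes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Policy:
    trusted_aas: frozenset           # DNs allowed to sign ACs (no delegation modelled)


def evaluate_ac(ac: AttributeCertificate, policy: Policy, authenticated_dn: str):
    """Return (accepted, reason) for one AC, in the order the mail gives them."""
    trusted = {normalize_dn(d) for d in policy.trusted_aas}
    if normalize_dn(ac.issuer) not in trusted:
        return False, "issuer is not a trusted AA under the policy"
    if normalize_dn(ac.holder) != normalize_dn(authenticated_dn):
        return False, "holder DN differs from the authenticated DN"
    return True, "accepted"


def attributes_for(authenticated_dn: str, ldap: dict, policy: Policy) -> dict:
    """Fetch the ACs stored under the authenticated DN and keep only those
    that pass both checks. The LDAP entry an AC is stored under is irrelevant
    to the decision; only the holder field inside the AC counts."""
    key = normalize_dn(authenticated_dn)
    merged = {}
    for entry_dn, acs in ldap.items():
        if normalize_dn(entry_dn) != key:
            continue
        for ac in acs:
            accepted, _ = evaluate_ac(ac, policy, authenticated_dn)
            if accepted:
                merged.update(ac.attributes)
    return merged


# --- constructed sample data (not real DNs or certificates) ---------------
LOCAL_SOA = "cn=SoA,o=Example University,c=GB"
LOCAL_USER_DN = "cn=alice,ou=staff,o=Example University,c=GB"
UK_USER_DN = "CN=alice example,L=ExampleLab,OU=Example,O=eScience,C=UK"
POLICY = Policy(trusted_aas=frozenset({LOCAL_SOA}))

# The fudge: the local AC (holder = local DN) copied under the UK DN entry.
COPIED_LOCAL_AC = AttributeCertificate(LOCAL_USER_DN, LOCAL_SOA, {"permisRole": "staff"})
# What actually works: an AC the local SoA issues *to* the UK DN.
REISSUED_AC = AttributeCertificate(UK_USER_DN, LOCAL_SOA, {"permisRole": "ngs-user"})
# An AC from an AA the policy does not list.
UNTRUSTED_AC = AttributeCertificate(UK_USER_DN, "cn=OtherAA,o=Elsewhere,c=GB", {"permisRole": "admin"})

SAMPLE_LDAP = {
    LOCAL_USER_DN: [AttributeCertificate(LOCAL_USER_DN, LOCAL_SOA, {"permisRole": "staff"})],
    UK_USER_DN: [COPIED_LOCAL_AC, REISSUED_AC, UNTRUSTED_AC],
}

if __name__ == "__main__":
    for ac in SAMPLE_LDAP[UK_USER_DN]:
        print(ac.holder, "->", evaluate_ac(ac, POLICY, UK_USER_DN))
    print("effective attributes:", attributes_for(UK_USER_DN, SAMPLE_LDAP, POLICY))
```

Running it, the copied local AC is rejected for a holder mismatch, the untrusted AA's AC is rejected on the issuer check, and only the AC the local SoA issued to the UK DN contributes to the effective attribute set.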