PERMIS-DEV@JISCMAIL.AC.UK archives, December 2006
Subject: Re: UK e-Science DN and local Attribute Authorities
From: David Chadwick <[log in to unmask]>
Reply-To: This list is for software developers that use PERMIS <[log in to unmask]>
Date: Fri, 1 Dec 2006 20:14:21 +0000
Content-Type: text/plain
Parts/Attachments: text/plain (95 lines)

Hi John

I will answer your questions below, but one of the issues you are 
raising is the more general one about a user who is known by different 
IDs in different domains, and how all his attributes from all of his 
IDs can be used correctly. GridShib has already hit this problem, as have 
many others. Several people have been working on a general solution to 
this problem, rather than a short term application specific hack, but we 
don't have one yet. We do have a proposal into the last JISC 
e-infrastructure call to solve the problem, so if we get funded we 
should end up with a standard solution. But for now, hacks are all that 
we can hope for.

John Watt wrote:
> Hi,
> 
> We are looking into a project to interoperate
> Shibboleth/GT4/PERMIS/GridSphere (no less!) and I have a question about
> the signature checking in PERMIS.
> 
> One of our goals is to be able to submit jobs to the NGS; this
> inevitably forces us to adopt the UK e-Science Certificate naming
> convention/certificates. We are pretty much resigned to having to submit
> jobs as UK e-Science users. 
> 
> However we would like to use PERMIS/DIS to enforce local access control
> to Globus. We would do this by deploying PERMIS in the Globus container
> and issuing local attributes with DIS. This allows us to use DIS's
> dynamic cross-organisation features as we may deploy other containers
> with separate policies and attributes. (We already have this working
> incidentally)
> 
> The problem comes when PERMIS is invoked. The DN coming into PERMIS will
> be of the e-Science DN type, whereas the attributes we have issued with
> DIS will be living in our own custom LDAP (signed by our own CA) with
> its own naming structure.
> 
> I have an idea of mirroring/copying the attributes for a particular user
> on the same LDAP but with the placeholder name of the UK e-Science DN
> type (a fudge I know - I'm also not 100% sure this is legal in LDAP).
> Then when PERMIS receives a UK DN from the Globus proxy it can find the
> attributes for the corresponding user. However, will PERMIS care that
> the e-Science certificate was signed by the UK root CA when it does the
> signature check for the Attribute Certificate (signed by our SoA)? 

No, PERMIS does not care who signed PKCs; this is a feature of the 
signature checking method, which is usually code provided by someone else.

PERMIS does care who signed ACs. The PERMIS policy says who is allowed 
to sign ACs, and if delegation is supported. If a trusted AA did not 
sign the AC, then the AC will be rejected.

Also,
> would it complain that the attribute certificate will contain a DN
> (holder name) that is different from the DN it is stored in (the UK DN)?

Yes, PERMIS does care about this. The AC will be rejected. This is 
because your PEP told PERMIS that the authenticated name of the user was 
DN1, so it will only accept ACs issued to DN1. Any ACs issued to DN2 
belong to someone else, so are discarded.

regards

David

> I realise some of the above may violate LDAP rules but I want to check
> first if PERMIS would disallow it anyway.
> 
> Many thanks!
> John
> 
> ----------------------------------------
> Dr. John Watt, National e-Science Centre
> University of Glasgow,  Glasgow  G12 9BY
> Tel: 0141 330 8647    Fax: 0141 330 8625 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: [log in to unmask]
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
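As an added illustration of the three AC checks David describes (signature verifies, issuer is an AA the policy trusts, either directly or through permitted delegation, and holder DN equals the DN the PEP authenticated), the Python below models the decision against John's scenario. It is not PERMIS code and was not posted by either author. Everything in it is an assumption made for the example: HMAC with a per-issuer key stands in for the X.509 AC signature and key lookup, the DNs, keys and attribute names are constructed, DN matching is a simplification of X.500 matching rules, and the delegation rule (a delegator must hold a valid AC for its own DN carrying every attribute it hands on) is one plausible rule, not PERMIS's. Note that the issuer of the user's PKC (the UK root CA) never appears: the model only ever sees the authenticated DN the PEP hands over.

```python
"""Toy model of the AC checks described in the reply above.  Added illustration,
not PERMIS code: HMAC stands in for the AC's X.509 signature, DN matching is
simplified, and the delegation rule is an assumption."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


def normalise_dn(dn: str) -> str:
    """Canonical form for comparison: trim whitespace round each RDN, lower-case
    types and values (real X.500 matching is per-attribute; this is a stand-in)."""
    rdns = []
    for rdn in dn.split(","):
        typ, _, val = rdn.strip().partition("=")
        rdns.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)

# Constructed keys, one per AA (assumption: HMAC replaces the AA's signing key).
AA_KEYS: Dict[str, bytes] = {
    normalise_dn("cn=SoA,o=Glasgow,c=GB"): b"soa-secret",
    normalise_dn("cn=Dept Manager,o=Glasgow,c=GB"): b"manager-secret",
    normalise_dn("cn=Rogue,o=Elsewhere,c=GB"): b"rogue-secret",
}

@dataclass
class AttributeCertificate:
    holder: str                 # DN the attributes are issued to
    issuer: str                 # DN of the attribute authority that signed the AC
    attributes: Dict[str, str]
    signature: bytes = b""

    def to_be_signed(self) -> bytes:
        attrs = ",".join(f"{k}={v}" for k, v in sorted(self.attributes.items()))
        return f"{normalise_dn(self.holder)}|{normalise_dn(self.issuer)}|{attrs}".encode()

def sign_ac(ac: AttributeCertificate) -> AttributeCertificate:
    key = AA_KEYS[normalise_dn(ac.issuer)]
    ac.signature = hmac.new(key, ac.to_be_signed(), hashlib.sha256).digest()
    return ac

def signature_valid(ac: AttributeCertificate) -> bool:
    key = AA_KEYS.get(normalise_dn(ac.issuer))
    if key is None:
        return False
    expected = hmac.new(key, ac.to_be_signed(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, ac.signature)

def validate_ac(ac: AttributeCertificate, authenticated_dn: str, trusted_soas: Sequence[str],
                delegation_allowed: bool, chain: Sequence[AttributeCertificate] = ()) -> Tuple[bool, str]:
    """Return (accepted, reason).  `chain` holds the ACs the issuer presents to
    prove its own delegated authority, nearest delegator first."""
    if not signature_valid(ac):
        return False, "signature does not verify"
    # The PEP said the authenticated user is `authenticated_dn`; an AC whose holder
    # is any other DN belongs to someone else, wherever it was found in LDAP.
    if normalise_dn(ac.holder) != normalise_dn(authenticated_dn):
        return False, f"holder '{ac.holder}' is not the authenticated user"
    if normalise_dn(ac.issuer) in {normalise_dn(s) for s in trusted_soas}:
        return True, "issued by a trusted SoA"
    if not delegation_allowed:
        return False, f"issuer '{ac.issuer}' is not a trusted SoA and delegation is off"
    if not chain:
        return False, "no delegation chain back to a trusted SoA"
    # Delegation rule (assumption): the issuer must itself hold a valid AC, issued to
    # its own DN, carrying every attribute value it hands on.
    upstream = chain[0]
    ok, why = validate_ac(upstream, ac.issuer, trusted_soas, delegation_allowed, chain[1:])
    if not ok:
        return False, f"delegator's AC rejected: {why}"
    excess = {k: v for k, v in ac.attributes.items() if upstream.attributes.get(k) != v}
    if excess:
        return False, f"delegator does not hold {excess}"
    return True, f"delegated by '{ac.issuer}' under '{upstream.issuer}'"

# Constructed DNs (nobody real): the e-Science style name the Globus proxy carries
# and the local LDAP name the attributes were issued under.
ESCIENCE_DN = "CN=john watt,L=NeSC,OU=Glasgow,O=eScience,C=UK"
LOCAL_DN = "cn=John Watt,ou=NeSC,o=Glasgow,c=GB"
SOA, MANAGER, ROGUE = "cn=SoA,o=Glasgow,c=GB", "cn=Dept Manager,o=Glasgow,c=GB", "cn=Rogue,o=Elsewhere,c=GB"

def run_scenarios(delegation_allowed: bool = True) -> Dict[str, Tuple[bool, str]]:
    role = {"role": "ngs-submitter"}
    manager_ac = sign_ac(AttributeCertificate(MANAGER, SOA, {"role": "ngs-submitter", "unit": "nesc"}))
    tampered = sign_ac(AttributeCertificate(ESCIENCE_DN, SOA, {"role": "guest"}))
    tampered.attributes["role"] = "admin"          # edited after signing

    def check(ac, dn=ESCIENCE_DN, chain=()):
        return validate_ac(ac, dn, [SOA], delegation_allowed, chain)
    return {
        "local_holder": check(sign_ac(AttributeCertificate(LOCAL_DN, SOA, role))),
        "mirrored": check(sign_ac(AttributeCertificate(ESCIENCE_DN, SOA, role))),
        "mirrored_variant": check(sign_ac(AttributeCertificate(ESCIENCE_DN, SOA, role)),
                                  "cn=John Watt, l=NeSC, ou=Glasgow, o=eScience, c=UK"),
        "rogue_issuer": check(sign_ac(AttributeCertificate(ESCIENCE_DN, ROGUE, role))),
        "delegated": check(sign_ac(AttributeCertificate(ESCIENCE_DN, MANAGER, role)), chain=(manager_ac,)),
        "over_delegated": check(sign_ac(AttributeCertificate(ESCIENCE_DN, MANAGER, {"role": "admin"})),
                                chain=(manager_ac,)),
        "tampered": check(tampered),
    }
```

`run_scenarios()` returns one (accepted, reason) pair per case: the AC stored under the local DN is rejected on the holder check even though the SoA signed it; the "mirrored" AC issued to the e-Science DN is accepted, including when the PEP passes that DN with different case and spacing; an AC from an issuer the policy does not name is rejected unless it can present a delegation chain back to the SoA, and even then only for attributes the delegator holds; and an AC edited after signing fails before any of the name checks run.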
