Hi David.
Thanks for the reply below.
So the DN in the Globus certificate must be present in the LDAP for ACs
to be extracted and the signature verified. If I created a PKI for the
DIS that issues certificates (and ACs) to users with the correct naming
structure, i.e.:
cn=someone,l=Compserv,ou=Glasgow,o=eScience,c=uk
instead of
cn=someone,ou=nesc,o=glasgow,c=gb
Would this be enough to link the national UK e-Science certificate DN to
the locally issued AC? If PERMIS doesn't check the signature on the PKC,
would it be enough for it to see the DNs match?
Cheers, and Merry Christmas from all at NeSC!
John
-----Original Message-----
From: This list is for software developers that use PERMIS
[mailto:[log in to unmask]] On Behalf Of David Chadwick
Sent: 01 December 2006 20:14
To: [log in to unmask]
Subject: Re: UK e-Science DN and local Attribute Authorities
Hi John
I will answer your questions below, but one of the issues you are
raising is the more general one about a user who is known by different
IDs in different domains, and how can all his attributes from all of his
IDs be used correctly. GridShib has already hit this problem, as have
many others. Several people have been working on a general solution to
this problem, rather than a short term application specific hack, but we
don't have one yet. We do have a proposal into the last JISC
e-infrastructure call to solve the problem, so if we get funded we
should end up with a standard solution. But for now, hacks are all that
we can hope for.
John Watt wrote:
> Hi,
>
> We are looking into a project to interoperate
> Shibboleth/GT4/PERMIS/GridSphere (no less!) and I have a question
> about the signing checking on PERMIS.
>
> One of our goals is to be able to submit jobs to the NGS, this
> inevitably forces us to adopt the UK e-Science Certificate naming
> convention/certificates. We are pretty much resigned to have to submit
> jobs as UK e-Science users.
>
> However we would like to use PERMIS/DIS to enforce local access
> control to Globus. We would do this by deploying PERMIS in the Globus
> container and issuing local attributes with DIS. This allows us to use
> DIS's dynamic cross-organisation features as we may deploy other
> containers with separate policies and attributes. (We already have
> this working, incidentally.)
>
> The problem comes when PERMIS is invoked. The DN coming into PERMIS
> will be of the e-Science DN type, whereas the attributes we have
> issued with DIS will be living in our own custom LDAP (signed by our
> own CA) with its own naming structure.
>
> I have an idea of mirroring/copying the attributes for a particular
> user on the same LDAP but with the placeholder name of the UK
> e-Science DN type (a fudge I know - I'm also not 100% sure this is
> legal in LDAP).
> Then when PERMIS receives a UK DN from the Globus proxy it can find
> the attributes for the corresponding user. However, will PERMIS care
> that the e-Science certificate was signed by the UK root CA when it
> does the signature check for the Attribute Certificate (signed by our
> SoA)?
No, PERMIS does not care who signed PKCs; this is a feature of the
signature-checking method, which is usually code provided by someone
else.
PERMIS does care who signed ACs. The PERMIS policy says who is allowed
to sign ACs, and if delegation is supported. If a trusted AA did not
sign the AC, then the AC will be rejected.
> Also,
> would it complain that the attribute certificate will contain a DN
> (holder name) that is different from the DN it is stored in (the UK
> DN)?
Yes, PERMIS does care about this. The AC will be rejected. This is
because your PEP told PERMIS that the authenticated name of the user was
DN1, so it will only accept ACs issued to DN1. Any ACs issued to DN2
belong to someone else, so are discarded.
regards
David
> I realise some of the above may violate LDAP rules but I want to check
> first if PERMIS would disallow it anyway.
>
> Many thanks!
> John
>
> ----------------------------------------
> Dr. John Watt, National e-Science Centre University of Glasgow,
> Glasgow G12 9BY
> Tel: 0141 330 8647 Fax: 0141 330 8625
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security The Computing Laboratory,
University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: [log in to unmask]
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk Entrust key validation
string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5
*****************************************************************
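The two checks David describes above (holder name must equal the DN the PEP authenticated; issuer must be an AA the policy trusts, with the PKC issuer playing no part) can be illustrated with a small model. This is added example code for this archive page, not PERMIS source: the attribute-certificate record, the HMAC stand-in for the AC signature, the SoA DN "cn=SoA,ou=nesc,o=glasgow,c=gb", the rogue AA DN and the simple RFC 4514-style DN normalisation are all assumptions made for the illustration. The two user DNs are the ones from John's message.

```python
"""Illustrative model of the AC checks discussed in the thread.
Added example, not PERMIS code: the AC record, the HMAC stand-in for a
real AC signature, and all SoA/AA DNs are constructed for illustration."""

import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AttributeCertificate:
    holder: str           # DN the AC was issued to
    issuer: str           # DN of the AA / SoA that signed it
    attributes: Tuple     # e.g. (("role", "nesc-user"),)
    signature: str        # hex digest in the toy scheme below


def normalise_dn(dn: str) -> str:
    """Canonicalise a DN string before comparing. Assumption: simple
    RFC 4514 DNs with no escaped commas; types and values are compared
    case-insensitively and whitespace around separators is ignored."""
    parts = []
    for rdn in dn.split(","):
        typ, _, val = rdn.partition("=")
        parts.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(parts)


def _to_be_signed(holder: str, issuer: str, attributes: Tuple) -> bytes:
    body = [normalise_dn(holder), normalise_dn(issuer)]
    body += [f"{k}={v}" for k, v in attributes]
    return "|".join(body).encode()


def issue_ac(holder: str, issuer: str, attributes, issuer_key: bytes) -> AttributeCertificate:
    """Stand-in for the SoA signing an AC (HMAC instead of a PKI signature)."""
    sig = hmac.new(issuer_key, _to_be_signed(holder, issuer, attributes),
                   hashlib.sha256).hexdigest()
    return AttributeCertificate(holder, issuer, tuple(attributes), sig)


def check_ac(ac: AttributeCertificate, authenticated_dn: str,
             trusted_aas: Dict[str, bytes]) -> Optional[str]:
    """Return None if the AC is usable for this user, else the reason
    it is rejected. Note the order: the holder check comes first, so an
    AC issued to the user's *other* DN is dropped before any signature
    work, exactly as described in the thread."""
    if normalise_dn(ac.holder) != normalise_dn(authenticated_dn):
        return "holder mismatch"          # AC belongs to someone else
    key = trusted_aas.get(normalise_dn(ac.issuer))
    if key is None:
        return "untrusted issuer"         # policy does not list this AA
    expected = hmac.new(key, _to_be_signed(ac.holder, ac.issuer, ac.attributes),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ac.signature):
        return "bad signature"            # AC altered after issue
    return None


def usable_attributes(authenticated_dn: str, candidates: List[AttributeCertificate],
                      trusted_aas: Dict[str, bytes]):
    """Split the ACs pulled from LDAP into usable attributes and rejections."""
    accepted, rejected = [], []
    for ac in candidates:
        reason = check_ac(ac, authenticated_dn, trusted_aas)
        if reason is None:
            accepted.extend(ac.attributes)
        else:
            rejected.append((ac.holder, ac.issuer, reason))
    return accepted, rejected


# Constructed scenario: the user's two DNs from the thread plus assumed AAs.
ESCIENCE_DN = "cn=someone,l=Compserv,ou=Glasgow,o=eScience,c=uk"
LOCAL_DN = "cn=someone,ou=nesc,o=glasgow,c=gb"
LOCAL_SOA = "cn=SoA,ou=nesc,o=glasgow,c=gb"        # assumed local SoA DN
ROGUE_AA = "cn=SoA,o=somewhere-else,c=gb"          # assumed untrusted AA
SOA_KEY = b"constructed-soa-key"
TRUSTED_AAS = {normalise_dn(LOCAL_SOA): SOA_KEY}   # the "policy" trust list


def demo():
    """The PEP authenticated the e-Science DN; four ACs are found in LDAP."""
    acs = [
        issue_ac(LOCAL_DN, LOCAL_SOA, [("role", "nesc-user")], SOA_KEY),     # wrong holder
        issue_ac(ESCIENCE_DN, LOCAL_SOA, [("role", "nesc-user")], SOA_KEY),  # usable
        issue_ac(ESCIENCE_DN, ROGUE_AA, [("role", "admin")], b"rogue-key"),  # untrusted AA
    ]
    good = issue_ac(ESCIENCE_DN, LOCAL_SOA, [("role", "nesc-user")], SOA_KEY)
    acs.append(AttributeCertificate(good.holder, good.issuer,
                                    (("role", "admin"),), good.signature))   # tampered
    return usable_attributes(ESCIENCE_DN, acs, TRUSTED_AAS)


if __name__ == "__main__":
    print(demo())
```

The point of the scenario is the first AC: it is perfectly well signed by the local SoA, but because its holder is the local DN and the PEP authenticated the e-Science DN, it is discarded before the signature is even looked at. Re-issuing the AC with the e-Science DN as holder (the second AC) is what makes it usable, which is the answer to the question of whether matching DNs is enough.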