PERMIS-DEV Archives
PERMIS-DEV@JISCMAIL.AC.UK
Subject: Re: UK e-Science DN and local Attribute Authorities
From: John Watt <[log in to unmask]>
Reply-To: This list is for software developers that use PERMIS <[log in to unmask]>
Date: Thu, 21 Dec 2006 16:25:04 -0000
Content-Type: text/plain

Hi David.
Thanks for the reply below.
So the DN in the Globus certificate must be present in the LDAP for ACs
to be extracted and the signature verified. If I created a PKI for the
DIS that issues certificates (and ACs) to users with the correct naming
structure, i.e.:

    cn=someone,l=Compserv,ou=Glasgow,o=eScience,c=uk

instead of

    cn=someone,ou=nesc,o=glasgow,c=gb

Would this be enough to link the national UK e-Science certificate DN to
the locally issued AC? If PERMIS doesn't check the signature on the PKC,
would it be enough for it to see the DNs match?

Cheers, and Merry Christmas from all at NeSC!
John


-----Original Message-----
From: This list is for software developers that use PERMIS
[mailto:[log in to unmask]] On Behalf Of David Chadwick
Sent: 01 December 2006 20:14
To: [log in to unmask]
Subject: Re: UK e-Science DN and local Attribute Authorities

Hi John

I will answer your questions below, but one of the issues you are
raising is the more general one about a user who is known by different
IDs in different domains, and how can all his attributes from all of his
IDs be used correctly. GridShib has already hit this problem, as have
many others. Several people have been working on a general solution to
this problem, rather than a short term application specific hack, but we
don't have one yet. We do have a proposal into the last JISC
e-infrastructure call to solve the problem, so if we get funded we
should end up with a standard solution. But for now, hacks are all that
we can hope for.

John Watt wrote:
> Hi,
> 
> We are looking into a project to interoperate 
> Shibboleth/GT4/PERMIS/GridSphere (no less!) and I have a question 
> about the signing checking on PERMIS.
> 
> One of our goals is to be able to submit jobs to the NGS, this 
> inevitably forces us to adopt the UK e-Science Certificate naming 
> convention/certificates. We are pretty much resigned to have to submit
> jobs as UK e-Science users.
> 
> However we would like to use PERMIS/DIS to enforce local access 
> control to Globus. We would do this by deploying PERMIS in the Globus 
> container and issuing local attributes with DIS. This allows us to use
> DIS's dynamic cross-organisation features as we may deploy other
> containers with separate policies and attributes. (We already have
> this working incidentally)
> 
> The problem comes when PERMIS is invoked. The DN coming into PERMIS 
> will be of the e-Science DN type, whereas the attributes we have 
> issued with DIS will be living in our own custom LDAP (signed by our 
> own CA) with its own naming structure.
> 
> I have an idea of mirroring/copying the attributes for a particular 
> user on the same LDAP but with the placeholder name of the UK 
> e-Science DN type (a fudge I know - I'm also not 100% sure this is
> legal in LDAP).
> Then when PERMIS receives a UK DN from the Globus proxy it can find 
> the attributes for the corresponding user. However, will PERMIS care 
> that the e-Science certificate was signed by the UK root CA when it 
> does the signature check for the Attribute Certificate (signed by our
> SoA)?

No, PERMIS does not care who signed PKCs; this is a feature of the
signature checking method, which is usually code provided by someone
else.

PERMIS does care who signed ACs. The PERMIS policy says who is allowed
to sign ACs, and if delegation is supported. If a trusted AA did not
sign the AC, then the AC will be rejected.

Also,
> would it complain that the attribute certificate will contain a DN 
> (holder name) that is different from the DN it is stored in (the UK
> DN)?

Yes, PERMIS does care about this. The AC will be rejected. This is
because your PEP told PERMIS that the authenticated name of the user was
DN1, so it will only accept ACs issued to DN1. Any ACs issued to DN2
belong to someone else, so are discarded.

regards

David

> I realise some of the above may violate LDAP rules but I want to check
> first if PERMIS would disallow it anyway.
> 
> Many thanks!
> John
> 
> ----------------------------------------
> Dr. John Watt, National e-Science Centre University of Glasgow,  
> Glasgow  G12 9BY
> Tel: 0141 330 8647    Fax: 0141 330 8625 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax: +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: [log in to unmask]
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
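The two checks David describes (the AC must be signed by an AA the PERMIS policy trusts, and the AC holder must equal the DN the PEP authenticated), applied to the DNs from this thread, as an added model that is not PERMIS code. Signature validity is a boolean stand-in for real X.509 AC signature verification, the SoA DN is constructed, and DN comparison is simplified to case-insensitive matching of types and values.

```python
from dataclasses import dataclass, field


def normalise_dn(dn: str) -> str:
    """Canonical form of an X.500 DN: trims spacing and lower-cases types and
    values (a simplification of the caseIgnoreMatch rule used by cn/ou/o/l/c)."""
    rdns = []
    for rdn in dn.split(","):
        typ, _, val = rdn.partition("=")
        rdns.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


@dataclass
class AttributeCertificate:
    holder: str                   # DN the AC was issued to
    issuer: str                   # DN of the AA/SoA that signed it
    attributes: dict = field(default_factory=dict)
    signature_valid: bool = True  # stand-in for real AC signature verification (assumption)


def evaluate_ac(authenticated_dn: str, ac: AttributeCertificate,
                trusted_soas: list) -> tuple:
    """The two checks the thread describes. The PKC issuer is deliberately not an
    input: PERMIS leaves PKC validation to the PEP's authentication layer."""
    if not ac.signature_valid:
        return False, "AC signature does not verify"
    if normalise_dn(ac.issuer) not in {normalise_dn(s) for s in trusted_soas}:
        return False, "AC issuer is not a trusted AA in the PERMIS policy"
    if normalise_dn(ac.holder) != normalise_dn(authenticated_dn):
        return False, "AC holder differs from the DN the PEP authenticated"
    return True, "accepted"


# DNs from the thread; the SoA DN is constructed for the example.
ESCIENCE_DN = "cn=someone,l=Compserv,ou=Glasgow,o=eScience,c=uk"
LOCAL_DN = "cn=someone,ou=nesc,o=glasgow,c=gb"
LOCAL_SOA = "cn=SoA,ou=nesc,o=glasgow,c=gb"
TRUSTED_SOAS = [LOCAL_SOA]


def demo() -> dict:
    """The Globus proxy presents the e-Science DN; three candidate ACs from the LDAP."""
    acs = {
        "local_holder": AttributeCertificate(LOCAL_DN, LOCAL_SOA, {"role": "nesc"}),
        "reissued_holder": AttributeCertificate(ESCIENCE_DN, LOCAL_SOA, {"role": "nesc"}),
        "untrusted_aa": AttributeCertificate(ESCIENCE_DN, "cn=AA,o=elsewhere,c=gb"),
    }
    return {name: evaluate_ac(ESCIENCE_DN, ac, TRUSTED_SOAS) for name, ac in acs.items()}
```

Only the AC re-issued by the local SoA to the e-Science DN is accepted; the one stored under the local DN fails the holder check, and an AC from an AA outside the policy fails regardless of its holder.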
