[seek-dev] [Bug 1163] New: - install and configure certificate authority system for ecogrid

bugzilla-daemon@ecoinformatics.org bugzilla-daemon at ecoinformatics.org
Fri Sep 26 14:43:59 PDT 2003


           Summary: install and configure certificate authority system for
           Product: SEEK
           Version: unspecified
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: enhancement
          Priority: P1
         Component: ecogrid
        AssignedTo: jones at nceas.ucsb.edu
        ReportedBy: jones at nceas.ucsb.edu
         QAContact: seek-dev at ecoinformatics.org

We need a common mechanism for authenticating users for EcoGrid.  We have
general agreement that the OGSA Grid Security Infrastructure (GSI) is the right
way to handle this.  For that to work, every user needs to have a public key
certificate which is signed by a certificate authority (CA).  In Seattle Sept 23
the EcoGrid team agreed that the best way to handle this is through a
hierarchical certificate granting structure.  A root EcoGrid CA will sign
certificates for various organizations such as LTER and NCEAS, and they in turn
will sign certificates for users in their organization.  This 'chain-of-trust',
if properly managed, should establish strong security and be scalable to the >
5000 scientists in our current personnel directories.

Each of these trusted CAs would probably also act as one of the distributed
EcoGrid Registries for locating services throughout the grid.

For this to work, we need a simple system in place for users to request
certificates and for the CA admins to sign them.  Matt agreed to tackle this.

The tricky issues remaining here include:
  1) What system can be used for distributing DN info to mapfiles?
  2) How can browser-based interfaces be used with certificates?
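
The chain-of-trust described in the report above, as an added example that is not part of the original message or of the SEEK project's setup: a constructed root CA, organization CA and user certificate built with the `openssl` command line, then checked with `openssl verify`. It uses plain X.509 rather than GSI tooling, and every subject name and file name in it is made up for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo: root CA -> organization CA -> user, verified with openssl.
# Subject names (/O=EcoGrid-Demo/...) and file names are made up for illustration.

# issue NAME SUBJECT EXTFILE [ISSUER]: create a key and CSR for NAME and sign it.
# With no ISSUER the certificate is self-signed (the root).
issue() {
  name=$1 subj=$2 ext=$3 issuer=${4:-}
  openssl genrsa -out "$name.key" 2048 2>/dev/null || return 1
  openssl req -new -config req.cnf -key "$name.key" -subj "$subj" -out "$name.csr" || return 1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" \
      -extfile "$ext" -days 30 -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -extfile "$ext" -days 30 -out "$name.pem" 2>/dev/null
  fi
}

# build_chain DIR: changes into DIR (an empty scratch directory) and fills it.
build_chain() {
  cd "$1" || return 1
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
  # Only CA certificates may sign other certificates; user certificates may not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > user.ext
  issue root  '/O=EcoGrid-Demo/CN=Demo Root CA' ca.ext &&
  issue org   '/O=EcoGrid-Demo/OU=Org-A/CN=Org-A CA' ca.ext root &&
  issue user  '/O=EcoGrid-Demo/OU=Org-A/CN=Jane Scientist' user.ext org &&
  issue rogue '/O=EcoGrid-Demo/OU=Org-A/CN=Not Approved' user.ext user &&
  cat org.pem user.pem > both.pem
}

# chain_ok CERT [INTERMEDIATES]: true only if CERT chains to root.pem, using the
# optional file of intermediate certificates to complete the path.
chain_ok() {
  openssl verify -CAfile root.pem ${2:+-untrusted "$2"} "$1" 2>&1 | grep -q ': OK$'
}

build_chain "$(mktemp -d)" || exit 1
chain_ok user.pem org.pem   && echo "user cert via org CA: trusted"
chain_ok user.pem           || echo "user cert without the org CA cert: no path to root"
chain_ok rogue.pem both.pem || echo "cert signed by a non-CA user cert: rejected"
```

A relying party only needs `root.pem` as its trust anchor; the organization CA certificate travels with the user certificate, and the `basicConstraints` extension is what stops a user certificate from acting as a further CA.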
