Tuesday, November 20, 2007

X.509 Certificate & Grid

By Stephan Erberich

X.509 certificates do not use IP information. The cryptographic key behind the certificate authenticates the sender as a member of the same security domain. That is why you can log on to your bank account from any computer: the bank uses single sign-on over SSL, and the certificate is created on the basis of your username/password.

In your case the healthgrid security domain will issue you an end-entity X.509 certificate, which you can deposit in a certificate bank, the MyProxy service (also on healthgrid). From there you can check out proxy certificates of limited lifetime (e.g. tokens) to authenticate yourself or a MEDICUS service when accessing healthgrid resources.

One more word on this: authentication is not the same as authorization. Knowing that a service request comes from "Ken Hall" does not mean that you gain access to all services; that depends on your role in the Grid. Actually, roles are becoming obsolete with SAML assertions, which carry attributes instead of roles.

Now, what you need in order to provide services on a server is a host certificate, which allows the host to validate the authenticity of the user certificates presented to the services running on it. These certificates use the fully qualified host name (FQHN) as the distinguished name (DN) in the certificate. Thus a host cert is not bound to an IP address, but to the DNS FQHN.
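To make the two points above concrete, here is an added example (not code from the original post or from HealthGrid/MEDICUS) of the checks a relying party performs on a short-lived proxy chain and on a host certificate. Certificates are modelled as plain dicts of subject, issuer and validity dates, an assumption made so the example runs stand-alone; the sample DNs, hostnames and dates are constructed.

```python
from datetime import datetime, timezone

def to_utc(s):
    """Parse a constructed ISO timestamp as UTC (sample-data helper)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def valid_at(cert, now):
    return cert["not_before"] <= now <= cert["not_after"]

def proxy_chain_identity(chain, now):
    """chain[0] is the CA-issued end-entity cert; each later element is a proxy
    signed by the element before it.  Returns (dn, "ok") with the end-entity DN
    the chain authenticates, or (None, reason).  This is authentication only:
    the DN says who is calling, not which services they may use."""
    ee = chain[0]
    if not valid_at(ee, now):
        return None, "end-entity certificate expired or not yet valid"
    parent = ee
    for proxy in chain[1:]:
        # RFC 3820 naming rule: subject == issuer's subject + exactly one CN RDN
        if proxy["issuer"] != parent["subject"]:
            return None, "proxy issuer does not match the signing certificate"
        if proxy["subject"][:-1] != parent["subject"] or not proxy["subject"][-1].startswith("CN="):
            return None, "proxy subject is not issuer subject plus one CN"
        # a short-lived proxy may not outlive the credential that signed it
        if proxy["not_before"] < parent["not_before"] or proxy["not_after"] > parent["not_after"]:
            return None, "proxy validity window exceeds that of its signer"
        if not valid_at(proxy, now):
            return None, "proxy expired or not yet valid"
        parent = proxy
    return ee["subject"], "ok"

def host_cert_matches(cert, fqhn):
    """A host cert is bound to the DNS name, never to an IP: its subject CN must
    equal the fully qualified host name (Globus also uses the 'host/' prefix)."""
    return cert["subject"][-1] in (f"CN={fqhn}", f"CN=host/{fqhn}")

# Constructed sample data (not real HealthGrid credentials)
CA_DN = ("DC=org", "DC=healthgrid", "CN=HealthGrid CA")
USER = {"subject": ("DC=org", "DC=healthgrid", "CN=Ken Hall"), "issuer": CA_DN,
        "not_before": to_utc("2007-01-01T00:00:00"), "not_after": to_utc("2008-01-01T00:00:00")}
PROXY = {"subject": USER["subject"] + ("CN=1234567",), "issuer": USER["subject"],
         "not_before": to_utc("2007-11-20T08:00:00"), "not_after": to_utc("2007-11-20T20:00:00")}
HOST = {"subject": ("DC=org", "DC=healthgrid", "CN=host/medicus.healthgrid.org"), "issuer": CA_DN,
        "not_before": USER["not_before"], "not_after": USER["not_after"]}

if __name__ == "__main__":
    now = to_utc("2007-11-20T12:00:00")
    print(proxy_chain_identity([USER, PROXY], now))  # (('DC=org', 'DC=healthgrid', 'CN=Ken Hall'), 'ok')
    print(host_cert_matches(HOST, "medicus.healthgrid.org"), host_cert_matches(HOST, "10.0.0.5"))  # True False
```

A proxy that claims a longer lifetime than the user certificate that signed it, or whose subject is not the signer's DN plus one CN, is rejected with a reason suitable for logging.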

Hope this untangled the matter a bit.
