Monday, April 20, 2009

User Credential Security

Peter, Vaughn and I were talking the other day about how security configuration for authentication will differ between the current release of Grid Publisher and the future roll out plan. The current release of Grid Publisher uses the existing CDC credential/authentication infrastructure of SDN for issuing user certificates and authenticating users and VeriSign for creating host certificates for nodes. We're doing this because it's simpler initially. But to scale this would be expensive and would also put a large amount of control solely in CDC's hands.

So I created some models on the wiki to try to represent where we want to be with PHGrid in the future. Basically, I see PHGrid supporting multiple CAs that users and nodes can use for certificates. This means that there isn't a single CA for PHGrid but a trust mesh of CAs who can identify participants on the grid.

Of course, nodes still assign rights and privileges to subjects identified by the certificates, but at least we don't get into an expensive component that could limit grid sustainability.

Please let me know your thoughts about how in/valid you think this will be.

No comments: