Presentation on theme: "Author - Title- Date - n° 1 Partner Logo Authentication John Gordon GridPP 2 nd May 2002."— Presentation transcript:
Author - Title- Date - n° 1 Partner Logo Authentication John Gordon GridPP 2 nd May 2002
John Gordon - DataGrid Workshop, Frascati, Oct Certificate Authorities u RAL has run a CA for UKHEP since October 2000 u CLRC GSC runs a prototype CA for the UK eScience Core Programme n You can use it now CLRC is developing ‘ The UK e-Science CA’ u The UK e-Science CA will issue personal, server, and service certificates
John Gordon - DataGrid Workshop, Frascati, Oct Personal : /C=UK/O=eScience/OU= /L= /CN= u The CN should be a personal name, not a role, i.e. "Joe Bloggs“ rather than "postmaster" or "RA". u The OU is the UK e-Science project of the Registration Authority, not (necessarily) the project that the user belongs to. u Similarly, L is the locality of the RA. u For personal certificates, we keep the address provided by the user, and this is the only personal information we keep, and it is not made public.
John Gordon - DataGrid Workshop, Frascati, Oct Server certificates : /C=UK/O=eScience/OU= /L= /CN= / = u Here fqdn is a Fully Qualified Domain Name, is an address of a contact person, a person who is responsible for that host u (this address is publically available, but that's the same with DNS for example, the host's DNS entry will also have an address).
John Gordon - DataGrid Workshop, Frascati, Oct Service certificates : u Are the same as server certificates. Except the CN is u.../CN= / / = u and service is the IANA assigned name for the service (not sure yet if we allow for non-standard port-numbers, probably we should but it's not in there yet).
John Gordon - DataGrid Workshop, Frascati, Oct u For further details, consult u u Service numbers: u u (yes, gsiftp is in there)
John Gordon - DataGrid Workshop, Frascati, Oct Authorisation u Important to separate this from Authentication u Certificates above say nothing about membership of projects or VOs u Working with Globus on Community Authorisation Service (CAS) u Current authorisation by gridmapfile (Andrew McNab)