JGridstart/Authentication

From PDP/Grid Wiki
Jump to navigationJump to search

<sidebar>

  • jGridstart
    • JGridstart|Home
    • JGridstart/Help|Help
    • JGridstart/Support|Support
  • jGridstart for ...
    • JGridstart/Certificate_Authorities|Certificate Authorities
    • JGridstart/Developers|Developers

</sidebar>jGridstart should support multiple authentication processes. At the moment, it only supports the "offline" method, but this is being changed.

The usual process for obtaining a certificate is:

  1. The user submits a request (CSR)
  2. The user has his/her identity vetted, e.g.
    • with username and password that has been associated to a user's identity before
    • with a security token supplied via Java Web Start
    • offline, by going to a registration authority in person with e.g. a passport
  3. The certificate authority creates and signs the user's certificate
    • by an automated system connected to the internet
    • offline, manually by a certificate authority operator
  4. The user retrieves his/her certificate

Identity vetting and certificate signing can be a manual step, greatly affecting the user experience of the process. The different scenario's need to be tackled separately for jGridstart to give a logical and out-of-the-way user-experience.

Offline identity vetting

The user uploads a certificate signing request and then visits a registration authority in person, which confirms the identity of the user (with a passport, for example) and the associated request. This is transferred to the certificate authority, which creates and signs the certificate.

jGridstart needs to display the instructions for offline identity vetting. Part of this procedure is printing a form with a token identifying the certificate signing request submitted. Between the submission of the request and the retrieval of the certificate is some time (for visiting the registration authority). The user-interface should clearly state the status of the request, and what is expected of the user.

Whether the certificate authority then signs the certificate online or offline doesn't matter that much, since there already is some time required for offline identity vetting.

jGridstart is currently tailored towards this procedure.


Online identity vetting

When the user's identity has been vetted before (e.g. with the creation of a login account at a certain institute), this can be used to check the identity instead of the offline method. When the user wants a certificate, it logs into his or her account and submits the request. In case of an online certificate authority, it can immediately retrieve the certificate. In case of an offline certificate authority, the user has to wait and retrieve it later.

Offline certificate authority

jGridstart's operation is not too different from offline identity vetting, only an extra login is required before submitting the request (or possibly before downloading the certificate).

Online certificate authority

With online identity vetting and an online certificate authority, there is no manual step involved, and the user can immediately retrieve the certificate. This is a different user-experience. The proposed order is:

  1. User logs in
  2. User submits the request and retrieves certificate in one run

This makes it a lot easier. Handling of multiple certificates is something to consider though, since certificates need not to be renewed anymore. Confusa uses this approach.

Retrieved from "https://wiki.nikhef.nl/grid/index.php?title=JGridstart/Authentication&oldid=7658"