User:Wvengen@nikhef.nl/Globus certificates for Users
To use a (gLite or Globus) grid one needs a certificate. This comprises a private key that belongs to the user, and a public certificate that is signed by a certificate authority. While this method is generally seen as secure and scalable, user experience is often not optimal. One of my goals is to make this as seamless as possible to end-users of the grid.
There are a couple of security requirements which must be met, as defined in the guidelines for protection of private key data:
- The private key must be protected with a passphrase and not publicly accessible.
- The private key must be generated using trustworthy cryptographic software.
- The private key can only be transferred over secure networks, but it is better to use proxy certificates instead.
Existing software requirements
All kinds of applications that interact with the grid need to find the user's credentials:
- Web browsers to access protected websites, like the VOMS signup page, job monitors, and protected collaboration areas.
- gLite/Globus utilities to operate on jobs and files on the grid, like voms-proxy-init.
- A user working on a user-interface (UI) needs to have either its certificate their (if trusted) or its proxy
The certificate and key need to be accessible both by Globus tools and the web browser.
- jGridstart: a Java Web Start application that guides the user through all steps required for obtaining and installing a certificate
- Globus-PKCS11: access the Globus certificate from the browser
- libbrowser: access browser certificates from Java
- Storing the user's key and certificate on a remote secure server. This would allow seamsless integration with web-based portals (though it would need to be updated and maintained).
- Use a robot certificate for each application. The user then interacts with a portal with its own authentication. (1) (2) This is persued in our LGIportal project, together with the lgipilot.