Difference between revisions of "User:Wvengen@nikhef.nl/JGridStart"

From PDP/Grid Wiki
Jump to navigationJump to search
m (update roadmap)
(add note about grix)
Line 4: Line 4:
  
 
Meanwhile you can have a look at a [http://www.nikhef.nl/~wvengen/jgridstart02/jgridstart.jnlp user-interface mockup]. This may or may not be something that resembles the final product. Please remember that it doesn't work at all as of yet.
 
Meanwhile you can have a look at a [http://www.nikhef.nl/~wvengen/jgridstart02/jgridstart.jnlp user-interface mockup]. This may or may not be something that resembles the final product. Please remember that it doesn't work at all as of yet.
 +
 +
[http://grix.arcs.org.au/ Grix] is an existing program that aims for the same goal. It [User:Wvengen@nikhef.nl/JGridStart/Grix|may or may not be] a viable solution for us.
  
 
== Planned features ==
 
== Planned features ==

Revision as of 10:22, 20 March 2009

Using a computing grid requires authorisation and authentication. This is managed by asymmetric cryptography with client-side SSL certificates. Currently, setting this up requires the user to go through several steps that can by quite daunting to some. jGridStart attempts to ease this process with automation and a graphical user-interface, enabling you to quickly proceed to actually using the grid.

jGridStart is currently being developed. I expect the first version to be ready somewhere in May 2009.

Meanwhile you can have a look at a user-interface mockup. This may or may not be something that resembles the final product. Please remember that it doesn't work at all as of yet.

Grix is an existing program that aims for the same goal. It [User:Wvengen@nikhef.nl/JGridStart/Grix|may or may not be] a viable solution for us.

Planned features

  • user-interface
    • both graphical user-interface for easy usage by unknowledgeable users
    • and command-line interface for cli addicts and testing.
    • the application should detect the state of affairs and present sensible actions
    • working on multiple platforms: Linux, Windows, Mac OS X at the least
  • single point-of-entry for management of user grid certificates, including
    • requesting a new certificate
    • installing certificates into different parts of the system (like internet browsers)
    • rekeying an (almost expired) certificate
    • sending revocation requests
    • switching between different certificates (like the default certificate in your ~/.globus)
    • importing/exporting a certificate for transfer
    • changing the private key passphrase
  • security checks
    • validate permissions of private keys
    • require passwords on places where private keys is stored
    • require passwords to pass a minimum strength test
    • check certificates against revocation lists
  • adaptable configuration so it can be deployed by other parties with moderate effort
    • location of web forms for interaction with certificate authority
    • content and properties of user's certificate
    • name and organisation texts


Roadmap

version 0.1

  • graphical and command-line user-interface
  • working on Linux, written with portability in mind
  • actions: request new certificate, install, request renewal
  • security checks
  • multiple-certificates interface additions when multiple certificates found

version 0.2

  • working on Linux, Windows, Mac OS X
  • tests using command-line interface

version 0.3

  • actions: request revocation, import, export, change passphrase
  • add the notion of archived certificates (expired or revoked) and implement in user-interface

version 0.4

  • gather and process user feedback
  • make it work with other RA backends as well


Notes of RA's

If you have something to add, please notify me!

  • frequently happening problems
    • people often send either a certificate signing request or the form instead of both
    • people often send a renewal as new request because they forget to send an S/MIME mail
  • feature requests
    • in registration form: identity-proof-document fields don't match the web interface ("nationality" instead of "document issuing country" and "document type")
    • a renewal should be sent automatically to the correct RA (same as original request but beware email changes)
    • in the RA interface "Authenticate request" an additional comment field would be handy
    • verify email by sending a confirmation link before accepting a certificate signing request


Server-side

jGridStart talks with a certificate authority using http requests. The application is delivered with a simple proof-of-concept certification authority that implements the required functionality. Also the existing DutchGrid CA web interface will be adapted to work with it.


Related documents

Related software

  • Grid Tools
  • SpectroGrid2 with a java web start based certificate manager (also here)
  • JaBaCATs Java Basic Certificate Authority Tools
  • Portecle - GUI to create, manage and examine keystores, keys, certificates, requests, revocation lists and more.
  • KeyTool IUI the cryptography GUI tool
  • gridshib-ca contains a java web start tool that installs user certificates
  • Grix is a Java gui application to help users handle security related tasks within a grid environment