[AG-DEV] AG3 certificates

Christoph Willing willing at itee.uq.edu.au
Thu Jan 19 05:55:00 CST 2006


On 19/01/2006, at 7:54 PM, Thomas D. Uram wrote:

> Chris:  Comments inline...
>
> On 1/18/06 11:50 PM, Christoph Willing wrote:
>> I see that certificate management has been removed from
>> VenueClientUI.py with the comment:
>>     # - Disabled for 3.0: No client-side auth support
>> Initially I was looking for a way to request/retrieve/install
>> user certificates - but it seems now that they're not needed.
>> Well, after deleting the certificate I was using (with
>> certmgr.py), I find I can still start the VenueClient. However
>> the VenueServer won't start without it.
>> At the moment then, if someone wanted a certificate, they'd have
>> to have an AG2 VenueClient installed to retrieve a certificate
>> (Certificate Manager can request it, certmgr could install it,
>> but there's no way to retrieve it after the request is approved).
>
> I'm able to use the standalone CertificateManager.py to retrieve certs.
> Is that failing for you?

Oh - I didn't realise that the CertificateRequestTool UI changes if
there is an outstanding cert request. When I first ran it to request
a cert, there was nothing in the UI to retrieve a cert. Now that
I've run it again, a different interface has appeared enabling
retrieval. Very clever!


>> What about the longer term? VenueClients will have, or will be
>> able to have, certificates eventually won't they?
>
> Yes.  The complication is that the VenueClient really wants to do
> single sign-on as in 2.x with proxy certificates, so that the
> authenticated identity can be used by the VenueClient and shared
> applications and other standalone apps, but we didn't have that
> mechanism available to us until just recently (OpenSSL 0.9.8).
> Current thinking is that we will do single sign-on using the proxy
> support in OpenSSL for the next release, but it will remain a Venue
> option whether a cert is required or not.

That's a relief. I know many people aren't very interested in
authentication/security for ordinary meetings. However in some areas
(e.g. remote instrumentation), AG won't get a look in without it.
Imagine making some $million scientific instrument available via a
mechanism with no security. It just won't happen.


chris


Christoph Willing                           +61 7 3365 8350
QPSF Access Grid Manager
University of Queensland





