[AG-DEV] AG3 certificates
Christoph Willing
willing at itee.uq.edu.au
Thu Jan 19 05:55:00 CST 2006
On 19/01/2006, at 7:54 PM, Thomas D. Uram wrote:
> Chris: Comments inline...
>
> On 1/18/06 11:50 PM, Christoph Willing wrote:
>> I see that certificate management has been removed from
>> VenueClientUI.py with the comment:
>> # - Disabled for 3.0: No client-side auth support
>> Initially I was looking for a way to request/retrieve/install
>> user certificates - but it seems now that they're not needed.
>> Well, after deleting the certificate I was using (with
>> certmgr.py), I find I can still start the VenueClient. However
>> the VenueServer won't start without it.
>> At the moment then, if someone wanted a certificate, they'd have
>> to have an AG2 VenueClient installed to retrieve a certificate
>> (Certificate Manager can request it, certmgr could install it,
>> but there's no way to retrieve it after the request is approved).
>
> I'm able to use the standalone CertificateManager.py to retrieve
> certs. Is that failing for you?
Oh - I didn't realise that the CertificateRequestTool UI changes if
there is an outstanding cert request. When I first ran it to request
a cert, there was nothing in the UI to retrieve a cert. Now that
I've run it again, a different interface has appeared enabling
retrieval. Very clever!
>> What about the longer term? VenueClients will have, or will be
>> able to have, certificates eventually won't they?
>
> Yes. The complication is that the VenueClient really wants to do
> single sign-on as in 2.x with proxy certificates, so that the authenticated
> identity can be used by the VenueClient and shared applications and
> other standalone apps, but we didn't have that mechanism available
> to us until just recently (OpenSSL 0.9.8). Current thinking is that
> we will do single signon using the proxy support in OpenSSL for the
> next release, but it will remain a Venue option whether a
> cert is required or not.
That's a relief. I know many people aren't very interested in
authentication/security for ordinary meetings. However in some areas
(e.g. remote instrumentation), AG won't get a look in without it.
Imagine making some $million scientific instrument available via a
mechanism with no security. It just won't happen.
chris
Christoph Willing +61 7 3365 8350
QPSF Access Grid Manager
University of Queensland