[AG-TECH] Certificates doubts

Thomas D. Uram turam at mcs.anl.gov
Thu Jun 22 17:03:01 CDT 2006

On 6/18/06 9:42 AM, carlosperezs at alumnos.uvigo.es wrote:
> Hello everyone:
> I come from the University of Vigo, Galiza, Spain. It has several Venue
> Servers for AccessGrid. One of them is used to test software.
> What I would like to do is to create a Certificate Server for this Venue Server
> and for the clients that will use this Venue Server, so that this
> Venue is used only by a few users. Is it possible?
You don't have to issue your own certificates to control who can access
your venues.  You could use the authorization mechanisms in the Access
Grid software to limit access to only those users you wish to allow.
Of course, if you want to use your own certificates, you could do that
instead.  In that case, you would only be allowing certificates that you
had issued, and it would be checked at the transport level.
> Besides, I have 2 doubts about the certificates:
> When I connect to a Venue Server, my venue client sends my anonymous certificate.
> The server validates it and sends my client its own certificate. After that,
> the mutual authentication occurs. Is it correct?
On connect, the client and server validate each other's certificate
chain, and the server authorizes the client based on its identity and
the current venue authorization policy.
> For the validation process, does the venue server ask the Certificate Authority
> (Argonne) whether my certificate is out of date or not? Is it correct?
The certificate validity dates are checked locally and by the server.
There is no communication with the certificate authority regarding the
validity of your certificate.  This would be done using a Certificate
Revocation List (CRL) and some mechanism for performing a check against
the CRL, but we don't currently do any such checking.
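The two checks discussed above, as an added example that is not Access Grid code and not part of this thread: a local notBefore/notAfter check over the dict Python's `getpeercert()` returns, and a mutually authenticating server context that, when a CRL file is supplied, has OpenSSL reject revoked client certificates (the check the reply says the software does not do). File paths are placeholders the caller provides.

```python
import ssl
import time


def certificate_in_validity_window(peercert, now=None):
    """Local expiry check: True if `now` (epoch seconds) lies inside
    notBefore..notAfter.  `peercert` has the shape returned by
    ssl.SSLSocket.getpeercert() after a verified handshake, whose time
    strings look like 'Jun 22 17:03:01 2006 GMT'."""
    if now is None:
        now = time.time()
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return not_before <= now <= not_after


def venue_server_context(cafile, certfile, keyfile, crlfile=None):
    """Server-side context for mutual TLS.  The client must present a
    certificate chaining to the CA(s) in `cafile`; with `crlfile` given,
    OpenSSL also rejects a leaf certificate listed in that CRL (PEM).
    All paths are placeholders chosen by the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED       # no anonymous/unknown clients
    ctx.load_cert_chain(certfile, keyfile)     # the server's own identity
    ctx.load_verify_locations(cafile=cafile)   # only CAs we issued/trust
    if crlfile:
        # load_verify_locations also accepts a CRL; the flag turns the
        # revocation check on for the client's leaf certificate.
        ctx.load_verify_locations(cafile=crlfile)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


if __name__ == "__main__":
    # Constructed sample in getpeercert() format, not a real certificate.
    sample = {"notBefore": "Jun 22 00:00:00 2006 GMT",
              "notAfter": "Jun 22 00:00:00 2007 GMT"}
    print(certificate_in_validity_window(sample))  # False: long expired
```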


