This document outlines the motivation and approach for implementing Proxy Certificates (PC) in the realm of grid computing, where users need to dynamically create entities like computational jobs and manage their identities and permissions. The existing traditional certificate authority (CA) model is deemed too cumbersome for this dynamic environment. The proposed PC resembles an X.509 identity certificate, features critical extensions, and allows end entities to delegate rights selectively, adapting to various policies. Recent changes since draft-03 emphasize path validation improvements and specific ASN.1 modules.
Proxy Certificate Profile
• draft-ietf-pkix-proxy-04
• Motivation:
  • Grid computing – users dynamically create entities (e.g. computational jobs)
  • Need to name created entities
  • Need to grant rights to created entities
  • Dynamic nature of creation makes the traditional CA process too heavyweight
Von Welch (welch@mcs.anl.gov)
Summary of Approach
• End entity creates a Proxy Cert (PC) for the created entity
• Looks like an X.509 identity cert
• Has a critical extension identifying it as a PC
• Has an identity based off / scoped by the EEC identity
  • But distinct and unique
Summary (cont)
• Can contain the intention of the EE to delegate all/none/some of its rights to the PC holder
  • Arbitrary policy for delegation
  • Defined by an OID and a policy blob
  • Policy defined for All (allows for “impersonation” in terms of authorization)
  • Policy defined for No rights delegated (allows for an “independent” proxy)
• With PV changes, a PC chain works in place of a standard EEC chain in TLS, SSL, etc.
Changes since Atlanta (draft-03)
• Path validation now specified as additions to RFC 3280
  • Based on feedback from PKIX
  • As opposed to modifications to 3280
• Describes steps for validating the PC part of the cert chain
  • Take the outputs from 3280 PV and use them to do PV on the PC part of the cert chain
Changes (cont)
• ASN.1 module added
• IETF/PKIX issued OIDs for the defined policies
• Correction of the criticality of the keyUsage extension in Proxy Certificates
  • Must be critical only if the EEC’s is critical
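The PC-specific validation steps from the two preceding slides (signature by a non-CA issuer, critical PC extension, subject scoped by the issuer's name, and keyUsage critical only if the issuer's is), as an added example that is not from the draft or the slides. It uses the `cryptography` library, builds a constructed EEC -> PC chain to exercise the checks, and assumes the RFC 3820 OID values for ProxyCertInfo and the inheritAll policy match the draft-04 ASN.1 module.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# ProxyCertInfo OID as assigned in RFC 3820 (assumed to match the draft-04 module).
OID_PROXY_CERT_INFO = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.14")
# Hand-encoded DER: ProxyCertInfo { proxyPolicy { policyLanguage id-ppl-inheritAll } },
# i.e. SEQUENCE { SEQUENCE { OID 1.3.6.1.5.5.7.21.1 } }; pCPathLenConstraint and policy omitted.
INHERIT_ALL = bytes.fromhex("300c300a06082b06010505071501")


def _ext(cert, oid):
    try:
        return cert.extensions.get_extension_for_oid(oid)
    except x509.ExtensionNotFound:
        return None


def validate_proxy(issuer, pc):
    """Check one PC against its issuer (the EEC, or the previous PC) after RFC 3280 PV accepted the EEC chain."""
    try:  # the issuer is an end entity, not a CA, so the signature is checked directly
        issuer.public_key().verify(pc.signature, pc.tbs_certificate_bytes, ec.ECDSA(pc.signature_hash_algorithm))
    except InvalidSignature:
        return "bad signature"
    pci = _ext(pc, OID_PROXY_CERT_INFO)
    if pci is None or not pci.critical:
        return "missing or non-critical ProxyCertInfo"
    base, subj = list(issuer.subject.rdns), list(pc.subject.rdns)  # subject = issuer name + one CN
    if subj[:-1] != base or len(subj[-1]) != 1 or next(iter(subj[-1])).oid != NameOID.COMMON_NAME:
        return "subject must be the issuer name plus a single CN"
    ku, iku = _ext(pc, ExtensionOID.KEY_USAGE), _ext(issuer, ExtensionOID.KEY_USAGE)
    if ku is not None and ku.critical and (iku is None or not iku.critical):
        return "keyUsage may be critical only if the issuer's is"
    return "ok"


def build_chain(cn="job-1", critical=True):
    """Constructed sample data: a self-signed EEC for 'alice' and the PC she issues for a job."""
    eec_key, pc_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    eec_name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Grid"),
                          x509.NameAttribute(NameOID.COMMON_NAME, "alice")])
    eec = (x509.CertificateBuilder().subject_name(eec_name).issuer_name(eec_name)
           .public_key(eec_key.public_key()).serial_number(1).not_valid_before(now)
           .not_valid_after(now + datetime.timedelta(hours=12)).sign(eec_key, hashes.SHA256()))
    pc_name = x509.Name(list(eec_name) + [x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    pc = (x509.CertificateBuilder().subject_name(pc_name).issuer_name(eec.subject)
          .public_key(pc_key.public_key()).serial_number(2).not_valid_before(now)
          .not_valid_after(now + datetime.timedelta(hours=12))
          .add_extension(x509.UnrecognizedExtension(OID_PROXY_CERT_INFO, INHERIT_ALL), critical=critical)
          .sign(eec_key, hashes.SHA256()))
    return eec, pc
```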