Multiple identity providers in NetIdMgr

Daniel Kouril kouril at ics.muni.cz
Mon Mar 3 10:33:25 EST 2008


On Mon, Mar 03, 2008 at 09:39:05AM -0500, Jeffrey Altman wrote:
> I'm curious.  What role would NIMv2 play in acquiring the X.509 proxy 
> certificates?  Would you be using an X.509 client certificate to obtain the 
> proxy certificates?   Much as the Kerberized Certificate Authority uses 
> Kerberos tickets to obtain X.509 certificates today?

A proxy certificate is derived from a standard X.509 certificate of a
user and is signed not by a CA but with the private key corresponding to
the user's X.509 certificate (or to another proxy further down the path). So
the principle is similar to that of the kCA, but no service is contacted and
key generation and signing are done locally. The resulting proxy
certificate resembles a Kerberos ticket: its lifetime is short and it is
transparently accessible to the user's grid applications.

We also use proxy certificates to store some authorization data (such as
a signed list of groups), which is later used by services to make access
control decisions.

NIM gives us a user interface to manage proxies and embedded
authorization attributes.

cheers,

Daniel



More information about the kfwdev mailing list