wiki:WikiStart
Last modified on 08/30/07 17:07:38

Welcome to the UABgrid CA project site

Background

The UABgrid CA is the heart of the UABgrid trust fabric. It provides the PKI trust root for UABgrid and asserts the identity of users and resources. It is important to think of the UABgrid CA not as a "stodgy old-school CA" but as a modern infrastructure element that asserts identity. This distinction is subtle but significant. As an identity assertion tool it provides a way to confirm the identity of users and resources, and those identities have a variety of uses. For computer resources they are applied in the traditional way: the assertion typically lasts a year and is used in an SSL/TLS handshake to identify the requested resource to clients. Identity assertions for users are potentially much more ephemeral and are closely tied to the SAML identity assertions that drive the federated identity infrastructure of UABgrid. Essentially, a user certificate should be thought of as a transport medium for a user identity asserted by (i.e. known to) UABgrid. In all cases, user identities are issued to UABgrid by external identity providers using the Shibboleth federated identity infrastructure.

User certificates are issued using the GridShib CA and will likely have a maximum lifetime of 90 days, and that only for the most qualified users, i.e. faculty, staff and students of source institutions. Other identities may be restricted to 14-day maximums. By default the identity assertions are likely to be in the range of 8-12 hours; that is, they will be tied closely to the lifetime of overall UABgrid application sessions. These policies are still evolving, but you should get the idea that these are not the weighty certificates of traditional CAs. They simply assert an identity known to UABgrid. That identity will typically be an ePPN (eduPersonPrincipalName, a scoped identifier of the form user@institution).

With old-school CAs a lot of value is placed on having a person's legal name appear in the DN. This is typically thought to convey some sense of authorization. This is inappropriate. Authorization does not come from the structure of the DN; it comes from authorization attributes. These attributes are maintained by the VO (virtual organization) infrastructure of UABgrid. It is that infrastructure that issues the attributes to clients that request them, based on the identity contained in the client certificate. A relying party should therefore never derive rights from a name in the DN; it should take the identity from the certificate and ask the VO infrastructure what that identity is allowed to do.

This discussion will likely be expanded upon, but it should give you a sense of the power and flexibility contained in the UABgrid CA.

Components

The UABgrid CA has four primary components:

  1. GridShib CA - used to issue certificates via the web to end users
  2. MyProxy - used to store proxy certificates
  3. PHPki - a web interface used for signing resource certificates and general certificate management
  4. OpenSSL - the application that manages and signs CSRs (certificate signing requests)

The last two elements have been the main components of the UABgrid CA up till now. In the present configuration PHPki is used to issue certificates to users, but there is a catch: key escrow. Because the CA retains a copy of the user's private key, the CA operator (or anyone who compromises the CA) could act as that user, which undermines non-repudiation, i.e. it is a security risk. PHPki has served the purpose well for now, but it will be retired from this function in UABgrid2 and replaced by the GridShib CA. PHPki will still be used to let administrators have resource CSRs signed, thereby issuing the UABgrid resource certificates; in that flow the resource owner generates the key pair and only the CSR reaches the CA, so no private key is escrowed.

The repository currently contains the web-application code for the UABgrid version of PHPki. This is stock code that has been modified to trust external authentication; that is, it uses REMOTE_USER to identify the subject of the certificate. In its new use it will use this same value (now populated with the ePPN) to allow resource owners to manage their certificates. Since the application trusts REMOTE_USER unconditionally, that variable must be set by the web server's own authentication module (here the Shibboleth module) and never be derivable from a client-supplied request header.
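The following is an added example, not UABgrid or PHPki code, showing the escrow-free resource-certificate flow described above with openssl(1): the resource owner generates the key pair and a CSR, only the CSR crosses to the CA side, the CA signs it and hands back a certificate. It also checks the one-year resource lifetime mentioned in the Background section. The throwaway CA, the two working directories and the hostname host.example.edu are assumptions for illustration only; the only requirement is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not UABgrid/PHPki code): escrow-free resource certificate flow.
# Assumptions, not from the wiki page: openssl(1) on PATH, a throwaway CA that
# stands in for the UABgrid CA root, and the placeholder host host.example.edu.
set -eu

WORK="${WORK:-$(mktemp -d)}"
OWNER="$WORK/owner"   # the resource owner's host: the only place the private key lives
CASIDE="$WORK/ca"     # the CA side (what PHPki fronts): receives CSRs, returns certs
mkdir -p "$OWNER" "$CASIDE"

# Throwaway CA key and self-signed root certificate (stand-in for the real root).
setup_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=UABgrid/CN=UABgrid Example CA" \
    -keyout "$CASIDE/ca.key" -out "$CASIDE/ca.crt" >/dev/null 2>&1
}

# Step 1 (resource owner): generate key pair and CSR locally. The private key is
# created here and stays here; the CA never sees it, so there is nothing to escrow.
make_csr() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=UABgrid/CN=$host" \
    -keyout "$OWNER/$host.key" -out "$OWNER/$host.csr" >/dev/null 2>&1
  chmod 600 "$OWNER/$host.key"
  cp "$OWNER/$host.csr" "$CASIDE/$host.csr"   # the CSR is the only artefact handed over
}

# Step 2 (CA administrator): sign the CSR. Resource certificates run about a year.
sign_csr() {
  host="$1"; days="$2"
  openssl x509 -req -sha256 -days "$days" -CAcreateserial \
    -in "$CASIDE/$host.csr" -CA "$CASIDE/ca.crt" -CAkey "$CASIDE/ca.key" \
    -out "$CASIDE/$host.crt" >/dev/null 2>&1
  cp "$CASIDE/$host.crt" "$OWNER/$host.crt"   # the signed cert goes back to the owner
}

# Check 1: the issued certificate chains to the CA root.
verify_chain() {
  openssl verify -CAfile "$CASIDE/ca.crt" "$OWNER/$1.crt" >/dev/null 2>&1
}

# Check 2: the owner's private key matches the public key inside the certificate.
key_matches_cert() {
  pub_from_key=$(openssl pkey -in "$OWNER/$1.key" -pubout 2>/dev/null)
  pub_from_crt=$(openssl x509 -in "$OWNER/$1.crt" -pubkey -noout 2>/dev/null)
  [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_crt" ]
}

# Check 3 (lifetime policy): a resource cert must expire within roughly one year.
# `-checkend N` exits 0 when the cert is STILL valid N seconds from now, so success
# there means the lifetime exceeds the policy and we report failure.
within_resource_lifetime() {
  if openssl x509 -in "$OWNER/$1.crt" -noout -checkend $((366 * 86400)) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Check 4 (no escrow): the CA side holds the CSR and the cert but no private key.
ca_holds_no_resource_key() {
  [ -f "$CASIDE/$1.csr" ] && [ -f "$CASIDE/$1.crt" ] && [ ! -e "$CASIDE/$1.key" ]
}

# Run the flow for one placeholder resource and report.
HOST="host.example.edu"
setup_ca
make_csr "$HOST"
sign_csr "$HOST" 365
openssl x509 -in "$OWNER/$HOST.crt" -noout -subject -issuer -enddate
verify_chain "$HOST" && echo "chain verifies: ok"
key_matches_cert "$HOST" && echo "private key matches cert: ok"
within_resource_lifetime "$HOST" && echo "lifetime within one year: ok"
ca_holds_no_resource_key "$HOST" && echo "no resource private key on CA side: ok"
```

The point of the two directories is the escrow property itself: everything the CA needs (CSR in, certificate out) lives under the CA directory, while the `.key` file exists only on the owner's side. Compare this with a web form that generates the key pair on the server and hands the user a PKCS#12 bundle, which is exactly the key-escrow arrangement the text says UABgrid2 retires for user certificates.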

Notes

  • UABgridCA_1 - Notes on UABgrid On-line CA version 1 configuration (historical)
  • BuildingUABgridCA - Notes on construction of UABgrid On-line CA

References