On Wed, Jul 23, 2008 at 11:00 AM, Charles Bacon <[EMAIL PROTECTED]> wrote:
> On Jul 23, 2008, at 8:37 AM, Alan Sill wrote:
>
>> Personally, I wish the Globus team would de-emphasize its inclusion of
>> SimpleCA and decouple it from the Globus documentation.
>
> If you can recommend an alternative that would get new users up and running
> in a demo environment, I would love to hear about it.
Replace the SimpleCA with 1) a SAML identity provider (IdP) that issues holder-of-key SAML assertions, and 2) a Security Token Service (STS) that converts a holder-of-key SAML assertion into an X.509 credential.

A non-browser client presents a SAML request and an X.509 certificate to the IdP. The latter is a self-signed certificate presented via SSL/TLS client auth. The user behind the client authenticates to the IdP with a username/password via HTTP basic auth or WS-Security Username Token Profile. The IdP binds the key in the certificate to the SAML assertion (i.e., holder-of-key) and signs the assertion.

The client presents the signed holder-of-key SAML assertion and the X.509 certificate to the STS, again via SSL/TLS client auth. The STS verifies the signature on the signed holder-of-key assertion and confirms that the key bound to the assertion is the same key bound to the certificate. It then issues an X.509 credential to the user.

Joana Trindade has implemented a prototype of the first half of this pair of protocol exchanges. Another GSoC student was working on the STS but I haven't heard about the status of that project.

In the interim, it may be possible to bind the holder-of-key SAML assertion to a proxy certificate using GridShib SAML Tools. This requires modification to GSI since the end-entity certificate is self-signed. The trust is in the SAML assertion, not the proxy certificate chain. Think of the proxy that contains the trusted SAML assertion as an independent proxy. (Messy, I know, which is why the STS is desirable.)

Tom
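The two exchanges described above (the IdP binds the client's key into a signed holder-of-key assertion; the STS verifies the signature and the key binding before issuing a credential), as an added Go model that is not code from the thread, GridShib or Globus. It assumes Ed25519 for both the IdP signing key and the client's certificate key, a JSON struct as a stand-in for the SAML assertion, and that TLS client auth has already proven the client holds `tlsClientKey`.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Assertion is a constructed stand-in for a holder-of-key SAML assertion: the
// IdP names the authenticated user and binds the client's TLS key to it.
type Assertion struct {
	Subject   string
	KeyDigest []byte // SHA-256 of the public key in the client's self-signed cert
}

// SignedAssertion is the assertion bytes plus the IdP signature over them.
type SignedAssertion struct{ Payload, Signature []byte }

// IssueAssertion is the IdP step. The user has already authenticated (e.g. HTTP
// basic auth) and clientKey is the key the client proved it holds over TLS.
func IssueAssertion(idpKey ed25519.PrivateKey, user string, clientKey ed25519.PublicKey) (SignedAssertion, error) {
	d := sha256.Sum256(clientKey)
	payload, err := json.Marshal(Assertion{Subject: user, KeyDigest: d[:]})
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(idpKey, payload)}, nil
}

// ExchangeForCredential is the STS step: verify the IdP signature, then confirm
// the key bound in the assertion is the key presented over TLS client auth.
// A genuine assertion replayed by a different key holder fails the second check.
func ExchangeForCredential(idpPub ed25519.PublicKey, sa SignedAssertion, tlsClientKey ed25519.PublicKey) (string, error) {
	if !ed25519.Verify(idpPub, sa.Payload, sa.Signature) {
		return "", errors.New("assertion signature invalid")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", err
	}
	if d := sha256.Sum256(tlsClientKey); !bytes.Equal(d[:], a.KeyDigest) {
		return "", errors.New("holder-of-key mismatch")
	}
	// Stand-in for issuing the X.509 credential: the subject DN the STS would certify.
	return "CN=" + a.Subject, nil
}
```

A real STS would also check the assertion's validity window and audience, and compare against the SubjectPublicKeyInfo of the presented certificate rather than a raw key.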
