On Wed, 23 Jul 2008 23:00:06 -0400 "Tom Scavo" <[EMAIL PROTECTED]> wrote:
> On Wed, Jul 23, 2008 at 11:58 AM, Tom Scavo <[EMAIL PROTECTED]> wrote:
> > On Wed, Jul 23, 2008 at 11:00 AM, Charles Bacon <[EMAIL PROTECTED]> wrote:
> >>
> >> If you can recommend an alternative that would get new users up and running
> >> in a demo environment, I would love to hear about it.
> >
> > Replace the SimpleCA with 1) a SAML identity provider (IdP) that
> > issues holder-of-key SAML assertions, and 2) a Security Token Service
> > (STS) that converts a holder-of-key SAML assertion into an X.509
> > credential.
> >
> > A non-browser client presents a SAML request and an X.509 certificate
> > to the IdP. The latter is a self-signed certificate presented via
> > SSL/TLS client auth. The user behind the client authenticates to the
> > IdP with a username/password via HTTP basic auth or WS-Security
> > Username Token Profile. The IdP binds the key in the certificate to
> > the SAML assertion (i.e., holder-of-key) and signs the assertion.
>
> Let me take this just a little bit further and see if we can
> straighten out the mess :-) Let's *not* use a self-signed certificate
> since that breaks GSI. Instead assume that the end-entity certificate
> is "meaningless," that is, signed by the "meaningless CA." (See this
> spec for definitions of these terms:
>
> http://www.connotech.com/pkc-only-meaningless-certs.pdf
>
> Basically, the private key and DN of the meaningless CA are well-known
> quantities.) An end-entity certificate signed by the meaningless CA
> is no better than a self-signed certificate, but at least it doesn't
> break GSI.

What in GSI breaks? The basics at least seem to work; I haven't had
problems dropping a self-signed cert into a client's trusted cert
directory (done this with both C and Java in the past, maybe something
is different now?).

For example:

wget http://www-unix.mcs.anl.gov/~tfreeman/ca.sh.txt
sh ca.sh.txt something.com 2>/dev/null 1>hostcert.pem
mv /tmp/host.key hostkey.pem
scp hostcert.pem hostkey.pem [EMAIL PROTECTED]:/etc/grid-security/
[ submit job: host authz failure ]
cp hostcert.pem $X509_CERT_DIR
[ submit job: host authz success ]

Tim

> Now put the meaningless CA certificate in the Globus trusted
> certificates directory and make this relatively minor change (I think)
> to the GSI authentication handler: If the presented proxy certificate
> chain is rooted in the meaningless CA, set the Globus identity to
> "anonymous." In the gridmap (if used), the anonymous user might map
> to "guest," or maybe policy dictates that anonymous users don't have
> access, period. That's okay, as long as a proxy rooted in the
> meaningless CA is validated in the same way that a proxy rooted in a
> trusted CA is validated.
>
> What this does is open the door to the previous use case (details
> omitted). Now I can write a PIP that traverses the proxy certificate
> chain looking for a trusted holder-of-key SAML assertion. If one is
> found, the PIP populates a distinguished "SAML identity" and passes
> control to a PDP that inspects the security contexts of the Globus
> identity and the SAML identity in sequence.
>
> Does this make sense? If you provide support for the meaningless CA
> (or something like it), I'll do the rest :-)
>
> Tom
>
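As an added illustration of the handler rule Tom describes above (this is example code added here, not code from the thread or from the Globus Toolkit), the sh script below builds a throwaway PKI with openssl(1) and applies the rule: validate the presented certificate against the trusted directory exactly as for any other CA, then assign the identity "anonymous" when the validating root is the meaningless CA and the subject DN otherwise. It assumes the meaningless CA is recognised by a well-known subject DN (the hypothetical "CN=Meaningless CA"), a flat trusted directory of PEM files, and a gridmap in the usual "<DN>" <user> form; proxy certificates are left out, so a chain here is one end-entity certificate plus its issuer. A rogue CA that reuses the meaningless CA's DN with a different key is included to show why the validation step cannot be skipped for the anonymous case: its certificate is rejected outright rather than mapped to anonymous.

```sh
#!/bin/sh
# Added example, not code from this thread or from the Globus Toolkit.
# It models the proposed handler rule with nothing but openssl(1).
# Assumptions (hypothetical): the meaningless CA is recognised by the
# well-known subject DN in MEANINGLESS_DN; the trusted directory is a flat
# directory of PEM CA certificates; proxy certificates are left out, so a
# chain here is one end-entity certificate plus the CA that signed it.
set -eu

MEANINGLESS_DN="CN=Meaningless CA"   # assumed well-known DN, RFC 2253 form

# dn FILE subject|issuer -> that DN in RFC 2253 form, prefix stripped
# (the sed also eats the extra space older openssl prints after '=').
dn() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# new_ca DIR NAME SUBJ -> self-signed CA DIR/NAME.pem with key DIR/NAME.key
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# new_ee DIR NAME CA SUBJ -> end-entity cert DIR/NAME.pem signed by DIR/CA.key
new_ee() {
  openssl req -newkey rsa:2048 -nodes -subj "$4" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -set_serial 1 -in "$1/$2.csr" \
    -CA "$1/$3.pem" -CAkey "$1/$3.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# gsi_identity TRUSTED_DIR CERT -> prints the Globus identity: the subject
# DN when the chain is rooted in an ordinary trusted CA, "anonymous" when
# it is rooted in the meaningless CA. Returns 1 when no trusted CA
# validates CERT. Validation is the same code path for both kinds of
# root; only the identity assigned afterwards differs.
gsi_identity() {
  trusted=$1 cert=$2
  issuer=$(dn "$cert" issuer)
  for ca in "$trusted"/*.pem; do
    [ "$(dn "$ca" subject)" = "$issuer" ] || continue
    # Check the output, not the exit status: old openssl verify exits 0 on failure.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' || continue
    if [ "$issuer" = "$MEANINGLESS_DN" ]; then
      echo anonymous
    else
      dn "$cert" subject
    fi
    return 0
  done
  return 1
}

# map_local_user GRIDMAP IDENTITY -> local account from a grid-mapfile-style
# file of lines  "<identity>" <user> ; returns 1 when the identity is not
# listed. Whether "anonymous" appears at all is site policy.
map_local_user() {
  line=$(grep -F "\"$2\" " "$1") || return 1
  printf '%s\n' "${line##* }"
}

# setup_demo_pki DIR: a throwaway PKI constructed here (fresh, worthless
# keys): a normal grid CA and the meaningless CA, both installed in
# DIR/trusted; a rogue CA that reuses the meaningless CA's DN with a
# different key and is NOT installed; one end-entity cert from each CA;
# and a constructed grid-mapfile.
setup_demo_pki() {
  mkdir -p "$1/trusted"
  new_ca "$1" realca      "/CN=Demo Grid CA"
  new_ca "$1" meaningless "/CN=Meaningless CA"
  new_ca "$1" rogue       "/CN=Meaningless CA"
  cp "$1/realca.pem" "$1/meaningless.pem" "$1/trusted/"
  new_ee "$1" alice realca      "/CN=alice"
  new_ee "$1" guest meaningless "/CN=anybody"
  new_ee "$1" evil  rogue       "/CN=anybody"
  printf '"CN=alice" alice\n"anonymous" guest\n' > "$1/grid-mapfile"
}

demo() {
  work=$(mktemp -d)
  setup_demo_pki "$work"
  for name in alice guest evil; do
    if id=$(gsi_identity "$work/trusted" "$work/$name.pem"); then
      user=$(map_local_user "$work/grid-mapfile" "$id" || echo "(no mapping)")
      echo "$name.pem: identity=$id local_user=$user"
    else
      echo "$name.pem: rejected, chain not rooted in a trusted CA"
    fi
  done
  rm -rf "$work"
}

demo
```

Run it as sh meaningless-ca-demo.sh; it prints one line per certificate. Because the meaningless CA's private key is public, anyone can mint a certificate that validates under it, which is exactly why the identity it yields is "anonymous" rather than the subject DN, and why the gridmap line for "anonymous" (or its absence) is where the site's actual policy lives.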
