Thursday 25 March 2010

A matter of trust

With apologies for stating the obvious: when you are providing a service on a grid, you are expecting other people to make use of it.

Before you do, you want to be as sure as you can be that your guests are who they say they are.

The tools we use to establish trust are certificates. We might try to hide the details but we are not going to abandon the technology.

I am not going to explain how certificates work. The basic idea - public key cryptography - is used to establish trust to websites using 'https' and between hosts using Secure Shell. There is some not-exceptionally-scary mathematics involved and some willfully-obscure jargon (X509, PKCS#1, CSR, PKCS#12). This should not hide the key idea:
A certificate is a statement that someone you trust will vouch that the certificate holder is who they claim to be for a limited time.

For example:

  • The UK eScience certificate used by the NGS and by GridPP - and which our users will have buried in a web browser or in *.pem or *.p12 files somewhere - states that the UK eScience certification authority will vouch for the owner for around 13 months. This is usually the most valuable certificate that our users have and will be protected by some kind of passphrase.
  • A proxy certificate can be created by the holder of a UK eScience certificate. Proxies have a shorter lifetime - usually hours or days - and grant the holder of the proxy the right to act on behalf of the creator. Proxy certificates are the currency of the grid and are not necessarily passphrase-protected.
  • Virtual organisations of the kind used throughout the EGEE project can vouch that a proxy holder is a valid member of that organisation by adding an assertion to the certificate.
So what has this to do with the NGS's ongoing research and development effort?

While certificates are invaluable, no one would claim that they are easy to use.
They can go wrong in interesting ways:
  • You can get bitten by the limited lifetime built into the certificate. If things are running slowly, the proxy can expire before it is needed. Sometimes the assertions associating a certificate to a virtual organisation can expire before the proxy itself.
  • Obtaining certificates is complicated by the different ways web-browsers handle certificates and by the range of existing tools.
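
Both expiry failures can be caught before work is submitted. The following Python is an added example, not NGS code: it treats each certificate or assertion as a validity period and reports which one runs out first. The `Link` type, the dates and the job durations are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Link:
    """One time-limited statement in the chain of trust (hypothetical type)."""
    name: str
    not_before: datetime
    not_after: datetime

def usable_window(chain):
    """Overlap of every validity period, plus the link that closes it."""
    start = max(link.not_before for link in chain)
    limiting = min(chain, key=lambda link: link.not_after)
    return start, limiting.not_after, limiting

def preflight(chain, now, queue_wait, run_time):
    """Return (ok, reason): does the whole chain outlive the job?"""
    start, end, limiting = usable_window(chain)
    if now < start:
        return False, "chain is not valid yet"
    if now >= end:
        return False, f"{limiting.name} has already expired"
    needed_until = now + queue_wait + run_time
    if needed_until > end:
        return False, (f"{limiting.name} expires {needed_until - end} "
                       "before the job would finish")
    return True, f"{end - needed_until} to spare, limited by {limiting.name}"

# Constructed sample: a 24-hour proxy carrying a 12-hour VO assertion.
NOW = datetime(2010, 3, 25, 9, 0, tzinfo=timezone.utc)
CHAIN = [
    Link("user certificate", NOW - timedelta(days=175), NOW + timedelta(days=220)),
    Link("proxy certificate", NOW, NOW + timedelta(hours=24)),
    Link("VO membership assertion", NOW, NOW + timedelta(hours=12)),
]

if __name__ == "__main__":
    # Slow queue: 10 h waiting + 4 h running outlasts the VO assertion.
    print(preflight(CHAIN, NOW, timedelta(hours=10), timedelta(hours=4)))
    # Short job: fits inside every validity period.
    print(preflight(CHAIN, NOW, timedelta(hours=1), timedelta(hours=2)))
```
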
So the NGS is focusing its effort on easing the pain.
  • We have developed the certificate wizard: a friendly face to the less-friendly command-line tools.
  • There is a major project underway at STFC to replace the UK certification authority's web-based interface with simpler stand-alone utilities for managing certificates.
  • We provide a certificate trust service which can generate short-lived certificates on request for anyone with an account in an institution within the UK Access Management Federation. These can be used to apply for NGS time, use the NGS portal and make use of selected NGS partner sites.
To be useful to the research communities, the UK grids needed to establish a network of trust that could cover all researchers in all UK academic institutions. We now have our network and we are going to make it easier for you to join it.
