On Mon, Mar 03, 2008 at 09:39:05AM -0500, Jeffrey Altman wrote:
> I'm curious. What role would NIMv2 play in acquiring the X.509 proxy
> certificates? Would you be using an X.509 client certificate to obtain the
> proxy certificates? Much as the Kerberized Certificate Authority uses
> Kerberos tickets to obtain X.509 certificates today?

A proxy certificate is derived from a standard X.509 certificate of a user and is signed not by a CA but with the private key corresponding to the user's X.509 certificate (or another proxy down the path). So, the principle is similar to that of the kCA but no service is contacted and key generation and signing are done locally. The resulting proxy certificate resembles a Kerberos ticket - its life is short and it is accessible to the user's grid applications transparently. We also use proxy certificates to store some authorization data (such as a signed list of groups), which is later used by services to make access control decisions. NIM gives us a user interface to manage proxies and embedded authorization attributes.

cheers,
Daniel
_______________________________________________
kfwdev mailing list
kfwdev@mit.edu
http://mailman.mit.edu/mailman/listinfo/kfwdev
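
The local derivation described in the message above, as an added example that is not part of the original message or of any NIM/KfW code: a proxy is issued with the parent's private key, chained one level further, and checked link by link. It assumes the third-party Python `cryptography` package and the RFC 3820 proxy profile; the self-signed user certificate, the names and the helper functions are constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# RFC 3820 ProxyCertInfo; value is DER for a policy of id-ppl-inheritAll, no path length limit.
PROXY_CERT_INFO = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.14")
INHERIT_ALL = x509.UnrecognizedExtension(PROXY_CERT_INFO, bytes.fromhex("300c300a06082b06010505071501"))

def _sign(subject, issuer, public_key, signing_key, hours, is_proxy):
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(public_key).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(minutes=5))
         .not_valid_after(now + dt.timedelta(hours=hours)))
    if is_proxy:
        b = b.add_extension(INHERIT_ALL, critical=True)
    return b.sign(signing_key, hashes.SHA256())

def make_user_cert(cn="Constructed User"):
    """Self-signed stand-in for the CA-issued user certificate (constructed sample)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Grid"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return _sign(name, name, key.public_key(), key, 24 * 365, False), key

def make_proxy(parent_cert, parent_key, hours=12):
    """Generate a new key pair locally and sign it with the parent's private key."""
    key = ec.generate_private_key(ec.SECP256R1())
    extra_cn = x509.NameAttribute(NameOID.COMMON_NAME, str(x509.random_serial_number()))
    subject = x509.Name(list(parent_cert.subject) + [extra_cn])  # parent subject + one CN
    return _sign(subject, parent_cert.subject, key.public_key(), parent_key, hours, True), key

def _expiry(cert):  # attribute name differs across versions of the cryptography package
    return getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after

def proxy_follows(parent_cert, proxy_cert):
    """Per-link checks a relying service makes: names, extension, lifetime, signature."""
    attrs = list(proxy_cert.subject)
    ext = [e for e in proxy_cert.extensions if e.oid == PROXY_CERT_INFO and e.critical]
    if (proxy_cert.issuer != parent_cert.subject or attrs[:-1] != list(parent_cert.subject)
            or attrs[-1].oid != NameOID.COMMON_NAME or not ext
            or _expiry(proxy_cert) > _expiry(parent_cert)):
        return False
    try:
        parent_cert.public_key().verify(proxy_cert.signature, proxy_cert.tbs_certificate_bytes,
                                        ec.ECDSA(proxy_cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False
```

A full validator would also anchor the user certificate in a trusted CA and honour the path length and policy fields, which this per-link check leaves out.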