Globus:
GSI v2.0: Authentication and Authorization Checks
Authentication Checks
The following are in addition to standard X.509 certificate path
validation checks performed by OpenSSL.
- Every Certification Authority (CA) in the peer's chain must have a signing_policy
file present in the trusted certificates directory on the local
system. The file contains one or more namespace prefixes. Any
certificate issued by the CA must have a subject name matched by one
or more of the prefixes. This comparison is done in a case-sensitive
manner.
Authorization Checks
After authentication one of the following authorization checks is normally done:
- Services will typically call gss_assist routines to check for the presence of
the DN in the grid-mapfile and map it to a local username. This check is done in a
case-sensitive manner.
- Clients connecting to a service will normally expect a host or
service certificate. In this case the common name (CN) of the DN is
expected to contain the hostname on which the service runs. This comparison
is done in a case-insensitive manner.
- If the client specified an explicit DN that it expected, this
comparison is done using OpenSSL's X509_NAME_oneline() and strcmp(), which
is a case-sensitive comparison.
- If the application is using GlobusIO and passes in an explicit DN,
GlobusIO does this comparison in a case-sensitive manner.
- An application may just get the DN returned to it directly, either
through the GlobusIO authorization callback functionality or by using the
GSSAPI directly, in which case it is up to the application how
authorization is performed.
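The point both lists make is that the checks differ in case handling: the signing_policy namespace check and the grid-mapfile lookup are case-sensitive, while the hostname-in-CN check is case-insensitive. The following added example (not Globus code, and not the real signing_policy or grid-mapfile parser) models those three checks in Python over constructed sample data so the difference is visible. The dictionary standing in for signing_policy files, the assumed grid-mapfile line format (quoted DN followed by a local username), and the optional "service/" prefix stripped from the CN are all assumptions of this example.

```python
import fnmatch

# Constructed stand-in for the per-CA signing_policy files: the CA's subject
# maps to the namespace prefixes (glob-style) it is allowed to sign for.
# This is a simplified representation, not the actual signing_policy syntax.
SIGNING_POLICY = {
    "/C=US/O=Example Grid/CN=Example Grid CA": [
        "/C=US/O=Example Grid/*",
    ],
}

# Constructed grid-mapfile contents. Assumed format: a quoted DN followed by
# the local username(s) to map it to.
GRID_MAPFILE = '''
# comment lines and blank lines are ignored
"/C=US/O=Example Grid/OU=People/CN=Alice Example" alice
"/C=US/O=Example Grid/OU=Services/CN=gatekeeper.example.org" gatekeeper
'''


def issuer_allowed_to_sign(issuer_dn, subject_dn, policy=SIGNING_POLICY):
    """Authentication check: the issuing CA must have a signing policy, and
    the subject must match one of its prefixes. fnmatchcase is used so the
    comparison is case-sensitive regardless of platform."""
    prefixes = policy.get(issuer_dn)
    if prefixes is None:
        return False  # no signing_policy for this CA: reject the chain
    return any(fnmatch.fnmatchcase(subject_dn, prefix) for prefix in prefixes)


def parse_gridmap(text):
    """Parse the assumed grid-mapfile format into {DN: local username}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line.startswith('"'):
            continue
        end = line.index('"', 1)
        dn = line[1:end]
        users = line[end + 1:].split()
        if users:
            mapping[dn] = users[0].split(",")[0]
    return mapping


def map_dn_to_local_user(subject_dn, gridmap_text=GRID_MAPFILE):
    """Authorization check: exact, case-sensitive dictionary lookup of the DN,
    mirroring the case-sensitive grid-mapfile comparison."""
    return parse_gridmap(gridmap_text).get(subject_dn)


def common_name(dn):
    """Return the value of the last CN= RDN in a /-separated one-line DN."""
    idx = dn.rfind("/CN=")
    return None if idx < 0 else dn[idx + 4:]


def host_cert_matches(subject_dn, expected_host):
    """Client-side check: the CN must carry the hostname the client connected
    to; hostnames are compared case-insensitively. An optional 'service/'
    prefix before the hostname is stripped (assumption of this example)."""
    cn = common_name(subject_dn)
    if cn is None:
        return False
    if "/" in cn:
        cn = cn.split("/", 1)[1]
    return cn.lower() == expected_host.lower()


def explicit_dn_matches(actual_dn, expected_dn):
    """Explicit-DN check: byte-for-byte equality, as strcmp() would do."""
    return actual_dn == expected_dn


if __name__ == "__main__":
    ca = "/C=US/O=Example Grid/CN=Example Grid CA"
    alice = "/C=US/O=Example Grid/OU=People/CN=Alice Example"
    print("CA may sign Alice:", issuer_allowed_to_sign(ca, alice))
    print("CA may sign lowercased DN:", issuer_allowed_to_sign(ca, alice.lower()))
    print("Alice maps to:", map_dn_to_local_user(alice))
    print("Lowercased DN maps to:", map_dn_to_local_user(alice.lower()))
    host = "/C=US/O=Example Grid/OU=Services/CN=gatekeeper.example.org"
    print("Host match (uppercase input):", host_cert_matches(host, "GATEKEEPER.EXAMPLE.ORG"))
```

Running the script shows the lowercased DN failing both the signing-policy and grid-mapfile checks while the uppercased hostname still passes the CN check, which is the practical consequence of the case rules listed above.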