Globus: GSI v2.0: Authentication and Authorization Checks


Authentication Checks

The following are in addition to standard X.509 certificate path validation checks performed by OpenSSL.

  1. Every Certification Authority (CA) in the peer's chain must have a signing_policy file present in the trusted certificates directory on the local system. The file contains one or more namespace prefixes. Any certificate issued by the CA must have a subject name matched by one or more of the prefixes. This comparison is done in a case-sensitive manner.

Authorization Checks

After authentication one of the following authorization checks is normally done:
  1. Services will typically call gss_assist routines to check for the presence of the DN in the grid-mapfile and map it to a local username. This check is done in a case-sensitive manner.
  2. Clients connecting to a service will normally expect a host or service certificate. In this case the common name (CN) of the DN is expected to contain the hostname on which the service runs. This comparison is done in a case-insensitive manner.
  3. If the client specified an explicit DN that it expected, this comparison is done using OpenSSL's X509_NAME_oneline() and strcmp(), which is a case-sensitive comparison.
  4. If the application is using GlobusIO and passes in an explicit DN, GlobusIO does this comparison in a case-sensitive manner.
  5. An application may simply get the DN returned to it directly, either through the GlobusIO authorization callback functionality or by using the GSSAPI directly, in which case it is up to the application how authorization is performed.
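The DN comparisons listed above, written out as an added example (not Globus code): a case-sensitive grid-mapfile lookup, a case-insensitive host/service CN check, and a strcmp() on an explicitly expected DN. The grid-mapfile lines, DNs and hostnames are constructed sample data, and the CN is assumed to be the last component of the DN.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp() (POSIX) */

/* Constructed grid-mapfile lines (assumed sample data): "DN" local_user */
static const char *GRIDMAP[] = {
    "\"/O=Grid/OU=Example/CN=Alice Example\" alice",
    "\"/O=Grid/OU=Example/CN=host/gatekeeper.example.org\" globus",
    NULL
};

/* Check 1: grid-mapfile lookup. The quoted DN must match the peer DN
 * exactly (case-sensitive). Returns the local user or NULL if unmapped. */
const char *gridmap_lookup(const char *dn) {
    static char user[64];
    for (int i = 0; GRIDMAP[i] != NULL; i++) {
        const char *line = GRIDMAP[i], *close;
        if (line[0] != '"' || (close = strchr(line + 1, '"')) == NULL) continue;
        size_t len = (size_t)(close - line - 1);
        if (strlen(dn) != len || strncmp(dn, line + 1, len) != 0) continue;
        for (close++; *close == ' ' || *close == '\t'; close++) ;
        snprintf(user, sizeof user, "%s", close);
        return user;
    }
    return NULL;
}

/* Check 2: host/service certificate. The CN (assumed to be the last DN
 * component) must carry the hostname, optionally after a "host/" or
 * "service/" prefix; hostnames compare case-insensitively. */
int host_cn_matches(const char *dn, const char *hostname) {
    const char *cn = strstr(dn, "/CN="), *slash;
    if (cn == NULL) return 0;
    cn += 4;
    if ((slash = strchr(cn, '/')) != NULL) cn = slash + 1;
    return strcasecmp(cn, hostname) == 0;
}

/* Check 3: explicitly expected DN, compared with strcmp() on the
 * X509_NAME_oneline()-style string, so case differences are a mismatch. */
int explicit_dn_matches(const char *peer_dn, const char *expected_dn) {
    return strcmp(peer_dn, expected_dn) == 0;
}

int main(void) {
    const char *u = gridmap_lookup("/O=Grid/OU=Example/CN=Alice Example");
    printf("alice maps to: %s\n", u ? u : "(unmapped)");
    printf("host CN ok: %d\n", host_cn_matches("/O=Grid/CN=host/GATEKEEPER.example.org", "gatekeeper.example.org"));
    return 0;
}
```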