GRIDportal RFC01 : authentication mechanism

pages: 01 | 02 | 03 | 04
User interface

Register at GRIDportal

Please be advised that you must enter a valid email address. You will need this address later to complete the registration procedure.
NOTE: Please do take great care in not forgetting the username or password you enter below. There is no possibility of looking them up for you, if you become locked out of your account, you will have to register a new one.
first name:
last name:
email address:
The top fields are necessary to store in the certificate. The username is needed to keep track of the user on GRIDportal. A password is needed to create a certificate.

The input to the certificate is the above form, including the password. The same password is used for accessing GRIDportal. The same password will later be used to store the certificate with myProxy.
To generate a certificate we need grid-cert-request, but since that is an interactive program, we can use the GridCertRequest java class from CoGkit and write a simple client to do the same.

The security angle

A certificate is considered compromised once the private key is seen by the opposite party, which is GRIDportal. However, our goal is to build a user friendly system, so the user should not have to do anything on the workstation. The certificate is here created and subsequently sent to a certificate authority for signing. The user will also download it. It is then removed from the server.

Proposed solution: Let us first ask ourselves: what is the security threat exactly of the private key being revealed to the portal? Who can abuse it? The local Unix users, correct? Then what about deploying all of GRIDportal on a dedicated box, with just the components needed by GRIDportal installed (including NordugGrid/ARC client) and seal it off from all users? Would that not solve the problem?