GRIDportal RFC01 : authentication mechanism

pages: cert_new | cert_sign | myproxy_reg | user_login
Version 1.1
To improve security, a new authentication model was devised. The main security threat is seen to be the practice of sending certificates to the server: a compromised server could allow an attacker to intercept private keys. A compromise solution is presented here, which will hopefully both improve security and still accommodate a reasonably user-friendly mechanism.

User interface

Register on GRIDportal

Once you have a signed certificate, you are required to register with GRIDportal. Your certificate will be transferred to GRIDportal, and after this is complete you will no longer need it on your computer.
certificate: cert.pem
username:
password:
Design
We may as well call this "account activation". The purpose is to send the certificate to myProxy (over a direct socket connection, not through the portal) and store it there under the username and password the user supplied earlier.

We can let myProxy policy determine who gets access and who does not.

NOTE: This is where use of the client application ends; it is only required for registration, not for everyday use.
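The activation step above, written out as an added example using the standard MyProxy command-line tools (this is not code from the RFC or from GRIDportal). The server host name, the portal's certificate DN and the lifetimes are assumed placeholders; the client uploads its credential directly to MyProxy and restricts retrieval to the portal's identity, and the portal later fetches a short-lived proxy with only the username and password.

```shell
#!/bin/sh
# Assumed placeholders: replace with the real MyProxy host and portal host DN.
MYPROXY_SERVER="myproxy.example.org"
PORTAL_DN="/O=Grid/OU=GRIDportal/CN=portal.example.org"
CRED_LIFETIME_HOURS=168   # how long the stored credential remains retrievable
PROXY_LIFETIME_HOURS=12   # lifetime of each proxy handed to the portal

# The username ends up on a command line and in a server-side policy, so
# accept only a conservative character set and reject a leading '-' (which
# myproxy-init would otherwise parse as an option). Returns 0 if acceptable.
valid_username() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Client side, run once at registration: upload the credential to MyProxy.
# myproxy-init prompts for the passphrase that protects the stored credential;
# -r limits who may retrieve a proxy to the portal's certificate DN, so a
# stolen username/password alone is not enough from an arbitrary host.
register_with_myproxy() {
  user="$1"
  valid_username "$user" || { echo "rejected username: $user" >&2; return 1; }
  myproxy-init -s "$MYPROXY_SERVER" -l "$user" \
    -c "$CRED_LIFETIME_HOURS" -t "$PROXY_LIFETIME_HOURS" \
    -r "$PORTAL_DN"
}

# Portal side, run at every login: obtain a proxy for the user. The password
# is read from stdin (-S) so it never appears in the process list.
portal_get_proxy() {
  user="$1"; out="$2"
  valid_username "$user" || return 1
  myproxy-logon -s "$MYPROXY_SERVER" -l "$user" \
    -t "$PROXY_LIFETIME_HOURS" -o "$out" -S
}

# Matching server-side policy (myproxy-server.config fragment) that lets the
# MyProxy server, not the portal, decide who may retrieve stored credentials.
server_policy_fragment() {
  cat <<EOF
accepted_credentials  "*"
authorized_retrievers "$PORTAL_DN"
default_retrievers    "$PORTAL_DN"
EOF
}
```

The myproxy-init and myproxy-logon calls only run when the functions are invoked; the policy fragment is what an administrator would merge into the server's configuration.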
Implementation