Using OGRO and CertiVeR to Improve OCSP Validation for Grids

Luna, Jesus; Medina, Manel; Manso, Oscar

doi:10.1007/11745693_2

Jesus Luna¹⁸,
Manel Medina¹⁸ &
Oscar Manso¹⁹

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 3947))

Included in the following conference series:

International Conference on Grid and Pervasive Computing

549 Accesses

Abstract

Authentication and authorization in many distributed systems rely on the use of cryptographic credentials that in most of the cases have a defined lifetime. This feature mandates the use of mechanisms able to determine whether a particular credential can be trusted at a given moment. This process is commonly named validation. Among available validation mechanisms, the Online Certificate Status Protocol (OCSP) stands out due to its ability to carry near real time certificate status information. Despite its importance for security, OCSP faces considerable challenges in the computational Grid (i.e. Proxy Certificate’s validation) that are being studied at the Global Grid Forum’s CA Operations Work Group (CAOPS-WG). As members of this group, we have implemented an OCSP validation infrastructure for the Globus Toolkit 4, composed of the CertiVeR Validation Service and our Open GRid Ocsp (OGRO) client library, which introduced the Grid Validation Policy. This paper summarizes our experiences on that work and the results obtained up to now. Furthermore we introduce the pre-validation concept, a mechanism analogous to the Authorization Push-Model, capable of improving OCSP validation performance in Grids. This paper also reports the results obtained with OGRO’s pre-validation rules for Grid Services as a proof of concept.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

An Architecture for Trustworthy Open Data Services

Trust Revoked — Practical Evaluation of OCSP- and CRL-Checking Implementations

Formally verified bundling and appraisal of evidence for layered attestations

Article 04 September 2022

References

Housley, R., et al.: RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (April 2002)
Google Scholar
Myers, M., et al.: RFC 2560: X.509 Internet Public Key Infrastructure, Online Certificate Status Protocol – OCSP (June 1999)
Google Scholar
The Globus Toolkit 4, http://www.globus.org
Tuecke, S., et al.: RFC 3820: Internet X.509 Public Key Infrastructure (PKI), Proxy Certificate Profile (June 2004)
Google Scholar
OCSP Requirements for Grids. Global Grid Forum, CA Operations Work Group. Working Document (May 2005), https://forge.gridforum.org/projects/caops-wg
CertiVeR: Certificate Revocation and Validation Service, http://www.certiver.com
Luna, J., Manso, O., Medina, M.: Towards a unified authentication and authorization infrastructure for grid services: Implementing an enhanced OCSP service provider into GT4. In: Chadwick, D., Zhao, G. (eds.) EuroPKI 2005. LNCS, vol. 3545, pp. 36–54. Springer, Heidelberg (2005), http://sec.cs.kent.ac.uk/europki2005/
Chapter Google Scholar
OGRO - The Open GRid Ocsp client API, http://grid-globus.certiver.com/info/ogro
von Laszewski, G., Foster, I., Gawor, J., Lane, P.: A Java Commodity Grid Kit. Concurrency and Computation: Practice and Experience 13(8-9), 643–662 (2001), http://www.cogkit.org/
Article MATH Google Scholar
Vollbrecht, J., et al.: RFC 2904: AAA Authorization Framework (August 2000)
Google Scholar
Pearlman, L., et al.: A Community Authorization Service for Group Collaboration. In: IEEE 3rd International Workshop on Policies for Distributed Systems and Networks (2002)
Google Scholar
Alfieri, R., et al.: VOMS, an Authorization System for Virtual Organizations. Presented at the 1st European Across Grids Conference, Santiago de Compostela, Spain (February 2003), http://infnforge.cnaf.infn.it/voms/VOMS-Santiago.pdf
Lorch, M., Kafura, D.: The PRIMA Grid Authorization System. Journal of Grid Computing 2, 279–298 (2004)
Article MATH Google Scholar
The OpenSSL software, http://www.openssl.org
Welch, V., et al.: An online credential repository for the Grid: MyProxy. In: 10th IEEE International Symposium on High Performance Distributed Computing, San Francisco, CA. IEEE Computer Society Press, Los Alamitos (2001)
Google Scholar
Data Grid: Security for the RLS, http://edg-wp2.web.cern.ch
The Openvalidation service, http://www.openvalidation.org

Download references

Author information

Authors and Affiliations

Computer Architecture Department, Polytechnic University of Catalonia, Jordi Girona 1-3, 08034, Barcelona, Spain
Jesus Luna & Manel Medina
CertiVeR, Technical Director, Diputacion 238, Spain
Oscar Manso

Authors

Jesus Luna
View author publications
You can also search for this author in PubMed Google Scholar
Manel Medina
View author publications
You can also search for this author in PubMed Google Scholar
Oscar Manso
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Department of Computer Science, National Tsing Hua University, 30013, Hsinchu, Taiwan
Yeh-Ching Chung
IBM Thomas J. Watson Research Center, Yorktown Heights, NY, USA
José E. Moreira

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Luna, J., Medina, M., Manso, O. (2006). Using OGRO and CertiVeR to Improve OCSP Validation for Grids. In: Chung, YC., Moreira, J.E. (eds) Advances in Grid and Pervasive Computing. GPC 2006. Lecture Notes in Computer Science, vol 3947. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11745693_2

Download citation

DOI: https://doi.org/10.1007/11745693_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-33809-3
Online ISBN: 978-3-540-33810-9
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics