Using OGRO and CertiVeR to improve OCSP validation for Grids

The Journal of Supercomputing

Abstract

Authentication and authorization in many distributed systems rely on cryptographic credentials that in most cases have a defined lifetime. This feature mandates the use of mechanisms able to determine whether a particular credential can be trusted at a given moment, a process commonly named validation. Among the available validation mechanisms, the Online Certificate Status Protocol (OCSP) stands out for its ability to carry near-real-time certificate status information. Despite its importance for security, OCSP faces considerable challenges in the computational Grid (i.e. Proxy Certificate’s validation) that are being studied at the Global Grid Forum’s CA Operations Work Group (CAOPS-WG). As members of this group, we have implemented an OCSP validation infrastructure for the Globus Toolkit 4, composed of the CertiVeR Validation Service and our Open GRid Ocsp (OGRO) client library, which introduced the Grid Validation Policy. This paper summarizes our experiences with that work and the results obtained up to now. Furthermore, we introduce the prevalidation concept, a mechanism analogous to the Authorization Push-Model, capable of improving OCSP validation performance in Grids. This paper also reports the results obtained with OGRO’s prevalidation rules for Grid Services as a proof of concept.


Author information

Corresponding author

Correspondence to Jesus Luna.

About this article

Cite this article

Luna, J., Medina, M. & Manso, O. Using OGRO and CertiVeR to improve OCSP validation for Grids. J Supercomput 42, 253–266 (2007). https://doi.org/10.1007/s11227-007-0120-x

  • DOI: https://doi.org/10.1007/s11227-007-0120-x
