Abstract
Authentication and authorization in many distributed systems rely on cryptographic credentials that, in most cases, have a defined lifetime. This property mandates mechanisms able to determine whether a particular credential can be trusted at a given moment, a process commonly named validation. Among the available validation mechanisms, the Online Certificate Status Protocol (OCSP) stands out due to its ability to carry near-real-time certificate status information. Despite its importance for security, OCSP faces considerable challenges in the computational Grid (i.e. Proxy Certificate validation) that are being studied at the Global Grid Forum’s CA Operations Work Group (CAOPS-WG). As members of this group, we have implemented an OCSP validation infrastructure for the Globus Toolkit 4, composed of the CertiVeR Validation Service and our Open GRid Ocsp (OGRO) client library, which introduced the Grid Validation Policy. This paper summarizes our experiences with that work and the results obtained so far. Furthermore, we introduce the prevalidation concept, a mechanism analogous to the Authorization Push-Model, capable of improving OCSP validation performance in Grids. This paper also reports the results obtained with OGRO’s prevalidation rules for Grid Services as a proof of concept.
Cite this article
Luna, J., Medina, M. & Manso, O. Using OGRO and CertiVeR to improve OCSP validation for Grids. J Supercomput 42, 253–266 (2007). https://doi.org/10.1007/s11227-007-0120-x