Evaluation of the GLOBUS authentication architecture

(With feedback from the GLOBUS developers)

Francesco Prelz - INFN Milano
Lyon, June 30th, 2000

What do we need ?

How does the Globus authentication architecture work ?

What we like.

 access_id_CA      X509         '/C=US/O=Globus/CN=Globus Certification Authority'

 pos_rights        globus        CA:sign

 cond_subjects     globus     '"/C=us/O=Globus/*" "/C=US/O=Globus/*"'

What we don't currently like:

  1. Granting local "identities" based only on certificate subjects allows the existance of multiple valid certificates for the same subject. Or: given that passwords are always "hotel keys", and never "car keys", in this case an innkeeper from another continent can enter your room disguised as your wife (or husband).

  2. The authentication library is based on OpenSSL, but it is not currently in sync with the OpenSSL development (it links against OpenSSL 0.9.1c at latest).

  3. The authentication library provides cryptic diagnostics (e.g. "certificate chain too long" when the CA policy check fails).

  4. A note from the INFN security experts: the model where generally valid (even if for a limited time only) private keys are available on remote hosts fits a world where all system administrators are honest and able to implement a seamless security model. As we pointed out, this could be less of a problem in our case.

Answers from the GLOBUS developers:

  1. Eventually the Certificate Revocation List check and policy, which is currently handled by the Globus GSS implementation, will be handled by the underlying OpenSSL. There will be the possibility even to fetch a fresh CRL on each certificate check. What we are more likely to use is a periodic update of the CRL.

  2. As of Globus v1.1.3 one should be able to link with the current OpenSSL, (but this isn't stated or written anywhere: we still have to test this).

  3. The diagnostic message structure is under review.

  4. A scheme for very fine-grained "limited" proxies is being developed. Currently the only limit that can be enforced prevents further certificate delegation by the GSS library.