DutchGrid Certification Authority User Information

This user information page is directed to users or administrators of Globus and Grid services in the Netherlands. In order to use the Grid in a secure fashion, a mutual trust relationship needs to be established between Grid service providers (machines or services like the Gatekeeper or the FTP daemon) and Grid users (individuals that need to access these resources). Such a mutual trust relation is created using transport-level security (like SSL) based on asymmetric public-private key cryptography. You might recognise this concept from so-called "secure web sites", frequently used to secure the exchange of sensitive information like credit-card details.
The identity (authentication) of services and users is based on "certificates": files that contain the public key of the user's key pair, details about the identity (like name and affiliation), and administrative information like expiry date and purpose. This information is bound together and digitally signed by a trusted third party, the "Certification Authority". Examples of well-known commercial CAs are Verisign and Thawte. NIKHEF operates such a CA as a courtesy service for DutchGrid as part of DataGrid WP6 (testbed).
Within this Public Key Infrastructure (PKI), the Certification Authority (CA) plays a pivotal role. It is the final authority, recognised by all subscribers and relying parties as making a well-informed and correct assessment of whether the public key belongs to the entity named in the certificate. For example, if Mr. John Foo Bar generates a key pair and submits it for signing by a CA, his eventual signed certificate will testify that the private key pertaining to this key pair is in the possession of someone named "John Foo Bar" and that he and only he can be the one behind any electronic actions signed with the associated private key.
The CAs operated for DutchGrid are a "medium-security" CA and a "worthless Demo CA". "Medium-security" implies that the CA will do all reasonable checks to assert the requestor's identity (e.g., by phone, by personal visit, or by checking a passport or driver's license with photograph). It will also check the affiliation of both users and server entities. The CA is physically secured in a locked room, not connected to any kind of network, etc. On the other hand, "medium-security" in this case also implies that the CA can be operated by one person, and that no external (expensive) auditing is done. Also, use of the certificates by subscribers or relying parties for financial purposes is not permitted.
In order to facilitate the identity checks, the DutchGrid CA has delegated part of the verification process to "Registration Authorities" (RAs). In case an RA has been assigned to your institute, please refer your requests to the RA. See below for a list of RAs.
Requests for certification have to be sent by electronic mail to your DutchGrid Registration Authority or the DutchGrid CA. Preferably, such a mail is generated using the "Build-a-Request" form on the web:
Build-a-Request Web Interface (also available over an unsecured connection).
You can use this interface regardless of whether you have the Globus Toolkit installed or not. And, besides personal identity certificates, you can also request "service" and "host" certs.
After completing the on-line forms, you will download a 'shell script' or an 'MS-DOS batch command file' that will create a cryptographic key pair for you. One part of this key pair (the public key) will be embedded in your certificate; the other part (the private key) you must keep private. Both parts of the key pair will end up in two separate files in your $HOME/.globus/ directory. For the medium-security production CA, and on Unix or Linux systems only, an electronic mail will automatically be sent to the CA for processing. In all other cases, mail the file "usercert_request.pem" (but never the "userkey.pem" file!) to the DutchGrid CA, and specify the following additional information:
You can request rekeying of your medium-security DutchGrid certification by signed electronic mail, if and only if your last full application is not older than three (3) years, and your last application included your personal details and registration of your photo ID. This e-mail must contain a new certificate request, with the same subject name as the previous certificate but with a new key pair. Renewing your certification using the old key pair is not possible under the medium-security policy. The e-mail must be digitally signed by your "old" private key and be in the S/MIME format. To facilitate the generation of this signed e-mail, you can use the renewcert-dutchgrid.sh shell script. This script requires the presence of an OpenSSL executable for your platform, and a basic set of file utilities (sed, rm, date, hostname, a Bourne-shell-compatible sh and a SysV-compatible echo).
Once you have sent this e-mail, contact your Registration Authority for confirmation.
PS: DutchDemo certificates are not eligible for rekeying.
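The following is an added example, not the Build-a-Request output nor DutchGrid's own renewcert-dutchgrid.sh. It shows the two steps described above in plain OpenSSL commands: generating a key pair with the request in usercert_request.pem and the private key in a owner-only userkey.pem (the file that must never be mailed), and wrapping a rekeying request in an S/MIME message signed with the old private key. It also shows the checks a receiving RA or CA would apply to such a rekeying request: the S/MIME signature verifies and was made with the old certificate, the new request carries the same subject name, and the public key is genuinely new. Because no CA is reachable offline, a self-signed stand-in plays the role of the subscriber's old certificate; every directory, file name beyond the two Globus ones, subject string and function name is a constructed placeholder, and the only assumption is an OpenSSL executable on PATH.

```shell
#!/bin/sh
# Added example (not DutchGrid's own script). Assumes an OpenSSL binary on PATH.
# All subjects and paths are constructed placeholders.

# make_request DIR SUBJECT
# Generate a fresh 2048-bit RSA key pair and a PEM certificate request.
# usercert_request.pem may be mailed to the RA/CA; userkey.pem stays private.
make_request() {
    dir=$1; subject=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # umask 077 in a subshell: the key file is created owner-readable only.
    # -nodes writes the key unencrypted so this runs unattended; in real use
    # leave -nodes out so OpenSSL protects userkey.pem with a passphrase.
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/userkey.pem" -out "$dir/usercert_request.pem" \
        -subj "$subject" >/dev/null 2>&1 ) || return 1
    chmod 600 "$dir/userkey.pem"
    chmod 644 "$dir/usercert_request.pem"
}

# make_stand_in_old_cert DIR SUBJECT
# Constructed substitute for the subscriber's existing CA-issued certificate,
# so the signing step can run offline. A real rekeying uses the real old
# certificate and key; never a self-signed one.
make_stand_in_old_cert() {
    dir=$1; subject=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    ( umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/oldkey.pem" -out "$dir/oldcert.pem" \
        -subj "$subject" >/dev/null 2>&1 ) || return 1
}

# sign_rekey_request DIR
# Wrap the new request in an S/MIME message signed with the OLD private key,
# the form in which a rekeying request is mailed.
sign_rekey_request() {
    dir=$1
    openssl smime -sign -in "$dir/usercert_request.pem" \
        -signer "$dir/oldcert.pem" -inkey "$dir/oldkey.pem" \
        -out "$dir/rekey_request.smime" 2>/dev/null
}

# check_rekey_request DIR
# Receiving-side checks. Prints "ok" and returns 0 only if:
#   1. the S/MIME signature verifies (content not altered in transit),
#   2. the signer certificate is the subscriber's old certificate,
#   3. the request carries the same subject name as the old certificate,
#   4. the request's public key differs from the old one (a real rekey).
check_rekey_request() {
    dir=$1
    # -noverify skips chain validation (no CA chain is available offline);
    # the signature over the content is still verified, and the signer's
    # certificate is written to signer_seen.pem for check 2.
    openssl smime -verify -in "$dir/rekey_request.smime" -noverify \
        -signer "$dir/signer_seen.pem" \
        -out "$dir/verified_request.pem" >/dev/null 2>&1 || return 1
    old_fp=$(openssl x509 -in "$dir/oldcert.pem" -noout -fingerprint -sha256)
    seen_fp=$(openssl x509 -in "$dir/signer_seen.pem" -noout -fingerprint -sha256)
    [ "$old_fp" = "$seen_fp" ] || return 1
    # RFC2253 name formatting on both sides so the strings are comparable.
    old_subj=$(openssl x509 -in "$dir/oldcert.pem" -noout -subject -nameopt RFC2253)
    new_subj=$(openssl req -in "$dir/verified_request.pem" -noout -subject -nameopt RFC2253)
    [ "$old_subj" = "$new_subj" ] || return 1
    old_pub=$(openssl x509 -in "$dir/oldcert.pem" -noout -pubkey)
    new_pub=$(openssl req -in "$dir/verified_request.pem" -noout -pubkey)
    [ "$old_pub" != "$new_pub" ] || return 1
    echo ok
}

# Stand-alone walk-through on a temporary directory (placeholder subject).
demo() {
    d=$(mktemp -d)
    subj="/C=NL/O=example/CN=Placeholder User"
    make_stand_in_old_cert "$d" "$subj"
    make_request "$d" "$subj"
    sign_rekey_request "$d"
    check_rekey_request "$d"
}
```

Check 2 is what makes the S/MIME signature meaningful for the CA: a message that verifies under some other certificate proves nothing about who holds the old key. Check 4 enforces the policy stated above that the old key pair may not be reused, and check 3 catches a request that would silently change the subject name while riding on an old signature.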
Registration Authorities mediate your request and perform part of the identity verification process. Please refer to the RA assigned to your site. If you do not have an RA yet, you can contact the DutchGrid CA operator directly, but be prepared to identify yourself in person with a passport or driver's license.