Fedcloud-tf:WorkGroups:Federated AAI:per-user sub-proxy

From EGIWiki
Revision as of 10:51, 11 February 2015 by Paul (talk | contribs) (Created page with "= The per-user sub-proxy = The purpose of a per-user sub-proxy is to allow a robot certificate to identify that it is operating on behalf of some specific user.  This is ac...")

The per-user sub-proxy

The purpose of a per-user sub-proxy is to allow a robot certificate to identify that it is operating on behalf of some specific user.  This is achieved by creating a proxy certificate such that:

  • The same user of the portal will always have the same DN
  • All other users will have a different DN

The End-Entity Certificate (EEC) is the certificate issued by the CA. 

For the per-user sub-proxy certificate to be valid, the following conditions must hold:

  • The EEC must be a robot certificate
  • There must be exactly one per-user sub-proxy certificate
  • The per-user sub-proxy certificate must be the first proxy after the EEC

If these conditions are not satisfied then software must process requests as if the EEC issued the request.

The robot credential used to issue per-user sub-proxy credentials must not be used for any other purpose.

Software must verify the complete chain: all proxies, the EEC and the CA(s).
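As an added example (not code from the EGI wiki or from any EGI service), the following Python models the naming and chain-structure rules above: a deterministic per-user CN so that the same portal user always gets the same sub-proxy DN, and a resolver that walks a chain ordered root CA first and returns the DN that software must treat as the requester, falling back to the EEC whenever the three conditions are not all met. It assumes conventions the page does not fix: a robot EEC is recognised by a CN beginning with "Robot:", an ordinary RFC 3820 proxy carries a decimal-serial CN (legacy proxies use "proxy" or "limited proxy"), and any other proxy CN marks a per-user sub-proxy. Signature, validity-period and proxy-policy checks are left to the GSI/TLS layer and are not shown; the sample DNs are constructed.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model: OpenSSL-style DNs, no signature material."""
    subject: str            # e.g. "/DC=eu/DC=example/CN=Robot: science portal"
    issuer: str
    is_ca: bool = False


ROBOT_CN = re.compile(r"^Robot[: ]")   # assumed robot naming convention


def last_cn(dn: str) -> Optional[str]:
    """Value of the last CN component of a DN (CN values must not contain '/')."""
    cns = [p[3:] for p in dn.split("/") if p.startswith("CN=")]
    return cns[-1] if cns else None


def is_proxy_of(cert: Cert, parent: Cert) -> bool:
    """A proxy is issued by its parent and its subject is the parent's subject
    plus exactly one extra CN component (RFC 3820 naming rule)."""
    if cert.issuer != parent.subject:
        return False
    if not cert.subject.startswith(parent.subject + "/CN="):
        return False
    extra = cert.subject[len(parent.subject) + 1:]
    return "/" not in extra


def is_ordinary_proxy(cert: Cert) -> bool:
    """Assumed: decimal-serial CN (RFC 3820) or legacy 'proxy'/'limited proxy'."""
    cn = last_cn(cert.subject) or ""
    return cn.isdigit() or cn in ("proxy", "limited proxy")


def is_robot(cert: Cert) -> bool:
    return bool(ROBOT_CN.match(last_cn(cert.subject) or ""))


def per_user_cn(portal_user_id: str) -> str:
    """Assumed scheme for the sub-proxy CN: a stable hash of the portal's user id,
    so one user always maps to one DN and distinct users to distinct DNs."""
    digest = hashlib.sha256(portal_user_id.encode("utf-8")).hexdigest()[:16]
    return f"user:{digest}"


def effective_identity(chain: List[Cert]) -> str:
    """chain is ordered root CA first, leaf proxy last.
    Returns the DN software must process the request under."""
    if not chain:
        raise ValueError("empty chain")
    # 1. CA section: self-signed root, then any intermediate CAs in issuing order
    if not chain[0].is_ca or chain[0].issuer != chain[0].subject:
        raise ValueError("chain does not start with a self-signed CA")
    i = 1
    while i < len(chain) and chain[i].is_ca:
        if chain[i].issuer != chain[i - 1].subject:
            raise ValueError("broken CA chain")
        i += 1
    if i == len(chain):
        raise ValueError("no end-entity certificate in chain")
    eec = chain[i]
    if eec.issuer != chain[i - 1].subject:
        raise ValueError("EEC not issued by the preceding CA")
    # 2. Proxy section: each remaining cert must be a proxy of its predecessor
    proxies = chain[i + 1:]
    for parent, proxy in zip(chain[i:], proxies):
        if not is_proxy_of(proxy, parent):
            raise ValueError(f"invalid proxy in chain: {proxy.subject}")
    # 3. Per-user sub-proxy rules: robot EEC, exactly one sub-proxy, and it is
    #    the first proxy after the EEC; otherwise the EEC is the requester
    sub_proxies = [p for p in proxies if not is_ordinary_proxy(p)]
    if is_robot(eec) and proxies and len(sub_proxies) == 1 and sub_proxies[0] == proxies[0]:
        return proxies[0].subject
    return eec.subject


# Constructed sample chain: CA -> robot EEC -> per-user sub-proxy -> ordinary proxy
CA = Cert("/DC=eu/DC=example/CN=Example CA", "/DC=eu/DC=example/CN=Example CA", is_ca=True)
ROBOT = Cert("/DC=eu/DC=example/CN=Robot: science portal", CA.subject)
SUB = Cert(ROBOT.subject + "/CN=" + per_user_cn("alice@example.org"), ROBOT.subject)
LEAF = Cert(SUB.subject + "/CN=123456", SUB.subject)
VALID_CHAIN = [CA, ROBOT, SUB, LEAF]

if __name__ == "__main__":
    print(effective_identity(VALID_CHAIN))
```

Running the module prints the sub-proxy DN for the sample chain; a chain with a non-robot EEC, two sub-proxies, or a sub-proxy that is not directly below the EEC resolves to the EEC's own DN instead, and a structurally broken chain raises rather than falling back.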

User identity and VO information

Membership of Virtual Organisations (VO) is handled by acquiring an Attribute Certificate (AC) from a VO-membership service. For EGI FedCloud, this is the Perun service. The AC is issued for a specific DN. The AC is embedded within a proxy certificate to form a VOMS proxy certificate.

Currently, the robot is a member of a VO.  Any per-user sub-proxy is then automatically a member of that VO.  This means that the portal must have some way (outside of Perun) of discovering whether or not a user is a member of a VO.