Grid Security Infrastructure (GSI) v2: Frequently Asked Questions

  1. Can we use Globus/Grid certificates for other purposes?
  2. How do we add new trusted CAs in Globus software?
  3. How is certificate revocation implemented in Globus?
  4. What is Certificate Delegation?
  5. How can Kerberos be integrated with certificate based authentication?
  6. What new features are planned for GSI (Grid Security Infrastructure)?
  7. How do I get a certificate for use with the Globus Toolkit?

Can we use Globus/Grid certificates for other purposes?

Using a Globus certificate for other applications, such as e-mail or the web, is technically feasible. Those applications require the key usage extension to be present, and in some cases vendor-specific extensions as well. The easiest way to obtain a certificate with the right fields is to have a browser such as Netscape or IE generate the multi-purpose certificate. The certificate and private key can then be transferred to the Globus directory in PKCS#12 format, which Netscape is known to export (IE has not been checked). The certificate can also be written to a smart card using either Grid or Netscape software; the Globus Project has demonstrated a smart card holding a GSI certificate in the PCMCIA slot of a portable PC.
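As an added example (not code from the Globus Project), the following POSIX shell script performs the PKCS#12 transfer described above with the openssl command-line tool, splitting the bundle into the usercert.pem and userkey.pem pair GSI reads, and then prints the certificate's key-usage extensions so you can confirm it carries what each application needs. The file names and permissions are the Globus conventions; the destination directory, the passphrase handling and the throwaway self-signed certificate built by make_demo_bundle are assumptions made here so the script can run offline (a real bundle comes from the browser's export dialog).

```shell
#!/bin/sh
# Added example (not Globus code): import a browser-exported PKCS#12 bundle
# into the usercert.pem / userkey.pem pair GSI expects, keeping the key
# passphrase-protected, then show the key-usage extensions.  Needs openssl.
set -eu

# import_p12 BUNDLE.p12 DESTDIR PASSPHRASE
#   DESTDIR/usercert.pem  certificate only, world-readable (mode 444)
#   DESTDIR/userkey.pem   private key only, still encrypted, owner-only (400)
# GSI refuses a private key that others can read, hence the modes.
import_p12() {
    bundle=$1 dest=$2 pw=$3
    mkdir -p "$dest"
    # -clcerts: only the end-entity certificate, not CA certificates the
    # browser may have bundled with it.
    openssl pkcs12 -in "$bundle" -clcerts -nokeys -passin "pass:$pw" \
        -out "$dest/usercert.pem"
    # -nocerts: only the key; -passout keeps it encrypted on disk (-nodes
    # would write it in the clear).  Subshell so the umask does not leak.
    ( umask 077
      openssl pkcs12 -in "$bundle" -nocerts -passin "pass:$pw" \
          -passout "pass:$pw" -out "$dest/userkey.pem" )
    chmod 444 "$dest/usercert.pem"
    chmod 400 "$dest/userkey.pem"
}

# key_usage CERT.pem: subject plus any (extended) key usage lines, so the
# administrator can check what the certificate is allowed to be used for.
key_usage() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Key Usage' \
        || echo "no key usage extension present"
}

# make_demo_bundle DIR PASSPHRASE: constructed test data, a self-signed
# certificate for "Jane Doe" packed into DIR/jane.p12 as a browser would.
# The minimal config file avoids depending on a system openssl.cnf.
make_demo_bundle() {
    dir=$1 pw=$2
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -days 1 \
        -subj "/O=Grid/OU=Example/CN=Jane Doe" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -passout "pass:$pw" 2>/dev/null
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -passin "pass:$pw" -passout "pass:$pw" -out "$dir/jane.p12"
    echo "$dir/jane.p12"
}
```

Usage: `import_p12 jane.p12 ~/.globus 'your passphrase'` followed by `key_usage ~/.globus/usercert.pem`. The key is re-encrypted under the same passphrase rather than written in the clear, because a browser-exported key that ends up unencrypted in a home directory is the usual way a multi-purpose credential leaks.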

There are security considerations in using one certificate for several purposes, however. Normally different certificates are issued for different purposes: a key that is also used by a mail client or browser is exposed to that software and its weaknesses, and if it has to be revoked, every use of it is revoked at once. Care should be taken when considering whether to mix security credentials, even in the early stages of a project.

How do we add new trusted CAs in Globus software?

New CAs are added by placing the CA certificate in the client's or server's trusted-CA store and then adding an entry for the CA to the certificate signing policy file. The signing policy file defines which CAs are allowed to sign certificates and which subject names each CA may sign, so a newly trusted CA cannot issue certificates in another CA's namespace. Adding new CAs to an existing Grid is admittedly a significant administrative overhead, since every participating host must be updated, so we do not recommend that it be done frequently.

Directions for doing so may be found here.
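As an added example (not the Globus Project's own installation script), the following POSIX shell script installs a CA certificate into the trusted store and writes its signing-policy entry. The file layout assumed here is the one the Globus Toolkit uses, CERTDIR/<hash>.0 for the CA certificate and CERTDIR/<hash>.signing_policy for the policy; CERTDIR, the subject namespace you allow the CA to sign, and the throwaway CA built by make_demo_ca are assumptions made here so the script can run offline.

```shell
#!/bin/sh
# Added example (not Globus code): install a new CA into the GSI trusted
# certificate store and write the matching signing-policy file.  Needs openssl.
set -eu

# ca_hash CA.pem: OpenSSL's subject-name hash, used as the file-name stem.
# Caveat: OpenSSL 1.0 changed the hash algorithm; a toolkit built against an
# older OpenSSL expects the value from -subject_hash_old instead.
ca_hash() {
    openssl x509 -in "$1" -noout -hash
}

# ca_subject CA.pem: subject DN in the slash-separated form the policy file
# uses (-nameopt compat keeps that form on newer OpenSSL releases).
ca_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# add_trusted_ca CA.pem CERTDIR NAMESPACE
# NAMESPACE is the subject prefix the CA may sign, e.g. "/O=Grid/OU=Example/*".
# Prints the hash on success.
add_trusted_ca() {
    ca=$1 dir=$2 ns=$3
    # A leaf certificate dropped in here would let its holder mint
    # credentials for the whole Grid, so insist on the CA basic constraint.
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || {
        echo "refusing $ca: not a CA certificate (no CA:TRUE)" >&2
        return 1
    }
    hash=$(ca_hash "$ca")
    subject=$(ca_subject "$ca")
    mkdir -p "$dir"
    cp "$ca" "$dir/$hash.0"
    chmod 444 "$dir/$hash.0"
    # EACL format: who may sign (the CA), the right granted, and for which
    # subject names.  A DN outside NAMESPACE is rejected even if the CA
    # signed it.
    cat > "$dir/$hash.signing_policy" <<EOF
# Signing policy for $subject
access_id_CA      X509         '$subject'
pos_rights        globus        CA:sign
cond_subjects     globus       '"$ns"'
EOF
    echo "$hash"
}

# make_demo_ca DIR: constructed test data, a self-signed "Example CA".
make_demo_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Grid/OU=Example/CN=Example CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
    echo "$dir/ca.pem"
}
```

Usage: `add_trusted_ca newca.pem /etc/grid-security/certificates "/O=Grid/OU=Example/*"`. Keep the namespace as narrow as the CA's own policy allows: the signing policy is what stops a trusted CA from vouching for names that belong to another organisation.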

How is certificate revocation implemented in Globus?

Each CA has a CRL (Certificate Revocation List) file in the trusted certificates directory. GSI consults only this local copy, so the files must be refreshed routinely from the CA's master copy, before the nextUpdate time in the current copy passes. To be effective, a collaboration will need a common policy between CAs for updating CRLs, e.g. how quickly a compromised certificate is published and how often sites must fetch the list.

Note that any user with a valid certificate can be prevented from using a particular resource at any time simply by removing their entry from that resource's grid map file, which maps certificate subject names to local accounts. This is local to the resource and takes effect immediately, independently of the CA's CRL.
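As an added example (not Globus code), the following POSIX shell script covers both revocation levels described above: install_crl refreshes one CA's CRL in the trusted store but only after verifying that the CA actually signed it, and gridmap_lookup / gridmap_remove handle the resource-local lever, the grid-mapfile. The file layout (CERTDIR/<hash>.0 for the CA, CERTDIR/<hash>.r0 for its CRL, quoted-DN lines in the grid-mapfile) follows the Globus conventions; the directories and the sample grid-mapfile built by make_demo_gridmap are constructed for this example.

```shell
#!/bin/sh
# Added example (not Globus code): CRL refresh with signature check, and
# grid-mapfile lookup/removal.  install_crl needs openssl; the rest is awk.
set -eu

# install_crl NEW.crl CERTDIR
# Accept the CRL only if it verifies against the CA already trusted as
# CERTDIR/<hash>.0: someone who can tamper with the download must not be able
# to feed us an empty or stale list.  Installed as CERTDIR/<hash>.r0.
install_crl() {
    crl=$1 dir=$2
    hash=$(openssl crl -in "$crl" -noout -hash)     # issuer-name hash
    ca="$dir/$hash.0"
    [ -f "$ca" ] || { echo "no trusted CA $ca for this CRL" >&2; return 1; }
    # -CAfile makes openssl check the CRL signature; non-zero exit on failure.
    openssl crl -in "$crl" -noout -CAfile "$ca" >/dev/null || {
        echo "CRL signature does not verify against $ca" >&2; return 1; }
    openssl crl -in "$crl" -noout -nextupdate        # when this copy goes stale
    cp "$crl" "$dir/$hash.r0.tmp" && mv "$dir/$hash.r0.tmp" "$dir/$hash.r0"
}

# Shared awk code: split a grid-mapfile line such as
#   "/O=Grid/OU=Example/CN=Jane Doe" jdoe,guest
# into SUBJ (the quoted DN) and ACCTS (the comma-separated local accounts;
# the first is the default mapping).  Returns 0 for a malformed line.
GRIDMAP_AWK='
function parse(line,    q) {
    sub(/^[[:space:]]*"/, "", line)
    q = index(line, "\"")
    if (q == 0) return 0
    SUBJ = substr(line, 1, q - 1)
    ACCTS = substr(line, q + 1)
    sub(/^[[:space:]]+/, "", ACCTS)
    sub(/[[:space:]].*$/, "", ACCTS)
    return 1
}'

# gridmap_lookup DN MAPFILE: print the account list for an exact DN match,
# exit 1 if the DN is not mapped (a prefix match is deliberately not enough).
gridmap_lookup() {
    awk -v dn="$1" "$GRIDMAP_AWK"'
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        parse($0) && SUBJ == dn { print ACCTS; found = 1; exit }
        END { exit !found }' "$2"
}

# gridmap_remove DN MAPFILE: drop the DN so its holder is refused at this
# resource from now on, without waiting for the CA to publish a CRL.
# Comments and malformed lines are left untouched.
gridmap_remove() {
    awk -v dn="$1" "$GRIDMAP_AWK"'
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        !(parse($0) && SUBJ == dn) { print }' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# make_demo_gridmap FILE: constructed sample mapfile (no real users).
make_demo_gridmap() {
    cat > "$1" <<'EOF'
# subject DN                                   local account(s)
"/O=Grid/OU=Example/CN=Jane Doe" jdoe
"/O=Grid/OU=Example/CN=John Q. Public" jpublic,guest
"/O=Grid/OU=Example/CN=Ops Robot" ops
EOF
}
```

Usage: `gridmap_remove "/O=Grid/OU=Example/CN=Jane Doe" /etc/grid-security/grid-mapfile` locks one user out of this host at once; `install_crl new.r0 /etc/grid-security/certificates` is the step a cron job should run for each CA, and it refuses a list the CA did not sign. Note that awk's -v processes backslash escapes, so a DN containing backslashes would need extra quoting.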

What is Certificate Delegation?

Globus has implemented Certificate Delegation, which allows a process, such as the Globus gatekeeper, to act on behalf of the client. The implementation is based on SSL and allows a client to delegate a proxy certificate to the gatekeeper server: the server generates a new key pair and sends a certificate request over the authenticated SSL connection, and the client signs it with its own (proxy) private key. That key therefore never leaves the client, and the delegated proxy carries its own, limited, lifetime.

How can Kerberos be integrated with certificate based authentication?

PKINIT, which can obtain a Kerberos TGT using a certificate, is being worked on in the IETF, and the final solution will be implemented in the reference version of MIT Kerberos. This is expected to take about a year. W2000 has implemented an early version of this work. Pending availability of the final standard, Globus has implemented extensions to an MIT Kerberos KDC, called SSLCD-SSLK5. These allow a client to connect to a gatekeeper with a delegated proxy certificate and then use Globus services on that system which are configured to use Kerberos v5. This can avoid the need for separate Globus processes where Kerberos processes are already available.

The reverse capability, generating a Globus proxy certificate from a Kerberos v5 TGT, is provided by the Globus K5cert software. The source code needs to be linked with the MIT Kerberos libraries but does not require extensions to the KDC. This can provide single sign-on (SSO) across a Kerberos v5 and Globus environment, provided the CA that issues the proxy certificate is trusted by the other Globus sites.

On the topic of interoperability between W2000 and MIT Kerberos: it should be possible for W2000 clients to authenticate to MIT Kerberos, acquire a TGT and then a service ticket for Active Directory that carries the SID authorization data W2000 requires.

What new features are planned for GSI (Grid Security Infrastructure)?

An X.509 certificate repository is planned to overcome the problem of travelling users who may not have their certificates locally available, for example at conferences, cybercafes, or other remote sites. Code for this, called myproxy, is nearing completion. Clients can deposit proxy certificates in the repository for a pre-specified time period. The certificate (and private key) can then be retrieved via an SSL portal. The myproxy code is being developed by the portal group of the Globus team.

In addition, the idea of restricted delegation is being developed. It is expected that people will have many certificates, used for different tasks or at different sites. Depending on the activity, a user can delegate an appropriate certificate to a server. This combines well with certificate repositories: while travelling you may want only a restricted set of capabilities, for example e-mail, to be available, leaving your other certificates safely at home.

How do I get a certificate for use with the Globus Toolkit?

Please follow the directions on the Acquiring Certificates for Use with the GSI webpage.