

Use of short-lived certificates in portal-based Grids

Powerful Grid environments for different communities were developed and implemented in the previous projects of the D-Grid Initiative. In order to bring more users into the Grid, however, the entry threshold must be as low as possible. One aspect of this is a security infrastructure that is also attractive to groups of users who have only limited experience with the use of personal certificates.

The Gap Project is rising to this challenge and will develop solutions that facilitate access to the Grid for users with limited technical expertise. Building on the experiences of the participating community Grids C3Grid, MediGRID and TextGrid, solutions will be developed that both respond to the specific requirements of the users, and that are at the same time generic enough to be used by other communities as well.

Correspondingly, the following use cases have been chosen for development:

Use Case A:
Users without a personal certificate, who use a Short-Lived Credential Service (SLCS)

After logging into the portal, the user is authenticated within the DFN-AAI federation by means of Shibboleth against their home identity provider; on the strength of that authentication the SLCS issues a short-lived certificate, which is then used for Grid access. To allow resource providers to fine-tune authorisation, SAML (Security Assertion Markup Language) assertions will be used, which will also carry VO (Virtual Organisation) management information.

Use Case B:
Users with personal certificates

The authentication process will be simplified for those users with a personal certificate who generally do not access a Grid computer directly, but rather authenticate via a portal or through web-based software. In addition to EUGridPMA-conformant certificates, other types of certificate will be considered (e.g. medical profession certificates from the health system or certificates from industry). These users should be able to use such certificates in the Grid if the issuing certification authority (CA) operates at a sufficiently high security level and the resource provider in question accepts certificates of this sort.
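As an added illustration of Use Cases A and B (example code written for this page, not software of the GapSLC project or of D-Grid): a Go program in which one party plays the SLCS, issuing a short-lived X.509 certificate once the Shibboleth authentication step is taken to have succeeded, and another plays the resource provider, deciding whether to accept a presented certificate. The Shibboleth/SAML exchange itself is not modelled. The CA names, the 1,000,000-second lifetime bound for short-lived credentials and the trust policy are assumptions made for this example; a real resource provider applies the bound from whatever profile it has agreed to accept.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// maxSLCSLifetime is an ASSUMED upper bound on the lifetime of a short-lived
// credential (1,000,000 s, roughly 11.5 days). Illustrative only; use the value
// from the profile the resource provider actually accepts.
const maxSLCSLifetime = 1_000_000 * time.Second

// newCA creates a self-signed CA certificate with the given common name.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueUserCert issues an end-entity certificate for subject, valid for lifetime,
// signed by ca. Called with a short lifetime it stands for the SLCS (Use Case A);
// with a long lifetime it stands for a conventional personal certificate (Use Case B).
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    now.Add(-time.Minute), // small skew allowance
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ResourceProvider models a Grid resource provider's trust policy: the set of
// accepted CAs, and for CAs flagged as SLCS issuers, a cap on certificate lifetime.
type ResourceProvider struct {
	Trusted *x509.CertPool
	SLCS    map[string]bool // issuer CN -> true if this CA is only trusted for short-lived certs
}

// Accept returns nil if cert chains to an accepted CA, is valid at time now,
// and (for SLCS issuers) does not exceed the short-lived bound.
func (rp *ResourceProvider) Accept(cert *x509.Certificate, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       rp.Trusted,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("issuer not accepted or certificate invalid: %w", err)
	}
	if rp.SLCS[cert.Issuer.CommonName] {
		if lifetime := cert.NotAfter.Sub(cert.NotBefore); lifetime > maxSLCSLifetime {
			return errors.New("certificate from SLCS issuer exceeds short-lived bound")
		}
	}
	return nil
}

func main() {
	// Assumed CA name for the example; not a real D-Grid CA.
	ca, key, _ := newCA("Example SLCS CA")
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	rp := &ResourceProvider{Trusted: pool, SLCS: map[string]bool{"Example SLCS CA": true}}
	cert, _ := issueUserCert(ca, key, "portal-user", 12*time.Hour)
	fmt.Println("accept 12h SLCS cert:", rp.Accept(cert, time.Now()))
}
```

The point the code makes is that a short-lived credential shifts the resource provider's check from revocation status to lifetime: the provider verifies the chain to a CA it has chosen to accept, and for an SLCS issuer additionally refuses anything whose validity window is longer than the profile allows.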

Use Case C:
Users who want to use certain applications in the Grid on an ad-hoc and quasi-anonymous basis

Individual authentication of users is not necessarily required or desirable for certain application scenarios in the Grid. Examples include access to validated climate data for the interested public, some applications drawn from bioinformatics, and access to published texts. These applications have the potential to bring further groups of users to the Grid. For this reason, a procedure that addresses in particular the organisational and legal concerns of such access is being developed for these cases.

The requirements of C3-Grid, MediGRID / Services@MediGRID, TextGrid, PartnerGrid, DGI and BIS-Grid have been incorporated in project planning. The Gap-SLC project, however, is open for cooperation with other projects and will host a workshop after the project has begun in order to gather information about the needs of other communities.