HTCondor Project List Archives



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-devel] Has Condor considered NSS?



A restricted certificate is created, but not transferred.

Normally with Globus, it works like this:

1) User runs grid-proxy-init. A new certificate/key is created, and signed by your regular key. It usually expires more quickly (12 hours is the default), though users can control this. It is not protected by a password (so you don't have to type your password for every job submission and data transfer), but only by local Unix file permissions. Generally it's stored in /tmp (which shouldn't be a shared file system) with 600 permissions.

2) When you run your job, a new proxy certificate is delegated:

   - At the remote site, a new private key is created
   - At the remote site, a certificate request is created
   - The certificate request is sent back to the submitting side
   - A public certificate is created and signed by the proxy
     certificate.
   - This public certificate (no secrets!) is sent to the remote side
   - Again, this certificate/key has no password but is protected by
     Unix permissions.

So there are no secrets transferred.

If someone can access your proxy certificate files (root, an attacker) they can act as you until the proxy certificate expires. This is why the time is limited.

-alain

At 10:55 AM 8/22/2007 -0500, Matthew Farrellee wrote:
Will you explain the difference to me? I thought delegation means that a restricted certificate is created for the user (restricted in its expiration time), but that delegated certificate still has private bits. The delegated certificate (proxy cert?) is actually transferred via the X509_USER_PROXY attribute in job ads.


matt

Alain Roy wrote:
No, it's delegated, not transferred.
-alain
At 09:57 AM 8/22/2007 -0500, Matthew Farrellee wrote:
Unless I'm mistaken in situations like Condor-C/Condor-G a user's
certificate, or proxy certificate, will actually be transferred (it
contains private bits) between machines. I honestly hope I'm mistaken.


matt

Ian Alderman wrote:
> I'm not sure what you mean by passing certificates around: do you mean
> passing keys around?  I don't think Condor does that any more.
>
> I think Condor only uses certificates if the SSL or GSI authentication
> methods are employed.
>
> -Ian
>
> On Wed, Aug 22, 2007 at 08:22:26AM -0500, Matthew Farrellee wrote:
>> https://www.redhat.com/archives/fedora-devel-list/2007-August/msg01594.html
>>
>> I can think of a few reasons why Condor might not be able to get FIPS
>> 140-2 certification, such as passing certificates around between
>> machines. Can anyone think of others or clarify how extensively
>> certificates are needed directly by Condor?
>>
>> Best,
>>
>>
>> matt
>> _______________________________________________
>> Condor-devel mailing list
>> Condor-devel@xxxxxxxxxxx
>> https://lists.cs.wisc.edu/mailman/listinfo/condor-devel
_______________________________________________
Condor-devel mailing list
Condor-devel@xxxxxxxxxxx
https://lists.cs.wisc.edu/mailman/listinfo/condor-devel