
Duane Merrill wrote:
> Yes, your certificate authority could sign ACs into PKCs.
>
> This would be a reasonable strategy if, for example, your middleware had statically-assigned identities (and statically-associated attributes) and you wanted to call into resources operated by an (idealized) middleware that looks for VOMS-style proxy-certs. (Because the callee middleware knows how to process PC chains with embedded ACs, it also knows how to process your vanilla PKCs with embedded ACs.)
That's correct, but unfortunately the situation is a bit more complex. Certification Authorities release certificates without any VO membership attributes (at least, the INFN CA does not embed VO information). Furthermore, users can join (and leave) VOs at any time.

Joining a VO is actually quite simple: usually each VO maintains a web page, where you authenticate with your X509 certificate. You fill in a form, and your request for membership is approved by the VO manager. Then the VOMS server(s) are instructed to add the new VO membership information when you request a VOMS proxy with the voms-proxy-init command.

This currently works quite well for gLite, and allows VO administrators to grant and revoke VO membership information without requiring users to ask for a new X509 certificate. This also allows Certification Authorities to be completely VO-agnostic (if a new VO is created, you don't need to tell the CAs to release attributes for the new VO as well).

Moreno.

--
Moreno Marzolla
INFN Sezione di Padova, via Marzolo 8, 35131 PADOVA, Italy
EMail: moreno.marzolla@pd.infn.it
Phone: +39 049 8277047
WWW : http://www.dsi.unive.it/~marzolla
Fax : +39 049 8756233
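The decoupling Moreno describes (a VO-agnostic CA, a VOMS server that owns membership, and short-lived attributes attached at voms-proxy-init time) as an added toy model; this is illustrative code written for this thread, not VOMS or gLite code, and the constructed key, DN and VO name are assumptions. Real VOMS embeds an X.509 Attribute Certificate signed with the VOMS server's key; an HMAC over the fields stands in for that signature here.

```python
"""Toy model of the VOMS membership flow (constructed example, not VOMS code)."""
import hmac, hashlib, json, time

class CA:
    """VO-agnostic CA: binds a name to a subject and nothing else."""
    def issue(self, subject):
        return {"subject": subject}            # no VO attributes embedded

class VOMSServer:
    """Owns the membership table; issues and verifies attribute assertions."""
    def __init__(self, vo, key, lifetime=12 * 3600):
        self.vo, self.key, self.lifetime = vo, key, lifetime
        self.members = set()                   # edited by the VO manager, not the CA
    def approve(self, subject): self.members.add(subject)
    def revoke(self, subject):  self.members.discard(subject)
    def _mac(self, body):                      # stand-in for the VOMS signature
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
    def issue_ac(self, cert, now):
        """voms-proxy-init: a time-limited assertion, only for current members."""
        if cert["subject"] not in self.members:
            return None
        body = json.dumps({"subject": cert["subject"], "vo": self.vo,
                           "nb": now, "na": now + self.lifetime}, sort_keys=True)
        return {"body": body, "mac": self._mac(body)}
    def verify_ac(self, cert, ac, now):
        """Relying-party check: signature, binding to the holder cert, validity window."""
        if ac is None or not hmac.compare_digest(ac["mac"], self._mac(ac["body"])):
            return False
        f = json.loads(ac["body"])
        return (f["subject"] == cert["subject"] and f["vo"] == self.vo
                and f["nb"] <= now < f["na"])

def demo():
    ca, voms = CA(), VOMSServer("examplevo", b"constructed-voms-key")
    cert = ca.issue("/C=IT/O=INFN/CN=Example User")      # constructed DN
    t0 = time.time()
    before = voms.verify_ac(cert, voms.issue_ac(cert, t0), t0)  # not yet a member
    voms.approve(cert["subject"])              # VO manager approves the web request
    ac = voms.issue_ac(cert, t0)
    joined = voms.verify_ac(cert, ac, t0)
    expired = voms.verify_ac(cert, ac, t0 + 13 * 3600)  # proxy outlived the AC
    voms.revoke(cert["subject"])               # membership removed, same X509 cert
    after = voms.issue_ac(cert, t0) is None    # next proxy carries no VO attributes
    return before, joined, expired, after      # -> (False, True, False, True)
```

The identity certificate never changes across join, expiry and revocation; only what the VOMS server is willing to attach to the proxy does, which is why the CA stays VO-agnostic.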