Tuesday, June 11, 2013

Introduction to the CILogon Basic CA

CILogon Basic CA is a service that allows students at universities with existing single sign-on systems to use their campus credentials to instantly get a certificate issued by the CILogon Basic CA. The certificate is issued only if the campus single sign-on system verifies the user's credentials.

If you manage an OSG VO and your university is already on the list of sites on the CILogon Basic CA web page, http://cilogon.org/osg, then your VO members can get CILogon Basic CA certificates now. Note that in addition to getting a certificate, each member will also have to register it with your VO's VOMS service. This provides an additional security check on all certificate registrations.

If you run an OSG site, note that the OSG Security Team is looking for sites willing to accept CILogon Basic CA certificates from users for access to site resources. In most cases this involves just installing the cilogon-ca-certs RPM.

The downside to the CILogon Basic CA for some people is that there is one provider, protect.net, which will let anyone with a valid email address request an account.

This is not a problem for grid services, since in addition to a valid certificate, a grid user needs a DN mapping entry in their VO's VOMS server or in the gridmap files before they can access any grid resources. If, however, other services such as web pages are restricted only to "any valid client certificate", then you may want to revisit those permissions once the CILogon Basic CA certificates are installed, as the holders of valid certificates will more than likely include more than just research-related individuals.
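
The difference between the two policies described above, as an added example (not code from the original post or from OSG). It parses grid-mapfile style entries and compares "any valid client certificate" with "valid certificate plus DN mapping"; the issuer string, subject DNs, account names and the `make_cert` helper are constructed for illustration, and certificate chain verification is assumed to have been done already by the TLS layer.

```python
import shlex

# Constructed sample data: the issuer string, subject DNs and account names
# are illustrative, not taken from a real site.
TRUSTED_ISSUERS = {"/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1"}

GRIDMAP_TEXT = '''
# "subject DN" local_account[,local_account...]
"/DC=org/DC=cilogon/C=US/O=Example University/CN=Alice Researcher A1001" alice
"/DC=org/DC=cilogon/C=US/O=Example University/CN=Bob Student A1002" bob,osgvo
'''

def parse_gridmap(text):
    """Return {subject DN: [local accounts]} from grid-mapfile text."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)  # handles quoted DNs and '#'
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected DN and account")
        dn, accounts = fields
        mapping[dn] = accounts.split(",")
    return mapping

def any_valid_cert(cert):
    """Weak policy: accept whoever holds a certificate from a trusted CA."""
    return cert["chain_ok"] and cert["issuer"] in TRUSTED_ISSUERS

def mapped_account(cert, mapping):
    """Grid-style policy: a valid certificate AND an explicit DN mapping."""
    if not any_valid_cert(cert):
        return None
    accounts = mapping.get(cert["subject"])
    return accounts[0] if accounts else None

def make_cert(subject, issuer=next(iter(TRUSTED_ISSUERS)), chain_ok=True):
    # Hypothetical stand-in for the result of TLS client-certificate verification.
    return {"subject": subject, "issuer": issuer, "chain_ok": chain_ok}

if __name__ == "__main__":
    gridmap = parse_gridmap(GRIDMAP_TEXT)
    alice = make_cert("/DC=org/DC=cilogon/C=US/O=Example University/CN=Alice Researcher A1001")
    stranger = make_cert("/DC=org/DC=cilogon/C=US/O=Open Signup Provider/CN=Some Person A9999")
    for name, cert in (("alice", alice), ("stranger", stranger)):
        print(name, any_valid_cert(cert), mapped_account(cert, gridmap))
```

A certificate holder with no mapping entry passes the first check and fails the second, which is the gap to look for in any service that authorizes on certificate validity alone.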