Difference between revisions of "User Security"
Linopagano (Talk | contribs) (→Acquiring a Digital Certificate) |
Linopagano (Talk | contribs) (→Acquiring a Digital Certificate) |
||
Line 15: | Line 15: | ||
After receiving this ID, the user can compile his personal data for CA. The ID verifies them. Then user's browser will ask him for a password: this password is used for encrypting the private key before saving it locally. | After receiving this ID, the user can compile his personal data for CA. The ID verifies them. Then user's browser will ask him for a password: this password is used for encrypting the private key before saving it locally. | ||
− | The browser | + | The browser generates the couple of private-public key and sends the public key to the CA to be signed. Typically in a day the user receives an email from CA with an URL. |
− | + | To complete the procedure, the user connects with that URL. For this, s/he must use the same browser and the same machine as used to generate the couple private-public key. The browser installs the certificate (i.e. the public key signed by CA), and the user is requested to enter the password to access to the private key. | |
− | At this point the certificate plus | + | At this point the certificate plus the private key are saved and encrypted on the configuration files of the user's web browser. |
This certificate can be exported on your filesystem as backup. | This certificate can be exported on your filesystem as backup. |
Revision as of 18:26, 4 December 2007
Security Basics
Basics of User Security. Digital Certificates, CAs etc. Authorization and Authentication procedures
The DILIGENT Security model uses Public Key Infrastructure (PKI) mechanisms to authenticate identities acting in the infrastructure.
Each authenticated invocation must be performed using valid credentials issued by a trusted Certification Authority (CA).
Acquiring a Digital Certificate
The standard procedure for acquiring a Digital Certificate from the appropriate accredited Certification Authority is based on a certain number of steps.
First of all users has to request a CA certificate and to install it on his browser. CA policy requests that in your institute a Registration Authority (RA) is defined. A Registration Authority is a person responsible to identify user for CA.
Second needed step is requesting a local Registration Authority for a digital certificate. The Registration Authority will start a simple procedure and will give an ID to the user. After receiving this ID, the user can compile his personal data for CA. The ID verifies them. Then user's browser will ask him for a password: this password is used for encrypting the private key before saving it locally.
The browser generates the couple of private-public key and sends the public key to the CA to be signed. Typically in a day the user receives an email from CA with an URL.
To complete the procedure, the user connects with that URL. For this, s/he must use the same browser and the same machine as used to generate the couple private-public key. The browser installs the certificate (i.e. the public key signed by CA), and the user is requested to enter the password to access to the private key. At this point the certificate plus the private key are saved and encrypted on the configuration files of the user's web browser.
This certificate can be exported on your filesystem as backup.
Accessing a Community Portal
DILIGENT infrastructure is able to provide credentials to user without a personal certificate. These credentials are generated in a transparently way for the user through the DILIGENT Portal.
In particular DILIGENT portal login phase is subdivided in two main steps:
- Insert User Name and Password
- Specify the "Digital Library to Load".
This second choice will affect the available credentials for the user during the session.
In fact choosing a Digital Library, the user inherits all the privileges he has in terms of group membership and roles in DILIGENT VOMS.