The ultimate goal of the GTS is to provide a framework for provisioning trusted certificate authorities to both clients and services in a Web/Grid service environments. This removes the complexity of distributing trusted ceritficate authorities and CRLS to client and services, allowing them to confidently know which certificate authorities to trust when deciding whether or not to accept credentials, assertions, and other digitally signed documents. In order to accomplish this the GTS must maintain a list of certificate authorities that are trusted, we refer to these certificate authorities as Trusted Certificate Authorities. For each certificate authority the GTS maintains the following information:
Certificate - The Certificate Authority's certificate which correspond to the private key that the certificate authority uses for signing certificates. The certificate is needed for validating the signatures of the certificate authority.
Certificate Revocation List (CRL) - A list of certificates issued by the certificate authority that have been revoked. Traditionally distributing CRLS has been a challenging problem, especially in Web/Grid service environments. The GTS solves this problem by maintaining and distributing CRLS for certificate authorities.
Levels of Assurance - Each certificate authority can be assigned many Level(s) of Assurance. A Level of Assurance specifies a level of confidence in a given certificate authority. For example the federal e-authentication guidelines specify four levels of assurance, if adopting these guidelines, certificate authorities can be associated with the levels of assurance that they comply to. When provisioning certificate authorities, the GTS will only provision certificate authorities that meet the level of assurance requirements for a given client or service.
Status - Specifies the current status of the certificate authority. A certificate authority can either have a status of Trusted or Suspended. The status allows GTS administrators to temporarily suspend a certificate authority without having to remove it. This is useful in being able to isolate certificate authorities while investigating security breaches.
Federation Metadata - For redundancy, scalability, and extensibility reasons GTS(s) can be grouped together to form a federated trust fabric. The GTS maintains federation metadata for each certificate authority. This information includes which GTS is the authority for the certificate authority and which GTS was the source of the certificate authority.
The GTS provides a tool called SyncGTS which enables clients and services to sync their local trust store with the certificate authorities trusted by the GTS. SyncGTS allows clients and services to specify criteria (levels of assurance etc.) which will limit which certificate authorities are included in their local trust store.
Managing Certificate Authorities
The GAARDS UI allows GTS administrators to search for certificate authorities trusted by the GTS. The GTS supports searching for certificate authorities using the following search criteria:
Search Criteria
Description
Trusted Authority Name
The distinguished name or subject of the certificate authority.
Level of Assurance
Certificate authorities that are associated with the level of assurance selected.
Status
The Status of the certificate authority, Trusted or Suspended.
Lifetime
Whether (Valid) or not (Expired) the certificate authority entry in the GTS is still valid.
Is Authority
Whether (true) or not (false) the GTS selected is the authority of the certifcate authority.
Authority GTS
Certificate authorities whose authority is the selected GTS.
Source GTS
Certificate authorities whose source is the selected GTS.
To search for ceritifcate authorities trusted by the GTS or that are part of the trust fabric, please complete the following directions:
From the Trust Fabric menu, select Certificate Authorities, this will launch the Certificate Authorities Window.
From the Service drop down select the GTS you wish to search.
Enter the desired search criteria.
Click the Search button.
After the search has completed, the certificate authorities meeting your search criteria will be listed in the table below the Search button. You can view the details of an individual certificate authority by selecting the certificate authority you wish to view and by clicking the View button. This will launch Trusted Authority Window for the certificate authority you requested. The details for the certificate authority are provided in four tabs: (1) Properties, (2) Level of Assurance, (3) Certificate, (4) Certificate Revocation List. Below we will describe the details contained in each tab.
Certificate Authorities
Properties
The Properties tab contains the information shown in the table below:
Property
Description
Trusted Authority Name
The distinguished name or subject of the certificate authority.
Status
The Status of the certificate authority, Trusted or Suspended.
Authority GTS
The GTS that is the authority for this certificate authority.
Source GTS
The GTS that is the source for this certificate authority.
Expires
Specifies when the record for this certificate authority expires. Certificate authorities that are inherited from Authority GTS(s) expire unless they are renewed by the Authority GTS. See trust federation for more information.
Last Updated
The date this certificate authority record was last updated.
The Status property is the only property in the above table that can be updated by GTS administrators. To update the status, select the desired status and click the Update button.
A certificate authority can only be updated if the GTS is its authority.
Levels of Assurance
The Level of Assurance tab lists all the level(s) of assurance registered with the GTS. Each level of assurance contains a check box, if checked the CA is that level of assurance. The Level(s) of assurance for a certificate authority can be updated by selecting or deselecting individual level(s) of assurance and by clicking the Update button.
A certificate authority can only be updated if the GTS is its authority.
Certificate
The Certificate tab contains the certificate authority's certificate. This certificate corresponds to the private key that the certificate authority uses for signing certificates that is issues.
Certificate Revocation List
The Certificate Revocations List tab contains the certificate authority's CRL which contains the list off all certificates issued by the certificate authority that have been revoked. The CRL is distributed to clients and services with the certificate authority's certificate, both are used for authenticating clients. The GTS allows GTS administrators and parties granted special access (seeAccess Control ) to publish the CRL for a certificate authority. The CRL can be published through the GTS's grid service interface, certificate authorities such as Dorian take advantage of this. In addition a certificate authority's CRL can be published using the GAARDS UI. This can be done by as follows:
Click the Import CRL button, this will lauch a file browser window.
Browse to the CRL for the certificate authority, select it, and click the Open button. This will load the CRL into the Certificate Revocations List tab.
Click the Update button.
A certificate authority can only be updated if the GTS is its authority.
CA Properties
CA Levels of Assurance
CA Certificate
CA CRL
Add Certificate Authority
The GAARDS UI provides a method of adding certificate authorities to the GTS as trusted certificate authorities. To add a certificate authority to the GTS you will need to provide the CA's certificate. The CA's certificate is required for authentication and verifying the CA's signature. In addition you need to select which Level(s) of Assurance the CA complies with. To add a certificate authority to the GTS using the GAARDS UI, please complete the following steps:
From the Trust Fabric menu, select Certificate Authorities, this will launch the Certificate Authorities Window.
From the Service drop down select the GTS you wish to add a certificate authority to.
Click the Add button, this will launch Add Certificate Authority Window.
Select the Certifcate tab.
Click the Import Certificate button, this will launch a file browser.
Browse to the CA certificate for the certificate authority you are adding, and click the Open button. This will load the certificate into the UI.
Select the Level of Assurance tab.
Select the Level(s) of Assurance that the certificate authority complies with.
Click the Add button, this will add the certificate authority to the GTS as a trusted certificate authority.
Add Certificate Authority
Removing a Certificate Authority
The GAARDS UI enables GTS administrators to remove trusted certificate authorities. A certificate authority can only be removed if the GTS is the authority for it. Once a certificate authority is removed it will no longer be federated to other GTS(s). In addition it will be removed from the trust stores of clients and service next time they sync. To remove a certificate authority from the GTS please complete the following steps:
Administration
specify four levels of assurance, if adopting these guidelines, certificate authorities can be associated with the levels of assurance that they comply to. When provisioning certificate authorities, the GTS will only provision certificate authorities that meet the level of assurance requirements for a given client or service.
