Signing Policy

From Globus

Purpose

The purpose of this document is to outline the signing policy support in the Globus Toolkit.

BNF Grammar

eacl ::= {eacl_entry}
eacl_entry ::= {access_identity} pos_rights {restriction}
               {pos_rights {restriction}} | {access_identity} neg_rights
access_identity ::= access_identity_type def_authority value \n
access_identity_type ::= "access_id_HOST" |
                         "access_id_USER" |
                         "access_id_GROUP" |
                         "access_id_CA" |
                         "access_id_APPLICATION" |
                         "access_id_ANYBODY"
pos_rights ::= "pos_rights" def_authority value
               {"pos_rights" def_authority value}
neg_rights ::= "neg_rights" def_authority value
               {"neg_rights" def_authority value}
restriction ::= condition_type def_authority value \n
condition_type ::= alphanumeric_string
def_authority ::= alphanumeric_string
value ::= alphanumeric_string

CoG JGlobus Support

Subset of policy enforced

  • Signing policy that is processed
    • access_id_CA with X509 as the defining authority and the CA's DN as the value.
    • Any positive rights following it with globus as the defining authority and CA:sign as the value.
    • Restriction cond_subjects with globus as the defining authority and, as the value, the subject DNs the CA is authorized to sign.
    • Subject names may include the following wildcard characters:
      • Asterisk (*): matches zero or more characters.
      • Question mark (?): matches exactly one character.
  • General policy grammar
    • Restrictions are assumed to start with cond_.
    • Order of rights matters: the first occurrence of CA:Sign with allowed DNs is used and the rest of the policy is ignored.

Signing policy file processing

  • For a given signing policy file, only the policy entry for the particular CA's DN is parsed.
  • By default, signing policy files are loaded from the trusted certificates directory and are expected to have the suffix ".signing_policy".
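The following is an added example, not code from the Globus Toolkit or CoG JGlobus, showing how the subset of the grammar described above can be enforced: it locates the access_id_CA entry for one CA, takes the first pos_rights globus CA:sign that is followed by a cond_subjects restriction, and matches candidate subject DNs against those patterns with * and ? wildcards. The policy text, the CA names and the subject DNs are constructed for the example; the single-quoted values and the double-quoted DN list inside cond_subjects follow the layout of real .signing_policy files, and the example assumes that DN comparison is an exact, case-sensitive string match and that a CA with no matching entry is denied (consistent with signing policy being required in GT 4.2).

```python
import re
import shlex

# Constructed sample policy file; the CAs and DNs are not real.
# The second CA:sign/cond_subjects pair under the first CA is deliberately
# broader ("/*") to show that only the first occurrence is honoured.
SAMPLE_POLICY = """
# constructed example .signing_policy content
access_id_CA      X509         '/C=US/O=Example Grid/CN=Example Grid CA'
pos_rights        globus        CA:sign
cond_subjects     globus       '"/C=US/O=Example Grid/*"  "/C=US/O=Partner/OU=HPC/CN=?????"'
pos_rights        globus        CA:sign
cond_subjects     globus       '"/*"'

access_id_CA      X509         '/C=US/O=Other/CN=Other CA'
pos_rights        globus        CA:sign
cond_subjects     globus       '"/C=US/O=Other/*"'
"""

EXAMPLE_CA = "/C=US/O=Example Grid/CN=Example Grid CA"  # constructed
OTHER_CA = "/C=US/O=Other/CN=Other CA"                   # constructed


def _wildcard_regex(pattern):
    """Translate a cond_subjects pattern into a regex: '*' matches zero or
    more characters, '?' matches exactly one; everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def dn_matches(pattern, subject_dn):
    """True if the whole subject DN matches the wildcard pattern."""
    return _wildcard_regex(pattern).fullmatch(subject_dn) is not None


def allowed_subjects(policy_text, ca_dn):
    """Return the subject-DN patterns the given CA may sign, or [] if the
    policy grants it no CA:sign right. Only the entry whose access_id_CA
    value equals ca_dn is considered, and the first CA:sign followed by a
    cond_subjects restriction wins; later rights for that CA are ignored."""
    in_ca_entry = False    # inside the access_id_CA block for ca_dn
    has_sign_right = False  # saw 'pos_rights globus CA:sign' in that block
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # handles the single-quoted values
        except ValueError:
            continue  # unbalanced quotes: skip the malformed line
        if len(fields) != 3:
            continue  # every grammar line is: type def_authority value
        kind, authority, value = fields
        if kind.startswith("access_id_"):
            # A new entry starts; it is ours only for access_id_CA / X509 / ca_dn.
            in_ca_entry = (kind == "access_id_CA" and authority == "X509"
                           and value == ca_dn)
            has_sign_right = False
            continue
        if not in_ca_entry:
            continue
        if kind == "pos_rights" and authority == "globus" and value == "CA:sign":
            has_sign_right = True
        elif kind.startswith("cond_"):
            # Restrictions start with cond_; only cond_subjects is enforced here.
            if kind == "cond_subjects" and authority == "globus" and has_sign_right:
                return shlex.split(value)  # inner double-quoted DN patterns
    return []


def ca_may_sign(policy_text, ca_dn, subject_dn):
    """Decision used when validating a certificate chain: may ca_dn have
    issued a certificate for subject_dn under this policy?"""
    return any(dn_matches(p, subject_dn)
               for p in allowed_subjects(policy_text, ca_dn))


if __name__ == "__main__":
    for ca, subj in [(EXAMPLE_CA, "/C=US/O=Example Grid/CN=alice"),
                     (EXAMPLE_CA, "/C=US/O=Other/CN=bob"),
                     (OTHER_CA, "/C=US/O=Other/CN=bob")]:
        print(f"{ca} -> {subj}: {'allowed' if ca_may_sign(SAMPLE_POLICY, ca, subj) else 'denied'}")
```

The check that matters in practice is the cross-CA case: even though "/C=US/O=Other/CN=bob" is a perfectly valid subject for Other CA, a certificate with that subject issued by Example Grid CA is rejected, and the broader "/*" pattern later in Example Grid CA's entry never comes into play because only the first CA:sign restriction is used.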

Policy Enforcement

  • In GT 4.0.x, signing policy is not enforced by default; a property is provided to enable it.
  • In trunk and GT 4.2, signing policy is required and enforced.