Using OGRO and CertiVeR to Improve OCSP Validation for Grids

  • Jesus Luna
  • Manel Medina
  • Oscar Manso
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3947)


Authentication and authorization in many distributed systems rely on the use of cryptographic credentials that in most of the cases have a defined lifetime. This feature mandates the use of mechanisms able to determine whether a particular credential can be trusted at a given moment. This process is commonly named validation. Among available validation mechanisms, the Online Certificate Status Protocol (OCSP) stands out due to its ability to carry near real time certificate status information. Despite its importance for security, OCSP faces considerable challenges in the computational Grid (i.e. Proxy Certificate’s validation) that are being studied at the Global Grid Forum’s CA Operations Work Group (CAOPS-WG). As members of this group, we have implemented an OCSP validation infrastructure for the Globus Toolkit 4, composed of the CertiVeR Validation Service and our Open GRid Ocsp (OGRO) client library, which introduced the Grid Validation Policy. This paper summarizes our experiences on that work and the results obtained up to now. Furthermore we introduce the pre-validation concept, a mechanism analogous to the Authorization Push-Model, capable of improving OCSP validation performance in Grids. This paper also reports the results obtained with OGRO’s pre-validation rules for Grid Services as a proof of concept.


Grid Service Open GRid Globus Toolkit Proxy Certificate Online Certificate Status Protocol 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Housley, R., et al.: RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (April 2002)Google Scholar
  2. 2.
    Myers, M., et al.: RFC 2560: X.509 Internet Public Key Infrastructure, Online Certificate Status Protocol – OCSP (June 1999)Google Scholar
  3. 3.
    The Globus Toolkit 4,
  4. 4.
    Tuecke, S., et al.: RFC 3820: Internet X.509 Public Key Infrastructure (PKI), Proxy Certificate Profile (June 2004)Google Scholar
  5. 5.
    OCSP Requirements for Grids. Global Grid Forum, CA Operations Work Group. Working Document (May 2005),
  6. 6.
    CertiVeR: Certificate Revocation and Validation Service,
  7. 7.
    Luna, J., Manso, O., Medina, M.: Towards a unified authentication and authorization infrastructure for grid services: Implementing an enhanced OCSP service provider into GT4. In: Chadwick, D., Zhao, G. (eds.) EuroPKI 2005. LNCS, vol. 3545, pp. 36–54. Springer, Heidelberg (2005), CrossRefGoogle Scholar
  8. 8.
    OGRO - The Open GRid Ocsp client API,
  9. 9.
    von Laszewski, G., Foster, I., Gawor, J., Lane, P.: A Java Commodity Grid Kit. Concurrency and Computation: Practice and Experience 13(8-9), 643–662 (2001), CrossRefzbMATHGoogle Scholar
  10. 10.
    Vollbrecht, J., et al.: RFC 2904: AAA Authorization Framework (August 2000)Google Scholar
  11. 11.
    Pearlman, L., et al.: A Community Authorization Service for Group Collaboration. In: IEEE 3rd International Workshop on Policies for Distributed Systems and Networks (2002)Google Scholar
  12. 12.
    Alfieri, R., et al.: VOMS, an Authorization System for Virtual Organizations. Presented at the 1st European Across Grids Conference, Santiago de Compostela, Spain (February 2003),
  13. 13.
    Lorch, M., Kafura, D.: The PRIMA Grid Authorization System. Journal of Grid Computing 2, 279–298 (2004)CrossRefzbMATHGoogle Scholar
  14. 14.
    The OpenSSL software,
  15. 15.
    Welch, V., et al.: An online credential repository for the Grid: MyProxy. In: 10th IEEE International Symposium on High Performance Distributed Computing, San Francisco, CA. IEEE Computer Society Press, Los Alamitos (2001)Google Scholar
  16. 16.
    Data Grid: Security for the RLS,
  17. 17.
    The Openvalidation service,

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Jesus Luna
    • 1
  • Manel Medina
    • 1
  • Oscar Manso
    • 2
  1. 1.Computer Architecture DepartmentPolytechnic University of CataloniaBarcelonaSpain
  2. 2.CertiVeR, Technical DirectorSpain

Personalised recommendations