RCAuth and private keys over the wire

(Baptiste Grenier) #1

@msalle, @andrei asked me about the policy conformity of sending a private key over HTTPS when using rcauth. Is there some documentation about this, confirming that it’s fine sending a private key over HTTPS? I understood that in the past it’s something that was seen as problematic.

(Mischa Salle) #2

Hi @baptiste @andrei, for proxies there isn’t really much policy. For end-entity-cert private keys, see IGTF Private Key protection guidelines. Note that in the case of RCauth, the MasterPortal does a full ‘delegation’ with the RCauth CA (which means no private key over the line), while towards the VO Portals a complete but short-lived proxy is returned without a delegation step, so including the private key. Both are done over HTTPS, where the client is authenticating using its OIDC client credentials (i.e. effectively mutually authenticated).
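As an added illustration (not code from this thread, from RCauth or from MasterPortal), a toy openssl script that models the two hand-overs described above: a delegation step where only a CSR crosses the wire and the key never leaves the requester, and a full short-lived proxy where the bundle sent does contain the private key. The CA, directories and subject names are constructed; plain one-day X.509 certificates stand in for proxies, and the authenticated HTTPS channel is not modelled.

```shell
#!/bin/sh
# Added example: models RCauth-style delegation vs. full-proxy hand-over with
# openssl. Toy CA, paths and names are constructed for illustration only.
set -eu
WORK=$(mktemp -d)
CA=$WORK/ca; MP=$WORK/masterportal; VO=$WORK/voportal
mkdir -p "$CA" "$MP" "$VO"

# Toy online CA standing in for the RCauth CA (self-signed, one-day lifetime).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CA/ca.key" -out "$CA/ca.crt" \
  -subj "/CN=Demo Online CA" -days 1 2>/dev/null

# Delegation (MasterPortal <-> CA): the requester generates and keeps its key;
# only a CSR goes up and only a certificate comes back.
delegation() {
  openssl req -newkey rsa:2048 -nodes -keyout "$MP/user.key" -out "$MP/user.csr" \
    -subj "/CN=demo user" 2>/dev/null
  cp "$MP/user.csr" "$CA/incoming.csr"                  # what crosses the wire
  openssl x509 -req -in "$CA/incoming.csr" -CA "$CA/ca.crt" -CAkey "$CA/ca.key" \
    -CAcreateserial -out "$CA/issued.crt" -days 1 2>/dev/null
  cp "$CA/issued.crt" "$MP/user.crt"                    # what comes back
  # Checks: nothing the CA received contains a private key, the returned cert
  # matches the key that stayed at the requester, and it chains to the CA.
  ! grep -q "PRIVATE KEY" "$CA/incoming.csr"
  [ "$(openssl x509 -in "$MP/user.crt" -pubkey -noout)" = \
    "$(openssl pkey -in "$MP/user.key" -pubout)" ]
  openssl verify -CAfile "$CA/ca.crt" "$MP/user.crt" >/dev/null
}

# Full proxy (MasterPortal -> VO portal): no delegation step, so the bundle that
# crosses the wire includes the private key; what limits the exposure is that
# the proxy is short-lived and travels over an authenticated HTTPS session.
full_proxy() {
  openssl req -newkey rsa:2048 -nodes -keyout "$MP/proxy.key" -out "$MP/proxy.csr" \
    -subj "/CN=demo user/CN=proxy" 2>/dev/null
  openssl x509 -req -in "$MP/proxy.csr" -CA "$MP/user.crt" -CAkey "$MP/user.key" \
    -CAcreateserial -out "$MP/proxy.crt" -days 1 2>/dev/null
  cat "$MP/proxy.crt" "$MP/proxy.key" > "$VO/bundle.pem"  # what crosses the wire
  grep -q "PRIVATE KEY" "$VO/bundle.pem"                   # key is in transit here
  ! openssl x509 -in "$VO/bundle.pem" -noout -checkend 172800  # expires < 2 days
}

delegation && full_proxy && echo "both hand-overs modelled under $WORK"
```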

