Authorization and Authentication in DataONE
===========================================

Authorization vs. Authentication: A Primer
------------------------------------------

The process of confirming whether a user has privileges to access a resource or use a service is called *authorization*. *Authentication,* on the other hand, is the process of determining whether or not a user is who they say they are. Both are required of a security architecture to ensure that the right people have the right access to resources and services.

Authorization is achieved through the association of usernames (Subjects) and permissions with the resources and services being secured. Typically, this is done using access control lists (ACLs). When a request is made, the identity of the user is looked up in the ACL, and the appropriate action is taken based on the user's permissions. DataONE uses the Subjects contained in a resource's SystemMetadata, as well as the Subjects in the Authoritative Member Node's Node document, as the ACL for the resource when making authorization decisions. The latter is used primarily for administrative actions and to secure services.

In authentication, the user provides their username along with other information that gives assurance that they are who they say they are. Typical computer logon accounts are examples of authentication, where the password serves as the information used to assure a user's identity. Username-password systems over the internet need to be a bit more complicated than that, in that even the username and password have to be secured before being sent to the remote server. That is, the user needs to authenticate the remote server and encrypt her confidential information before sending it. X.509 has emerged as the de facto standard for doing this, and is what DataONE uses for authentication.

X.509 Authentication
--------------------

X.509 is a public key infrastructure that provides a way to trust newly encountered entities through a strict chain-of-trust system. It works through a public key infrastructure in which trusted third parties, known as Certificate Authorities (CAs), issue certificates to entities, which those entities can then send to end-users and use for encrypted communication. Through the chain of trust, if the issuing CA (whose identity is contained in the certificate sent to the end-user) is trusted by the end-user, then the end-user trusts the entity sending them the certificate. Major internet browsers come pre-packaged with a set of CA certificates from well-established and reputable CAs. Certificates signed by one of these CAs can be referred to as "commercially-signed" certificates.

For example, VeriSign and Thawte are two well-known CAs. Imagine a bank purchases a certificate from VeriSign to use in online transactions with customers. When customers connect to the bank's web-site, their browser receives the bank's certificate and traces the signing chain, finding VeriSign as the signer. If it finds the VeriSign certificate in its local trusted CA list, then it trusts that the certificate it just received is the bank's, and can authenticate the connection. Otherwise, authentication fails, and the web page is not loaded. (At this point, some browsers tell the user that they don't trust the signer of the certificate, and ask the user whether they should, by adding the signer to their list of trusted CAs.)

Self-signed Certificates
------------------------

It's possible for organizations to create their own signing authority and use that instead. These types of certificates are generally only useful for situations where trust can be established in other ways - in other words, where the client and the server know each other. Prime examples of this are certificates used by corporations for internal applications, where system administrators can install the certificate on behalf of users. DataONE uses this type of certificate to authenticate requests between Nodes in its network.

DataONE Authentication
----------------------

In the above example, the end-user provides a username and password to authenticate themselves, while the web-server authenticates itself to the end-user using a certificate. This approach doesn't work in the distributed DataONE environment, where servers communicate with other servers as well as end-users. Instead, DataONE relies on both end-users and servers (the MNs and CNs) to use these X.509 certificates to authenticate themselves, and relies on CILogon to provide certificates to end-users.

The use of CILogon has two main advantages for end-users. First, they can use existing accounts to obtain certificates, so they don't need to create and remember another username and password combination. Second, once they have downloaded the certificate, it will secure connections with all DataONE nodes throughout the day, and can be used by multiple DataONE applications. This technique is known as single sign-on.

CILogon certificates issued for DataONE also have a third feature: they include additional DataONE Subjects mapped to the certificate's Subject through DataONE's identity management service, the DataONE Portal. In a nutshell, a DataONE identity is the set of user accounts and groups that a person maintains.

For more information on CILogon see their FAQ_.

The DataONE landing page for CILogon is here_.

.. _FAQ: http://www.cilogon.org/faq
.. _here: https://cilogon.org/?skin=DataONE

Member Node Certificates
------------------------

Member Nodes cannot use CILogon certificates to make calls to other DataONE nodes (as they are short-lived); rather, they use long-lived X.509 certificates issued by DataONE when they register their node with the DataONE network. Note that this DataONE-signed certificate is only used for initiating requests, and is not used when responding to requests. In other words, it is used only when the Member Node is acting as a client making requests. In this situation, the connection manager it uses for the request will receive a commercially-signed certificate from the other DataONE Node during the request handshake, and so no special trust needs to be set up.

Note that the behavior of the "other DataONE Node" above is the same behavior the Member Node needs when responding to DataONE service API requests. This certificate is known as the Member Node's *server* certificate.

In short, Member Nodes (and Coordinating Nodes) act both as a client and as a server. In its client role, the Member Node uses its DataONE-issued and DataONE-signed certificate, and needs to trust only commercially-signed certificates. In its server role, it needs to accept CILogon-issued, commercially-signed certificates as well as DataONE-signed certificates from requesters, and respond with a commercially-signed certificate of its own.

Trust Relationships
-------------------

Below illustrates the certificates used for making requests...

==================  ====================  ==========================
Client / Requester  requests using        request cert. type
==================  ====================  ==========================
End-user            CILogon-signed cert.  short-lived, commercial
Coordinating Node   DataONE-signed cert.  long-lived, non-commercial
Member Node         DataONE-signed cert.  long-lived, non-commercial
==================  ====================  ==========================

... and the certificates given in response.

=================  ========================
Server             responds with
=================  ========================
Coordinating Node  commercially-signed cert
Member Node        commercially-signed cert
=================  ========================

Regarding Commercially-Signed Certificates
------------------------------------------

Client applications use client connection managers to set up the SSL connection that will exchange certificates, and most connection managers come configured with mostly the same set of trusted CAs. However, the overlap is not complete, so Member Nodes should take extra care to test that their server certificate is widely trusted by all major browsers, (Java) JVMs, and OS-specific trust-stores, so that their data is as widely accessible as possible.
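The authorization decision described in the primer above, with the requester's Subjects taken from the presented certificate and the DataONE Subjects mapped to it, as an added Python example that is not DataONE's own code. It assumes three permission levels (read, write, changePermission, each implying the lower ones), a ``public`` Subject that stands for every requester, and Subjects written as comma-separated DN strings; all identities and the access policy are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumption for this illustration: three permission levels, each implying the lower ones.
PERMISSION_LEVEL = {"read": 1, "write": 2, "changePermission": 3}
PUBLIC = "public"  # assumed name of the Subject that stands for every requester


def normalize_subject(dn: str) -> str:
    """Canonicalise a Subject so spacing and attribute-type case cannot defeat the lookup.
    Assumes Subjects are comma-separated RDNs ("CN=Jane Doe A123,O=Example,DC=cilogon,DC=org");
    escaped commas inside values are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        parts.append(f"{attr.strip().upper()}={value.strip()}" if sep else rdn.strip())
    return ",".join(parts)


@dataclass
class Session:
    """What the node knows about the requester once the TLS handshake is done."""
    subject: Optional[str]  # DN from the presented certificate; None when none was sent
    equivalent_identities: set = field(default_factory=set)  # mapped via the DataONE Portal
    groups: set = field(default_factory=set)                  # groups the identity belongs to

    def all_subjects(self) -> set:
        """Every Subject the requester may be matched under; 'public' always applies."""
        subjects = {PUBLIC}
        if self.subject is not None:
            subjects |= {self.subject} | self.equivalent_identities | self.groups
        return {normalize_subject(s) for s in subjects}


@dataclass
class AccessPolicy:
    """The ACL carried in a resource's SystemMetadata (constructed shape)."""
    rights_holder: str
    allow: list  # (set of Subjects, highest permission granted) rules


def is_authorized(session: Session, policy: AccessPolicy, wanted: str) -> bool:
    """Authorization decision: look the requester's Subjects up in the ACL."""
    if wanted not in PERMISSION_LEVEL:
        raise ValueError(f"unknown permission: {wanted!r}")
    subjects = session.all_subjects()
    if normalize_subject(policy.rights_holder) in subjects:
        return True  # the rights holder is allowed everything
    needed = PERMISSION_LEVEL[wanted]
    for rule_subjects, granted in policy.allow:
        if PERMISSION_LEVEL[granted] >= needed and any(
            normalize_subject(s) in subjects for s in rule_subjects
        ):
            return True
    return False  # deny by default: no rule matched any of the requester's Subjects


# Constructed sample data (not real DataONE identities).
SAMPLE_POLICY = AccessPolicy(
    rights_holder="CN=Alice A100,O=Example,C=US,DC=cilogon,DC=org",
    allow=[({PUBLIC}, "read"), ({"CN=lab-group,DC=dataone,DC=org"}, "write")],
)
ANONYMOUS = Session(subject=None)
BOB = Session(
    subject="CN=Bob B200, O=Example, C=US, DC=cilogon, DC=org",  # spaces on purpose
    equivalent_identities={"uid=bob,o=unaffiliated,dc=ecoinformatics,dc=org"},
    groups={"CN=lab-group,DC=dataone,DC=org"},
)
ALICE = Session(subject="cn=Alice A100,o=Example,c=US,dc=cilogon,dc=org")

if __name__ == "__main__":
    for who, session in [("anonymous", ANONYMOUS), ("bob", BOB), ("alice", ALICE)]:
        print(who, {p: is_authorized(session, SAMPLE_POLICY, p) for p in PERMISSION_LEVEL})
```

Bob gets write access only through his group membership, which the certificate carries as a mapped Subject; a requester with no certificate is matched only under ``public`` and therefore gets read access alone.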