.. Source file: api-documentation/source/design/AuthorizationAndAuthentication.txt

Authorization and Authentication in DataONE
===========================================

Authorization vs. Authentication: A Primer
------------------------------------------

*Authorization* is the process of deciding whether a user has privileges to
access a resource or use a service. *Authentication*, on the other hand, is
the process of establishing that a user is who they claim to be. A security
architecture needs both: authentication settles *who* is asking, and
authorization settles *what* that identity may do, so that the right people
have the right access to resources and services.
Authorization is achieved by associating usernames (Subjects) and permissions
with the resources and services being secured. Typically this is done with an
access control list (ACL): when a request arrives, the requester's identity is
looked up in the ACL and the request is allowed or denied according to the
permissions found there. DataONE uses the Subjects contained in a resource's
SystemMetadata, together with the Subjects in the Authoritative Member Node's
Node document, as the ACL for that resource when making authorization
decisions. The Node document Subjects are used primarily for administrative
actions and to secure the node's services.
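The following is an added example, not DataONE's own code, of the decision
described above: the requester's Subjects are checked against the ACL carried in
an object's SystemMetadata, and separately against the Subjects in the
Authoritative Member Node's Node document for administrative actions. The XML
fragments are constructed samples shaped like DataONE's documents (rightsHolder,
accessPolicy/allow/subject/permission, node subject and contactSubject); every
Subject and identifier in them is made up. The permission ordering read < write <
changePermission, and the symbolic Subjects ``public`` and ``authenticatedUser``,
are assumptions about DataONE semantics that the text above does not spell out.

```python
import xml.etree.ElementTree as ET

# A higher permission implies the lower ones (assumption about DataONE semantics).
LEVEL = {"read": 1, "write": 2, "changePermission": 3}

# Constructed sample SystemMetadata: rightsHolder plus accessPolicy rules.
SYSMETA = """<systemMetadata>
  <identifier>example.1.1</identifier>
  <rightsHolder>CN=Jane Researcher A1234,O=Example University,C=US,DC=cilogon,DC=org</rightsHolder>
  <accessPolicy>
    <allow><subject>public</subject><permission>read</permission></allow>
    <allow>
      <subject>CN=labgroup,DC=dataone,DC=org</subject>
      <permission>read</permission><permission>write</permission>
    </allow>
  </accessPolicy>
  <authoritativeMemberNode>urn:node:TESTMN</authoritativeMemberNode>
</systemMetadata>"""

# Constructed sample Node document for the authoritative Member Node.
NODE_DOC = """<node>
  <identifier>urn:node:TESTMN</identifier>
  <subject>CN=urn:node:TESTMN,DC=dataone,DC=org</subject>
  <contactSubject>CN=Node Admin B5678,O=Example University,C=US,DC=cilogon,DC=org</contactSubject>
</node>"""


def parse_access_policy(sysmeta_xml):
    """Return (rightsHolder, {subject: highest permission level}) from SystemMetadata."""
    root = ET.fromstring(sysmeta_xml)
    acl = {}
    for allow in root.iterfind("accessPolicy/allow"):
        top = max(LEVEL[p.text.strip()] for p in allow.findall("permission"))
        for subj in allow.findall("subject"):
            name = subj.text.strip()
            acl[name] = max(acl.get(name, 0), top)
    return root.findtext("rightsHolder").strip(), acl


def node_subjects(node_xml):
    """Subjects that represent the node operator in its Node document."""
    root = ET.fromstring(node_xml)
    return {e.text.strip() for e in root if e.tag in ("subject", "contactSubject")}


def requester_subjects(cert_subject=None, mapped_identities=(), groups=()):
    """Everything a requester may act as. An anonymous caller is just 'public';
    an authenticated caller also carries its certificate Subject, the identities
    and groups mapped to it (as a DataONE-issued CILogon certificate does), and
    the symbolic 'authenticatedUser' Subject (symbolic Subjects are assumptions)."""
    subjects = {"public"}
    if cert_subject:
        subjects |= {cert_subject, "authenticatedUser", *mapped_identities, *groups}
    return subjects


def is_authorized(subjects, permission, sysmeta_xml=SYSMETA):
    """Object-level check: the rightsHolder holds every permission; anyone else
    needs an allow rule for one of their Subjects at or above the requested level."""
    if permission not in LEVEL:
        raise ValueError(f"unknown permission {permission!r}")
    rights_holder, acl = parse_access_policy(sysmeta_xml)
    if rights_holder in subjects:
        return True
    return any(acl.get(s, 0) >= LEVEL[permission] for s in subjects)


def is_node_admin(subjects, node_xml=NODE_DOC):
    """Administrative check: one of the requester's Subjects must be listed in
    the authoritative Member Node's Node document."""
    return bool(subjects & node_subjects(node_xml))


if __name__ == "__main__":
    anon = requester_subjects()
    member = requester_subjects("CN=Bob Student C9012,O=Example University,C=US,DC=cilogon,DC=org",
                                groups=["CN=labgroup,DC=dataone,DC=org"])
    owner = requester_subjects("CN=Jane Researcher A1234,O=Example University,C=US,DC=cilogon,DC=org")
    node = requester_subjects("CN=urn:node:TESTMN,DC=dataone,DC=org")
    print(is_authorized(anon, "read"), is_authorized(anon, "write"))                 # True False
    print(is_authorized(member, "write"), is_authorized(member, "changePermission"))  # True False
    print(is_authorized(owner, "changePermission"), is_node_admin(owner))             # True False
    print(is_node_admin(node))                                                        # True
```

The two checks are kept separate on purpose: being listed in the Node document
says nothing about a particular object's ACL, and being an object's rightsHolder
says nothing about operating the node.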
In authentication, the user supplies a username along with other information
that gives assurance they are who they say they are. An ordinary computer logon
is an example: the password is the information that vouches for the user's
identity. Username-password systems used over the internet must be a bit more
elaborate, because the username and password themselves have to be protected
before they are sent to the remote server. That is, the user first needs to
authenticate the remote server and then encrypt her confidential information
before transmitting it. X.509 has emerged as the de facto standard for doing
this, and is what DataONE uses for authentication.
X.509 Authentication
--------------------

X.509 is a public key infrastructure (PKI) that provides a way to trust
newly-encountered entities through a strict chain of trust. Trusted third
parties known as Certificate Authorities (CAs) issue certificates to entities,
which present them to end-users and use them for encrypted communication. The
chain of trust works as follows: if the issuing CA (whose identity is recorded
in the certificate sent to the end-user) is trusted by the end-user, and the
CA's signature over the certificate verifies, then the end-user trusts the
entity presenting the certificate. Note that it is the verified signature, not
merely the CA's name appearing in the certificate, that carries the trust.
Major internet browsers ship with a set of CA certificates from well-established
and reputable CAs; certificates signed by one of these CAs are referred to here
as "commercially-signed" certificates.
For example, VeriSign and Thawte are two well-known CAs. Imagine a bank
purchases a certificate from VeriSign for its online banking site. When a
customer connects to the bank's web site, the browser receives the bank's
certificate and traces the signing chain, finding VeriSign as the signer. If
the VeriSign certificate is in the browser's local list of trusted CAs, the
browser accepts the certificate as the bank's and authenticates the
connection. Otherwise authentication fails and the page is not loaded. (At
this point some browsers tell the user that the signer is not trusted and ask
whether it should be, offering to add the signer to the list of trusted CAs.
Accepting that offer for an unknown signer defeats the chain of trust: a
certificate from a CA controlled by an attacker would be trusted from then on.)
Self-signed Certificates
------------------------

It is also possible for an organization to run its own signing authority and
use the certificates it issues. (Strictly, only the organization's CA
certificate is self-signed; the certificates it issues are signed by that
private CA. This document uses the term loosely for both.) Such certificates
are generally only useful where trust can be established in some other way, in
other words where the client and the server already know each other. A prime
example is a corporation's internal applications, where system administrators
install the organization's CA certificate on users' machines on their behalf.
DataONE uses this type of certificate to authenticate requests between Nodes in
its network.
DataONE Authentication
----------------------

In the bank example above, the end-user authenticates with a username and
password while the web server authenticates itself with a certificate. That
approach does not fit the distributed DataONE environment, where servers talk
to other servers as well as to end-users. Instead, DataONE requires both
end-users and servers (the Member Nodes and Coordinating Nodes) to authenticate
themselves with X.509 certificates, and relies on CILogon to issue certificates
to end-users.
Using CILogon has two main advantages for end-users. First, they obtain
certificates with accounts they already have, so they do not need to create
and remember yet another username and password. Second, once they have
downloaded the certificate, it secures connections with all DataONE nodes for
the rest of the day and can be used by multiple DataONE applications. This is
a form of single sign-on. Because the downloaded certificate and its private
key stand in for the user for that period, the file must be protected like a
password.
CILogon certificates issued for DataONE have a third feature: they carry the
additional DataONE Subjects that are mapped to the certificate's Subject
through DataONE's identity management service, the DataONE Portal. In a
nutshell, a DataONE identity is the set of user accounts and groups that a
person maintains.

For more information on CILogon see their FAQ_.

The DataONE landing page for CILogon is here_.

.. _FAQ: http://www.cilogon.org/faq
.. _here: https://cilogon.org/?skin=DataONE
Member Node Certificates
------------------------

Member Nodes cannot use CILogon certificates to make calls to other DataONE
nodes, since those are short-lived; instead they use long-lived X.509
certificates issued by DataONE when the node is registered with the DataONE
network. Note that this DataONE-signed certificate is used only for initiating
requests, not for responding to them. In other words, it is used only when the
Member Node is acting as a client making requests. In that situation the
connection manager making the request receives a commercially-signed
certificate from the other DataONE Node during the handshake, so no special
trust needs to be set up on the client side.
Note that the behaviour of the "other DataONE Node" above is exactly the
behaviour the Member Node itself needs when responding to DataONE service API
requests. The certificate it uses for that is known as the Member Node's
*server* certificate.
In short, Member Nodes (and Coordinating Nodes) act both as clients and as
servers. In its client role, a Member Node uses its DataONE-issued and
DataONE-signed certificate, and needs to trust only commercially-signed
certificates. In its server role, it must accept commercially-signed,
CILogon-issued certificates as well as DataONE-signed certificates from
requesters, and respond with a commercially-signed certificate of its own.
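The following added example (not DataONE's own code) exercises both the chain of
trust described in the X.509 section and the two Node roles summarized above, on
a loopback TLS connection. It assumes the ``openssl`` command-line tool is on
PATH and generates three throwaway CAs as stand-ins for DataONE's CA, CILogon's
CA and a commercial CA, plus the certificates they issue; all of that material,
including the Subject names, is constructed for the demonstration. The client
trusts only the stand-in commercial CA (playing the role of the system trust
store); the server presents a commercially-signed certificate and holds the
DataONE and CILogon CAs in its client-CA store. Two further assumptions: anonymous
requests are admitted at the TLS layer (``CERT_OPTIONAL``) so the authorization
layer can decide about them, and the requester's Subject is rendered as an
RFC 2253 DN string.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Short attribute names for rendering a subject DN in RFC 2253 style.
SHORT = {"commonName": "CN", "organizationName": "O", "organizationalUnitName": "OU",
         "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L", "domainComponent": "DC"}

def rfc2253(peercert):
    """Subject DN of an ssl.getpeercert() dict, most specific RDN first (no escaping)."""
    return ",".join(f"{SHORT.get(k, k)}={v}" for rdn in reversed(peercert["subject"]) for k, v in rdn)

def _openssl(*args):
    subprocess.run(("openssl", *args), check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

def make_ca(workdir, name):
    """Self-signed test CA (a constructed stand-in; openssl req -x509 marks it CA:TRUE)."""
    key, crt = (os.path.join(workdir, f"{name}.{e}") for e in ("key", "crt"))
    _openssl("req", "-x509", "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1",
             "-nodes", "-days", "1", "-subj", f"/O={name}", "-keyout", key, "-out", crt)
    return key, crt

def issue(workdir, name, subject, ca, san=None):
    """End-entity certificate for `subject`, signed by `ca`; server certificates need a SAN."""
    key, csr, crt, ext = (os.path.join(workdir, f"{name}.{e}") for e in ("key", "csr", "crt", "ext"))
    _openssl("req", "-new", "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1",
             "-nodes", "-subj", subject, "-keyout", key, "-out", csr)
    with open(ext, "w") as f:
        f.write("basicConstraints=CA:FALSE\n" + (f"subjectAltName={san}\n" if san else ""))
    _openssl("x509", "-req", "-days", "1", "-in", csr, "-CA", ca[1], "-CAkey", ca[0],
             "-CAcreateserial", "-out", crt, "-extfile", ext)
    return key, crt

def client_context(trusted_ca_file, identity=None):
    """Requester role: verify the responder against the commercially trusted CAs (one test
    CA stands in for the system store) and present the requester's own certificate, if any."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and hostname checking are on
    ctx.load_verify_locations(cafile=trusted_ca_file)
    if identity:
        ctx.load_cert_chain(certfile=identity[1], keyfile=identity[0])
    return ctx

def server_context(identity, requester_ca_bundle):
    """Responder role: commercially-signed server certificate plus a client-CA store holding
    the DataONE and CILogon CAs. CERT_OPTIONAL admits anonymous requesters (assumption);
    a requester certificate from a CA outside the bundle still aborts the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=identity[1], keyfile=identity[0])
    ctx.load_verify_locations(cafile=requester_ca_bundle)
    ctx.verify_mode = ssl.CERT_OPTIONAL
    return ctx

def handshake(server_ctx, client_ctx):
    """One TLS exchange over loopback. Returns the requester DN the responder verified
    (None if anonymous or if the handshake failed) and the requester's verification error."""
    seen = {"peer_dn": None, "client_error": None}
    listener = socket.create_server(("127.0.0.1", 0))

    def serve():
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                cert = tls.getpeercert()
                seen["peer_dn"] = rfc2253(cert) if cert else None
                tls.sendall(b"ok")
        except OSError:  # ssl.SSLError is an OSError: the requester refused our certificate
            pass

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        with socket.create_connection(listener.getsockname()) as raw, \
                client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.recv(2)
    except ssl.SSLCertVerificationError as e:
        seen["client_error"] = e.verify_message
    finally:
        t.join(timeout=5)
        listener.close()
    return seen

def demo():
    """The exchanges from the text, run with constructed stand-in CAs and certificates."""
    with tempfile.TemporaryDirectory() as d:
        dataone_ca, cilogon_ca, public_ca = (make_ca(d, n) for n in
                                             ("DataONE Test CA", "CILogon Test CA", "Commercial Test CA"))
        node_cert = issue(d, "node", "/DC=org/DC=dataone/CN=urn:node:TESTMN", dataone_ca)
        user_cert = issue(d, "user", "/DC=org/DC=cilogon/C=US/O=Example University/CN=Jane Researcher A1234",
                          cilogon_ca)
        server_cert = issue(d, "server", "/CN=localhost", public_ca, san="DNS:localhost")
        odd_server = issue(d, "odd", "/CN=localhost", dataone_ca, san="DNS:localhost")
        bundle = os.path.join(d, "requester-cas.pem")  # CAs trusted in the server role
        with open(bundle, "w") as out:
            out.write("".join(open(crt).read() for _, crt in (dataone_ca, cilogon_ca)))
        srv = server_context(server_cert, bundle)
        return {
            "node_dn": handshake(srv, client_context(public_ca[1], node_cert))["peer_dn"],
            "user_dn": handshake(srv, client_context(public_ca[1], user_cert))["peer_dn"],
            "anonymous_dn": handshake(srv, client_context(public_ca[1]))["peer_dn"],
            # A responder answering with a DataONE-signed certificate is refused by a
            # requester that trusts only the commercial CAs: the server cert must be commercial.
            "odd_server_error": handshake(server_context(odd_server, bundle),
                                          client_context(public_ca[1], node_cert))["client_error"],
        }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last case is the failure mode the text warns about: the Member Node's
client side has only the commercial CAs in its trust store, so a peer that
answers with a DataONE-signed (or any other privately signed) server certificate
is rejected with ``unable to get local issuer certificate`` before any request
is sent.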
Trust Relationships
-------------------

Below illustrates the certificates used for making requests...

==================  ====================  ==========================
Client / Requester  requests using        request cert. type
==================  ====================  ==========================
End-user            CILogon-signed cert.  short-lived, commercial
Coordinating Node   DataONE-signed cert.  long-lived, non-commercial
Member Node         DataONE-signed cert.  long-lived, non-commercial
==================  ====================  ==========================

... and the certificates given in response.

==================  ========================
Server              responds with
==================  ========================
Coordinating Node   commercially-signed cert
Member Node         commercially-signed cert
==================  ========================
Regarding Commercially-Signed Certificates
------------------------------------------

Client applications use connection managers to set up the SSL/TLS connection
over which certificates are exchanged, and most connection managers ship with
largely the same set of trusted CAs. The overlap is not complete, however, so
Member Nodes should take extra care to confirm that their server certificate
(together with any intermediate CA certificates the server must send along
with it) chains to a root trusted by all major browsers, Java JVMs and
OS-specific trust stores, so that their data is as widely accessible as
possible.