AuthN CA middleware support [Fwd: [caops-wg] Draft Agenda]

Jensen, J (Jens) J.Jensen at rl.ac.uk
Thu May 11 09:24:57 CDT 2006


David O'Callaghan wrote on 11 May 2006 14:42:
>
> Hi Jens et al.,

Hi David,

>
> On 11.05.06 12:53, Jensen, J (Jens) wrote:
>> Regardless of whether "we" build a validation authority or
>> add to the middleware validation, someone still needs to
>> build the validation code, and the language to specify what
>> you want.  The language should allow for checking not just
>> policy oid but also key size and individual extensions,
>> etc, IMHO.  And be simple enough that anyone can implement
>> an acceptance policy - no XML, no binary encodings.
>
> I've been working on something like this and I hope to have the 
> opportunity to describe it at the next EU Grid PMA meeting. The 
> acceptance policy uses a Scheme-style S-Expression format, which 
> admittedly has a lot in common with XML.

Interesting.  Do you have an implementation, or is it design at this
stage?  It ought to be possible to glue guile and OpenSSL together
to evaluate it.

Personally, I'd much much rather write an S-expression than write
an XACML-style policy document by hand... but then I am fluent in
lisp so YMMV.

I think we need an IGTF working group on this.  We need to get
requirements from the RPs as well.  At the TAGPMA meeting,
David G said he'd set up a policy WG, with expressions of interest
received from Tony and Scott, and *cough* myself.

>
>> And as I mentioned earlier, if we add it to the middleware,
>> it is best to go as far upstream as possible - OpenSSL
>> ideally, or Globus.  Document may need tweaking depending
>> on where we go.
>
> It will also need to work with other libraries, such as Bouncy Castle 
> which is used for Java-based software (e.g. in gLite).

Definitely.  But if OpenSSL has it, others are more likely to follow,
I hope.  If we need things changed, the further upstream it is
changed, the wider the effect will be, but there is no single source.
As long as it's compatible with other libraries in the interim.
Didn't EGEE contribute Globus proxy validation code to OpenSSL?

Cheers,
--jens
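As an added illustration of the kind of acceptance-policy language discussed above, and not code from David's or Jens's work: a small Python parser and evaluator for a hypothetical S-expression policy. The operator names, the certificate attribute dictionary, the DN and the policy OID are all made up here; the policy checks key size, policy OID and a critical extension, and fails closed on any operator it does not recognise.

```python
import re
# Constructed cert attributes (what a validator would pull from an X.509 cert via OpenSSL); DN and OID are placeholders.
SAMPLE_CERT = {
    "issuer": "/C=UK/O=ExampleCA/CN=Example Authority",
    "key_size": 2048,
    "policy_oids": ["1.2.3.4.5"],
    "extensions": {"basicConstraints": {"critical": True, "ca": False}},
}
# Hypothetical policy syntax (this thread defines none): nested (operator arg...) forms; the whole expression must hold.
SAMPLE_POLICY = """
(and (key-size-at-least 2048)
     (has-policy-oid "1.2.3.4.5")
     (extension-critical "basicConstraints")
     (not (issuer-is "/C=XX/O=Untrusted/CN=Rogue CA")))
"""
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')

def parse(text):
    """Turn S-expression text into nested lists of str/int atoms."""
    tokens, pos = TOKEN.findall(text), 0
    def read():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            items = []
            while tokens[pos] != ")":
                items.append(read())
            pos += 1  # consume the closing ')'
            return items
        if tok == ")":
            raise ValueError("unbalanced ')'")
        if tok.startswith('"'):
            return tok[1:-1]  # quoted string atom
        return int(tok) if tok.isdigit() else tok
    expr = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens after policy")
    return expr

def evaluate(expr, cert):
    op, args = expr[0], expr[1:]
    if op == "and": return all(evaluate(a, cert) for a in args)
    if op == "not": return not evaluate(args[0], cert)
    if op == "key-size-at-least": return cert["key_size"] >= args[0]
    if op == "has-policy-oid": return args[0] in cert["policy_oids"]
    if op == "issuer-is": return cert["issuer"] == args[0]
    if op == "extension-critical":
        return cert["extensions"].get(args[0], {}).get("critical") is True
    raise ValueError(f"unknown policy operator {op!r}")  # fail closed
def accept(policy_text, cert):
    return evaluate(parse(policy_text), cert)
```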
