[ogsa-dmi-wg] Security Architecture

Steven Newhouse Steven.Newhouse at microsoft.com
Sun Jun 3 21:53:59 CDT 2007


Some thoughts on the security architecture for DMI that came to mind in going through the current document.

One option would be to make a clean separation between the access to the DMI service and access to the data itself. Accessing just the service means that we do not need to consider delegation - so we could use the mechanisms established with the HPCP work. These seem to be firming up and have some consensus.

This leaves what to do about the data access... I'd like to suggest that we punt on this slightly by saying that in establishing the Data EPR we add a requirement for a security token to be placed in the element relevant for that particular data transfer protocol. This removes the user from having to provide tokens during the operation that creates the instance - NB they will not know what they need to provide as the factory has not decided what protocol to use!

Once the factory has decided on the data transfer services it will use to do the transfer - it can use the security token within the DEPR to initiate the transfer.

Thoughts welcome before this... but perhaps we could go through this on the next call?

Steven

