[ogsa-hpcp-wg] SC06 Demo Kickoff

Peter G. Lane lane at mcs.anl.gov
Fri Sep 22 11:21:55 CDT 2006


Forwarded from private emails...

[From: Marty Humphrey <humphrey at cs.virginia.edu>]
> Toll Free Number:       866-500-6738 
> International:          1-203-480-8000 
> Passcode:               231867 
>  
> 2pm EDT today
> 

[From: David Snelling <David.Snelling at UI.Fujitsu.com>]
> Now to the point: There has been some chat about security among some of us. I will try to summarize what the options are and we can discuss them on a call.
> 
> 1) No security: We use basic HTTP without any protection. This would work fine in a closed setting, but interops work much better when we can test them remotely beforehand. Not all of us will be allowed to publish unprotected endpoints.
> 
> FLE View: We can do this, but only with the client also on the phone. Not a preferred option.
> 
> 2) Use Mutually Authenticated HTTPS: This is effectively the "OGSA Basic Security Profile 1.0 - Secure Channel" specification. It assumes that both client and service have the root CA cert of the other's certificate. This is used to set up the SSL connection, and the identity is extracted from the connection and used for authorization and account mapping. I believe this can be made to work with primary certs or with proxy certs.
> 
> FLE View: This is our preferred option (with primary certs, but I think we can make proxies work with some effort).
> 
> 3) WS-Security User Name Profile: As I understand it, this encodes a user name (and possibly password) in a SOAP header element. The underlying transport is assumed to be HTTPS, because I don't believe that the message itself is encrypted.
> 
> FLE View: We don't implement this at present and have no plans to do so. User names are not very Grid-like and so not on our roadmap.
> 
> 4) WS-Security X.509 Profile: As I understand it, this encodes the user's X.509 certificate in a SOAP header element. As above, the underlying transport is assumed to be HTTPS, and the message is not encrypted, although this is possible within this profile. This actual profile is very complicated and we would need to define very carefully which parts of its many optional bits we use.
> 
> FLE View: We don't implement this at present, but would be willing to do so. However, this would put our participation at risk depending on how complicated a profile the group chooses and how soon we decide.
> 
> I look forward to a call.
> -- 
> Take care:
> 
>     Dr. David Snelling < David . Snelling . UK . Fujitsu . com >
>     Fujitsu Laboratories of Europe
>     Hayes Park Central
>     Hayes End Road
>     Hayes, Middlesex  UB4 8FE
> 
>     +44-208-606-4649 (Office)
>     +44-208-606-4539 (Fax)
>     +44-7768-807526  (Mobile)
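
Option 2 above, sketched from the service side as an added example (not part of the original message and not any participant's implementation): the channel requires a client certificate chaining to the peer's root CA, and the verified subject is mapped to a local account. The slash-separated DN form, the account map, and all names and sample values are assumptions; only primary certificates are handled.

```python
import ssl

# Short attribute names used to render the subject (assumed DN format).
SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
         "organizationName": "O", "organizationalUnitName": "OU",
         "commonName": "CN", "domainComponent": "DC"}

def build_server_context(server_cert, server_key, peer_root_ca):
    """Server context that rejects any client without a cert chaining to
    peer_root_ca. The client does the mirror image with the service's root CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_cert, server_key)
    ctx.load_verify_locations(cafile=peer_root_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    return ctx

def subject_dn(peercert):
    """Render the 'subject' of SSLSocket.getpeercert() as /C=../O=../CN=.."""
    parts = []
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            parts.append("/%s=%s" % (SHORT.get(key, key), value))
    return "".join(parts)

def map_account(peercert, account_map):
    """Return the local account for the authenticated peer, or None to deny.
    getpeercert() yields None (no cert) or {} (cert not validated); both
    must fail closed rather than fall through to a default account."""
    if not peercert:
        return None
    return account_map.get(subject_dn(peercert))

# Constructed sample: the dict shape getpeercert() returns after a handshake.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Grid"),),
                (("commonName", "Alice Example"),)),
}
# Constructed account map (hypothetical DN and account name).
ACCOUNT_MAP = {"/C=GB/O=Example Grid/CN=Alice Example": "grid001"}

if __name__ == "__main__":
    print(subject_dn(SAMPLE_PEERCERT), "->",
          map_account(SAMPLE_PEERCERT, ACCOUNT_MAP))
```

In a running service, `peercert` would come from `conn.getpeercert()` on a socket accepted through the context built by `build_server_context`.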