[ogsa-hpcp-wg] HPCBP Extensions Short-list

Ian Foster foster at mcs.anl.gov
Fri Dec 14 12:11:14 CST 2007


The work that I was thinking of is this:

1) PKINIT, for mapping from X.509 credentials to Kerberos credentials.

See: http://www.globus.org/grid_software/security/pkinit.php

The link there needs to be updated, I believe it should be to:
http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/PKINIT.html

2) KX509 and KCA, for mapping from Kerberos credentials to X.509 
credentials. (Basically a lightweight certificate authority.)

See http://www.globus.org/grid_software/security/kx509-and-kca.php.

Ian.

Blair Dillaway wrote:
> Ian, Donal,
> 
> There are different ways of handling this depending on the OS you run. In Windows you can set up X.509 certificate mapping rules to AD accounts, either using IIS mechanisms for a particular web service or AD for domain-wide rules. Unix privileged processes can do similar mapping. There is, naturally, some admin pain in that one needs to pre-define these mapping rules.
> 
> Based on prior conversations, it is my understanding that this is not the motivating scenario behind the proposed HPCP extension (We do need to write up the use case(s) before drafting the profile). If users already have X.509 credentials used to authenticate to BES services, then the existing HPCP security profile is adequate to support X.509-based mutual authentication. Hints that a BES, or compute cluster, should map to an account to execute the job or perform data staging would most naturally fit under the Activity Credential proposal.
> 
> What is missing is an interop profile for how users and the BES will authenticate, and provide message integrity and confidentiality, when there is an existing Kerberos infrastructure but no deployed X.509 infrastructure. This is reasonably common for environments matching the base use case documented by the HPCP WG.
> 
> Regards,
> Blair
> 
> 
> 
>> -----Original Message-----
>> From: ogsa-hpcp-wg-bounces at ogf.org [mailto:ogsa-hpcp-wg-
>> bounces at ogf.org] On Behalf Of Donal K. Fellows
>> Sent: Friday, December 14, 2007 3:35 AM
>> To: Ian Foster
>> Cc: ogsa-hpcp-wg at ogf.org
>> Subject: Re: [ogsa-hpcp-wg] HPCBP Extensions Short-list
>>
>> Ian Foster wrote:
>>> Donal K. Fellows wrote:
>>>> We (well, actually one of my colleagues who handles interfacing with
>>>> our astrophysics and astronomy users) want it for AFS access so that we
>>>> can access users' home directories. I'm less keen on having to require
>>>> them to use Kerberos to authenticate to the BES instance in that case
>>>> though, mostly because our IT department only tolerates Kerberos to
>>>> support AFS.
>>> I realize this isn't an OGF issue, but is the solution here to map
>>> from X.509 to Kerberos credentials, as we do in various Globus
>>> deployments for example?
>> I've no idea really; it's not my own area to be honest. Is there a
>> written up way to do this somewhere that I can point my colleague at?
>>
>> Donal.
>> --
>>   ogsa-hpcp-wg mailing list
>>   ogsa-hpcp-wg at ogf.org
>>   http://www.ogf.org/mailman/listinfo/ogsa-hpcp-wg
> 
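Blair's message above mentions that the Unix side of identity mapping relies on pre-defined rules that map an X.509 subject to a local account. The following is an added illustration of that rule-based mapping, not code from this thread or from Globus: it parses a small set of constructed rules in a grid-mapfile-like syntax (quoted subject DN, then the permitted local account or accounts), normalises the DN presented by the client, and refuses to map any subject that has no rule or that asks for an account the rule does not allow. The rule syntax and the sample DNs are assumptions made for the example.

```python
import re

# Constructed sample rules (assumption: a grid-mapfile-like syntax, one rule
# per line). Each rule is a quoted subject DN followed by the local account(s)
# that subject may be mapped to, comma-separated, first one being the default.
MAPPING_RULES = """\
# constructed sample mapping rules
"/C=UK/O=eScience/OU=Manchester/CN=alice" alice
"/C=UK/O=eScience/OU=Manchester/CN=bob" bob,hpcusers
"""

_RULE_RE = re.compile(r'^"([^"]+)"\s+(\S+)$')


def normalize_dn(dn):
    """Trim the DN and drop whitespace around '/' and '=' separators.

    Only formatting noise is removed; the comparison itself stays exact and
    case-sensitive so that no two distinct subjects can collide on a rule.
    """
    return re.sub(r"\s*([/=])\s*", r"\1", dn.strip())


def parse_mapping_rules(text):
    """Return {normalised_dn: [account, ...]} from rule text.

    Malformed or duplicate rules raise ValueError rather than being skipped,
    because a silently ignored rule is a silent change in who gets access.
    """
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _RULE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: malformed rule: {raw!r}")
        dn = normalize_dn(match.group(1))
        accounts = [a for a in match.group(2).split(",") if a]
        if dn in rules:
            raise ValueError(f"line {lineno}: duplicate rule for {dn}")
        rules[dn] = accounts
    return rules


def map_subject_to_account(rules, subject_dn, requested=None):
    """Map an authenticated X.509 subject to a local account.

    Returns the account name, or None when the subject has no rule or asks
    for an account its rule does not permit. An unmapped subject is denied;
    nothing is ever guessed from the DN itself.
    """
    accounts = rules.get(normalize_dn(subject_dn))
    if accounts is None:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


if __name__ == "__main__":
    rules = parse_mapping_rules(MAPPING_RULES)
    for dn, wanted in [
        ("/C=UK/O=eScience/OU=Manchester/CN=alice", None),
        ("/C=UK/O=eScience/OU=Manchester/CN=bob", "hpcusers"),
        ("/C=UK/O=eScience/OU=Manchester/CN=bob", "root"),
        ("/C=UK/O=eScience/OU=Manchester/CN=mallory", None),
    ]:
        print(dn, wanted, "->", map_subject_to_account(rules, dn, wanted))
```

The deny-by-default behaviour is the point: the mapping table is the whole authorisation decision on the Unix side, which is exactly the administrative burden Blair describes, so the parser treats a malformed or duplicated rule as a configuration error instead of quietly dropping it.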

