[Pgi-wg] OGF PGI - Security - Interoperability in progress between EGEE and OSG (using COPS)

Morris Riedel m.riedel at fz-juelich.de
Fri Apr 3 08:59:04 CDT 2009


Thanks for the very valuable input David!

------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email: m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

"We work to better ourselves, and the rest of humanity"

Registered office: Jülich
Registered in the commercial register of the Düren District Court, No. HR B 3498
Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
Board of Directors: Prof. Dr. Achim Bachem (Chair),
Dr. Ulrich Krafft (Deputy Chair)


>------Original Message-----
>-From: David Groep [mailto:davidg at nikhef.nl]
>-Sent: Friday, April 03, 2009 3:56 PM
>-To: Morris Riedel
>-Cc: 'Steven Newhouse'; 'Etienne Urbah'; pgi-wg at ogf.org; edges-na3 at mail.edges-grid.eu; lodygens at lal.in2p3.fr
>-Subject: Re: [Pgi-wg] OGF PGI - Security - Interoperability in progress between EGEE and OSG (using COPS)
>-
>-Dear all,
>-
>-As the presenter of the authz-interop.org work, I can just confirm
>-that both Steven and Morris are absolutely correct.
>-
>-For the techies on the list: the authz-interop work addresses the
>-exchange of attributes and obligations between a policy enforcement
>-point and a decision point, and the communications protocol to exchange
>-these (essentially a profile of XACML2 over SAML2). It does NOT
>-address the 'external' interface for any service.
>-
>-	Best,
>-	David "sorry, no simple solutions available yet" G.
>-
>-Morris Riedel wrote:
>-> Exactly - from my understanding it's on a different level!
>->
>-> ------------------------------------------------------------
>-> Morris Riedel
>-> SW - Engineer
>-> Distributed Systems and Grid Computing Division
>->
>->
>->> ------Original Message-----
>->> -From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf Of Steven Newhouse
>->> -Sent: Friday, April 03, 2009 3:48 PM
>->> -To: Etienne Urbah; pgi-wg at ogf.org
>->> -Cc: edges-na3 at mail.edges-grid.eu; lodygens at lal.in2p3.fr
>->> -Subject: Re: [Pgi-wg] OGF PGI - Security - Interoperability in progress between EGEE and OSG (using COPS)
>->> -
>->> -It is my understanding that this work addresses a very different use case than we
>->> -have been discussing within PGI. It's a deployment that is encapsulated within the
>->> -service infrastructure (generally within a single site) to support authorization
>->> -decisions. Not the user/role driven authentication tokens that we have been
>->> -discussing within PGI - our primary use case.
>->> -
>->> -Steven
>->> -
>->> -Dr Steven Newhouse
>->> -EGEE Technical Director
>->> -http://cern.ch/Steven.Newhouse
>->> -
>->> -
>->> -> -----Original Message-----
>->> -> From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf Of Etienne URBAH
>->> -> Sent: 03 April 2009 15:38
>->> -> To: pgi-wg at ogf.org
>->> -> Cc: edges-na3 at mail.edges-grid.eu; lodygens at lal.in2p3.fr
>->> -> Subject: [Pgi-wg] OGF PGI - Security - Interoperability in progress
>->> -> between EGEE and OSG (using COPS)
>->> ->
>->> -> To All,
>->> ->
>->> ->
>->> -> My previous today's mail shows that the security work of PGI is now
>->> -> stuck into irreconcilable incompatibility between :
>->> -> -  RFC-3820-compliant X509 certificates and proxies on one part,
>->> -> -  GSI-style X509 proxies (which can be delegated) on the other part.
>->> ->
>->> ->
>->> -> But there is some hope :  At the last MWSG meeting in Zürich, David
>->> -> GROEP has performed a presentation 'AuthZ Interop report' available at
>->> -> http://indico.cern.ch/materialDisplay.py?contribId=22&sessionId=3&materialId=slides&confId=52862
>->> ->
>->> -> This presentation describes current work in good progress begun in 2007
>->> -> on security interoperability between OSG and EGEE, with the help of
>->> -> Globus and Condor teams.
>->> ->
>->> -> This work uses the Common Open Policy Service (COPS) model defined in
>->> -> RFC 2748 at http://tools.ietf.org/html/rfc2748
>->> ->
>->> -> COPS defines at least following 2 concepts :
>->> -> -  PDP = Policy Decision Point
>->> -> -  PEP = Policy Enforcement Point
>->> ->
>->> -> Interoperability is achieved through an AuthZ Interop Profile, based on
>->> -> the SAML v2 profile of XACML v2.
>->> ->
>->> -> There are production deployments in OSG and EGEE.
>->> ->
>->> ->
>->> -> So I suggest that, before reinventing the wheel, we study in detail the
>->> -> above mentioned document, in order to quickly know :
>->> -> -  The problems which they are encountering,
>->> -> -  The solutions which they are finding,
>->> -> -  The interoperable components which they are deploying and which we
>->> -> could reuse,
>->> -> -  ...
>->> ->
>->> ->
>->> -> Best regards.
>->> ->
>->> -> ----------------------------------
>->> -> Etienne URBAH          IN2P3 - LAL
>-
>-
>---
>-David Groep
>-
>-** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
>-** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
