[Pgi-wg] OGF PGI - Security Model - NEW versions of GSI acceptRFC-3820-compliant X509 proxies

Wed Apr 8 05:27:47 CDT 2009

Hi,

 very valuable information - probably another reason for sticking to GSI
unfortunately in the production space...

>- VOMS 2.0 is due to be out during autumn this year.

What is the chance that this VOMS 2.0 get a huge deployment in EGEE then?!

Thanks, 
Morris

------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email: m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

"We work to better ourselves, and the rest of humanity"

Sitz der Gesellschaft: Jülich
Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), 
Dr. Ulrich Krafft (stellv. Vorsitzender)

>------Original Message-----
>-From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf Of
>-Vincenzo Ciaschini
>-Sent: Wednesday, April 08, 2009 12:07 PM
>-To: Etienne URBAH
>-Cc: aleksandr.konstantinov at fys.uio.no; edges-na3 at mail.edges-grid.eu;
>-lodygens at lal.in2p3.fr; pgi-wg at ogf.org
>-Subject: Re: [Pgi-wg] OGF PGI - Security Model - NEW versions of GSI
acceptRFC-
>-3820-compliant X509 proxies
>-
>-Hi Etienne,
>-Etienne URBAH wrote:
>-> Still to be verified is that VOMS servers only accept GSI-style X509
>-> proxies http://forge.gridforum.org/sf/go/doc15591?nav=1
>-VOMS accepts and generates both type of proxies.  However, there is a
>-caveat, which explains the failures you get:
>-
>-Pre VOMS 2.0:
>-Server-side, VOMS uses GSI for validation.  This means that if you run
>-voms against gt2, contacting it with a gt4 proxy will fail.
>-
>-There is a final argument in the vomses file which specifies which
>-version of GT the service uses, and adapts the proxies used to contact
>-it accordingly.  Many VOs distribute an incorrect vomses file.
>-
>-The final proxy obtained as output by voms-proxy-init will always be
>-what you requested, in this case a rfc proxy.
>-
>-VOMS 2.0 onwards:
>-Globus dependencies on the server will be dropped too (They are
>-corrently removed from both the clients and the APIs).  This will mean
>-that any kind of proxy, or even a bare certificate, will become
>-acceptable for contacting the service.  The whole vomses config business
>-above will no longer be relevant.
>-
>-VOMS 2.0 is due to be out during autumn this year.
>-
>-Ciao,
>-    Vincenzo
>-_______________________________________________
>-Pgi-wg mailing list
>-Pgi-wg at ogf.org
>-http://www.ogf.org/mailman/listinfo/pgi-wg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3550 bytes
Desc: not available
Url : http://www.ogf.org/pipermail/pgi-wg/attachments/20090408/ae89bc16/attachment.bin 