[Pgi-wg] OGF PGI - Security Model - NEW versions of GSI accept RFC-3820-compliant X509 proxies

Duane Merrill dgm4d at virginia.edu
Wed Apr 8 08:42:16 CDT 2009


*Steven*: Surely it's better to focus our energies on defining a profile
around the new style proxies that groups intend to support going forward?

This seems most prudent.  We don't need to bend the PGI profile(s) such that
every existing endpoint can be labeled "compliant".  Compliant service
endpoints can be rolled out incrementally as subject to
implementation/budget/etc. constraints.

*Morris*: What is the chance that this VOMS 2.0 gets a huge deployment in
EGEE then?!

It doesn't need a huge deployment.  Even a single deployment at the grid
boundary will work to our ends.

-Duane




2009/4/8 Morris Riedel <m.riedel at fz-juelich.de>

> Hi,
>
>  very valuable information - probably another reason for sticking to GSI
> unfortunately in the production space...
>
> >- VOMS 2.0 is due to be out during autumn this year.
>
> What is the chance that this VOMS 2.0 gets a huge deployment in EGEE then?!
>
> Thanks,
> Morris
>
> ------------------------------------------------------------
> Morris Riedel
> SW - Engineer
> Distributed Systems and Grid Computing Division
> Jülich Supercomputing Centre (JSC)
> Forschungszentrum Juelich
> Wilhelm-Johnen-Str. 1
> D - 52425 Juelich
> Germany
>
> Email: m.riedel at fz-juelich.de
> Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
> Phone: +49 2461 61 - 3651
> Fax: +49 2461 61 - 6656
>
> Skype: MorrisRiedel
>
> "We work to better ourselves, and the rest of humanity"
>
> Registered office: Jülich
> Registered in the commercial register of the Amtsgericht Düren, No. HR B 3498
> Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
> Board of Directors: Prof. Dr. Achim Bachem (Chairman),
> Dr. Ulrich Krafft (Deputy Chairman)
>
>
> >------Original Message-----
> >-From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf Of
> >-Vincenzo Ciaschini
> >-Sent: Wednesday, April 08, 2009 12:07 PM
> >-To: Etienne URBAH
> >-Cc: aleksandr.konstantinov at fys.uio.no; edges-na3 at mail.edges-grid.eu;
> >-lodygens at lal.in2p3.fr; pgi-wg at ogf.org
> >-Subject: Re: [Pgi-wg] OGF PGI - Security Model - NEW versions of GSI
> >-accept RFC-3820-compliant X509 proxies
> >-
> >-Hi Etienne,
> >-Etienne URBAH wrote:
> >-> Still to be verified is that VOMS servers only accept GSI-style X509
> >-> proxies http://forge.gridforum.org/sf/go/doc15591?nav=1
> >-VOMS accepts and generates both types of proxies.  However, there is a
> >-caveat, which explains the failures you get:
> >-
> >-Pre VOMS 2.0:
> >-Server-side, VOMS uses GSI for validation.  This means that if you run
> >-voms against gt2, contacting it with a gt4 proxy will fail.
> >-
> >-There is a final argument in the vomses file which specifies which
> >-version of GT the service uses, and adapts the proxies used to contact
> >-it accordingly.  Many VOs distribute an incorrect vomses file.
> >-
> >-The final proxy obtained as output by voms-proxy-init will always be
> >-what you requested, in this case an RFC proxy.
> >-
> >-VOMS 2.0 onwards:
> >-Globus dependencies on the server will be dropped too (They are
> >-currently removed from both the clients and the APIs).  This will mean
> >-that any kind of proxy, or even a bare certificate, will become
> >-acceptable for contacting the service.  The whole vomses config business
> >-above will no longer be relevant.
> >-
> >-VOMS 2.0 is due to be out during autumn this year.
> >-
> >-Ciao,
> >-    Vincenzo
> >-_______________________________________________
> >-Pgi-wg mailing list
> >-Pgi-wg at ogf.org
> >-http://www.ogf.org/mailman/listinfo/pgi-wg