[Pgi-wg] OGF PGI - Security Model - NEW versions of GSI accept RFC-3820-compliant X509 proxies

Morris Riedel m.riedel at fz-juelich.de
Wed Apr 8 08:55:36 CDT 2009


Hi Duane,

 

>-Morris: What is the chance that this VOMS 2.0 gets a huge deployment in
>-EGEE then?!
>-
>-It doesn't need a huge deployment.  Even a single deployment at the grid
>-boundary will work to our ends.

 

I don’t think so for production interop – maybe for typical OGF interop
fests. But not for production applications, which are planned between DEISA
and EGEE for a few use cases.

I guess one VOMS is deployed for each VO or has this changed?

So it depends on the VO you are working with, e.g. FUSION interop
application and their deployed VOMS service in EGEE for instance will matter
for DEISA (EUFORIA work I’m involved in).

The difference to OGF interop tests is that we would like to use the interop
in production – which is different than deploying somewhere a VOMS for
special needs. However, it might be the only solution if PGI is not coming
up with agreements :-)

 

 

Take care,

Morris

 

 

 

------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email: m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

"We work to better ourselves, and the rest of humanity"

Registered office: Jülich
Registered in the commercial register of the Düren District Court, No. HR B 3498
Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
Board of Directors: Prof. Dr. Achim Bachem (Chairman),
Dr. Ulrich Krafft (Deputy Chairman)

 

From: Duane Merrill [mailto:dgm4d at virginia.edu] 
Sent: Wednesday, April 08, 2009 3:42 PM
To: Morris Riedel
Cc: Vincenzo Ciaschini; Etienne URBAH; aleksandr.konstantinov at fys.uio.no;
pgi-wg at ogf.org; edges-na3 at mail.edges-grid.eu; lodygens at lal.in2p3.fr
Subject: Re: [Pgi-wg] OGF PGI - Security Model - NEW versions of GSI
accept RFC-3820-compliant X509 proxies

 

Steven: Surely it's better to focus our energies on defining a profile around
the new style proxies that groups intend to support going forward?

This seems most prudent.  We don't need to bend the PGI profile(s) such that
every existing endpoint can be labeled "compliant".  Compliant service
endpoints can be rolled out incrementally as subject to
implementation/budget/etc. constraints.

Morris: What is the chance that this VOMS 2.0 gets a huge deployment in EGEE
then?!

It doesn't need a huge deployment.  Even a single deployment at the grid
boundary will work to our ends.

 

-Duane

 



 

2009/4/8 Morris Riedel <m.riedel at fz-juelich.de>

Hi,

 very valuable information - probably another reason for sticking to GSI
unfortunately in the production space...

>- VOMS 2.0 is due to be out during autumn this year.

What is the chance that this VOMS 2.0 gets a huge deployment in EGEE then?!

Thanks,
Morris


>------Original Message-----
>-From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf Of
>-Vincenzo Ciaschini
>-Sent: Wednesday, April 08, 2009 12:07 PM
>-To: Etienne URBAH
>-Cc: aleksandr.konstantinov at fys.uio.no; edges-na3 at mail.edges-grid.eu;
>-lodygens at lal.in2p3.fr; pgi-wg at ogf.org
>-Subject: Re: [Pgi-wg] OGF PGI - Security Model - NEW versions of GSI
>-accept RFC-3820-compliant X509 proxies
>-
>-Hi Etienne,

>-Etienne URBAH wrote:
>-> Still to be verified is that VOMS servers only accept GSI-style X509
>-> proxies http://forge.gridforum.org/sf/go/doc15591?nav=1
>-VOMS accepts and generates both types of proxies.  However, there is a
>-caveat, which explains the failures you get:
>-
>-Pre VOMS 2.0:
>-Server-side, VOMS uses GSI for validation.  This means that if you run
>-voms against gt2, contacting it with a gt4 proxy will fail.
>-
>-There is a final argument in the vomses file which specifies which
>-version of GT the service uses, and adapts the proxies used to contact
>-it accordingly.  Many VOs distribute an incorrect vomses file.
>-
>-The final proxy obtained as output by voms-proxy-init will always be
>-what you requested, in this case an RFC proxy.
>-
>-VOMS 2.0 onwards:
>-Globus dependencies on the server will be dropped too (They are
>-currently removed from both the clients and the APIs).  This will mean
>-that any kind of proxy, or even a bare certificate, will become
>-acceptable for contacting the service.  The whole vomses config business
>-above will no longer be relevant.
>-
>-VOMS 2.0 is due to be out during autumn this year.
>-
>-Ciao,
>-    Vincenzo
