[Pgi-wg] Sec: Agreement on SOAP and authentication

Thu Mar 19 08:01:40 CDT 2009

Hi security folks,

  reading certain elements of the IIRM, strawman, and following discussions
on the list - I see there is still no common agreement on SOAP / HTTP(S) in
some areas.

### Goal:

(a)
We are discussing if SOAP / HTTPS can be used in PGI to contact a functional
interface (like BES)...

(b)
...because we want to find out if there is any important service in the PGI
context that is not capable of using SOAP (over SSL layer)...

(c)
... in order to find out if we can agree on SOAP/HTTPS or to understand
requirements from other non WS-based interfaces in PGI.

Therefore the aim of this thread is to get to an agreement in this context,
while considering Attribute authorities like VOMS as a supportive service
and not an functional interface (also separate thread).

### Contacting functional implementations with SOAP

If we consider the case that we communicate with an functional interface
like OGSA-BES - we agree on SOAP.

### TLS/SSL Layer:

# <strawman>
Foundational: Conveying identity for authentication.
SOAP over HTTPS (PGI_HTTPS).  SOAP-over-HTTP communication using a SSL/TLS
transport protocol in which endpoints are mutually authenticated by X.509
end-entity public key certificates (PKCs).
# </strawman>

# <simple plumbings: authentication>
We use authentication either based on identities inside X.509 end-entity
public key certificates or X.509 proxies (including restrictions, encoding
handled separately in another thread). 

This refers of using either one or the other of these certificate types on
the SSL/TLS level.

For simplification of the profile - there should be no direct dependencies
with attribute-transport used for authorization.
# </plumbings>

### Possible scenarios:

# A. TLS with end-entity certificate, SOAP in message -> authN check with CA

# B. TLS with (restricted) proxy certificates, SOAP in message -> authN
check with proxy signer chain

### Possible Conclusion:

# We use SOAP inside a message to contact functional interfaces.

# We use either full X.509 end-entity certificates OR X.509 proxies (with
restrictions)

### Open Questions:

Q: There are WS interfaces for functional specifications that matter to PGI
(BES, WS-DAIS and SRM) - so in the context of PGI - can we agree on SOAP
based on HTTPS as mentioned above? 

Q: If not - are there any important functional interfaces (except support
interfaces from AAs like classic VOMS) that do not support SOAP in the PGI
ecosystem?

Please feel free to comment but let the question of attributes+restrictions
outside -  I propose to deal with it in separate threads because of their
complexity.

Take care,
Morris 

------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email: m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

"We work to better ourselves, and the rest of humanity"

Sitz der Gesellschaft: Jülich
Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), 
Dr. Ulrich Krafft (stellv. Vorsitzender)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3550 bytes
Desc: not available
Url : http://www.ogf.org/pipermail/pgi-wg/attachments/20090319/8455b425/attachment.bin 