[Pgi-wg] Sec: Agreement on supported Attribute Authority Interfaces

m.riedel at fz-juelich.de
Thu Mar 19 12:34:48 CDT 2009


Hi,

  sorry for the confusion - the goal here is simply to find out whether there are other ways in infrastructures, besides [SAML-based VOMS, classic AC VOMS, Shibboleth], to retrieve attributes, and whether we may be able to skip the need for Shib* ways of doing it.


I think standardization of the Classic AC VOMS interface is out of scope, while the standardization of the SAML-based VOMS interface is done by SAML. But we should state both in the document as examples of retrieving attributes, to make the profile clearer.


I gathered from your mail about EGEE (which I referred to in my mail) that we have to support Classic AC VOMS, which in turn means looking more closely at the "AC embedded proxy" approach in our profile (another upcoming e-mail thread). You may see it as a precondition before looking more closely at the precise encoding of the transport mechanism.


Hope that helps,
Morris





--------------------------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Central Institute of Applied Mathematics
Research Centre Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email:  m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/zam/ZAMPeople/riedel

Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

'We work to improve ourselves and the rest of mankind.'

----- Original Message -----
From: Steven Newhouse <Steven.Newhouse at cern.ch>
Date: Thursday, March 19, 2009 3:55 pm
Subject: RE: [Pgi-wg] Sec: Agreement on supported Attribute Authority Interfaces

> Hi Morris,
> 
> I'm confused by the context here... are you suggesting we look to 
> standardise the VOMS interface (or the service that serves up the 
> proxy that) or the proxy and its content itself?
> 
> Thanks,
> 
> Steven
> 
> Dr Steven Newhouse
> EGEE Technical Director
> http://cern.ch/Steven.Newhouse
> 
> 
> > -----Original Message-----
> > From: pgi-wg-bounces at ogf.org [pgi-wg-bounces at ogf.org] On Behalf
> > Of Morris Riedel
> > Sent: 19 March 2009 14:22
> > To: pgi-wg at ogf.org
> > Subject: [Pgi-wg] Sec: Agreement on supported Attribute Authority
> > Interfaces
> > 
> > Hi PGI security folks,
> > 
> >   another issue I see is the supported attribute authorities and (more notably) their interfaces.
> > 
> > Taking our experience from GIN into account and addressing the message of Steven (EGEE), there are still two interfaces to consider in terms of VOMS.
> > Also, as an alternative AA, there is Shibboleth, which is quite widely used in the space.
> > 
> > ### goal
> > 
> > (a)
> > We are discussing which AA can be used in PGI to retrieve attributes...
> > 
> > (b)
> > ...because we want to find out which interfaces have to be supported to get attributes...
> > 
> > 
> > (c)
> > ... in order to know more precisely which types of attribute transport mechanisms we have to support in PGI.
> > 
> > ### Possible scenarios
> > 
> > A. A user contacts a non-WS-based classic VOMS with a proprietary interface, but gets a standardized RFC AC back with the attributes signed by the VOMS.
> > (later on these are used within extensions of RFC proxies for attr-authZ)
> > 
> > B. A user contacts a WS-based VOMS with the SAML-REQUEST interface standard and gets a standardized SAML Assertion back signed by the VOMS service.
> > (later on these are used within WS-SecExt within SOAP Headers)
> > 
> > C. A user contacts a Shibboleth system (possibly w/o WAYF) using SLCs with SAML assertions inside its extensions.
> > 
> > D. A user contacts MyProxy with a stored proxy using ACs in its extension (implies no new attribute transport mechanism), but possibly a new interface of getting (indirectly) attributes.
> > 
> > 
> > I see the agreement on the elements of this e-mail thread as a prerequisite to agree on the mechanisms of which attribute formats we support and how we convey attributes precisely (separate email thread).
> > 
> > ### Possible conclusion:
> > 
> > A. We only reference in our profile possible ways of retrieving either ACs or SAML assertions (e.g. by pointing to the SAML-request document that is in public comment currently, as mentioned earlier). We do not intend to profile how exactly a user gets its attributes.
> > 
> > B. If we agree on A - we indirectly agree on attribute push, since in the attribute pull mode - for interoperability reasons - the interface of getting attributes must be known so that the middleware can contact it on behalf of the user!
> > 
> > C. We deal with RFC ACs
> > 
> > D. We deal with SAML assertions
> > 
> > E. We only consider C+D in the first iteration of the profile
> > 
> > 
> > 
> > ### open Questions
> > 
> > Q: Can we agree on these conclusions? Are there any comments -
> > something I missed?
> > 
> > Q: Is there any production infrastructure that largely supports
> > Shibboleth w/o supporting VOMS either in classic or WS style?
> > 
> > 
> > 
> > 
> > Please consider the attribute - and its transport mechanisms out of
> > scope in this e-mail thread.
> > 
> > 
> > Take care,
> > Morris
> > 
> > ------------------------------------------------------------
> > Morris Riedel
> > SW - Engineer
> > Distributed Systems and Grid Computing Division
> > Jülich Supercomputing Centre (JSC)
> > Forschungszentrum Juelich
> > Wilhelm-Johnen-Str. 1
> > D - 52425 Juelich
> > Germany
> > 
> > Email: m.riedel at fz-juelich.de
> > Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
> > Phone: +49 2461 61 - 3651
> > Fax: +49 2461 61 - 6656
> > 
> > Skype: MorrisRiedel
> > 
> > "We work to better ourselves, and the rest of humanity"
> > 
> > Registered office: Jülich
> > Registered in the commercial register of the Düren district court, No. HR B 3498
> > Chairwoman of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
> > Executive Board: Prof. Dr. Achim Bachem (Chairman), Dr. Ulrich Krafft
> > (Deputy Chairman)
> > 
> 
> 



-------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich

Registered office: Jülich
Registered in the commercial register of the Düren district court, No. HR B 3498
Chairwoman of the Supervisory Board: MinDir'in Bärbel Brumme-Bothe
Management: Prof. Dr. Achim Bachem (Chairman),
Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr. Harald Bolt,
Dr. Sebastian M. Schmidt
-------------------------------------------------------------------