[Pgi-wg] Sec: Agreement on attribute transport mechanismsforAttrAuthZ
m.riedel at fz-juelich.de
m.riedel at fz-juelich.de
Fri Mar 20 08:51:08 CDT 2009
Howdy,
>- I do code for doing authentication with and without proxies. And I never
noticed significant difference.
We do to - difference, for example, would be to climb the proxy chain using the "specific path validation algorithm" which is not needed by using typical X.509 certs.
>- So why not to use last option? Or am I missing something?
As I said before - probably not all services understand normal TLS and require proxies where pure PGI_TLS is not correct - e.g. CREAM-BES I know from my own experience so far.
>- If (a) covers (b) then "either (a) or (b)" is not achievable.
my fault - (a) should be rather in the questions section, but an answer from gLite may help to understand.
Take care,
Morris
--------------------------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Central Institute of Applied Mathematics
Research Centre Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany
Email: m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/zam/ZAMPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656
Skype: MorrisRiedel
'We work to improve ourselves and the rest of mankind.'
----- Original Message -----
From: Aleksandr Konstantinov <aleksandr.konstantinov at fys.uio.no>
Date: Friday, March 20, 2009 12:26 pm
Subject: Re: [Pgi-wg]Sec: Agreement on attribute transport mechanisms forAttrAuthZ
> On Friday 20 March 2009 12:08, Morris Riedel wrote:
> > Good morning Aleksandr,
> >
> >
> > >-I see no reason for "either". Also it would be nice to
> define used
> > terms.
> > >-AFAIK there are no restrictions for using X.509 proxies (aka
> PC) in TLS.
> > As long as
> > >-we are talking about
> > >-standardaized PCs (RFC 3820) of course.
> > >-For infrastructures relying on full or partial/restricted
> X.509 identity
> > delegation PC
> > >-(proxy certificate) is
> > >-a must. But I see no reason why that should exclude usage of
> ordinary> X.509
> > >-certificates/keys as
> > >-mean for identifying (direct or through attributes)
> communicating parties.
> >
> >
> > The reason is basically to precisely define what an endpoint
> supports, if do
> > not define this precisely interoperability will break since
> there is a big
> > difference using TLS with or without proxies for the authN
> check. The either
>
> I do code for doing authentication with and without proxies. And I
> never
> noticed significant difference.
>
> > is a reason to make it more simpler although there is a polymorphic
> > dependency, but this is not always helpful for the implementations.
> >
> > Example:
> >
> > (a)
> > For instance, if we would only claim that the UNICORE Gateway
> (AuthN check
> > for end-users) supports the PGI_TLS w/o knowing if it uses
> proxies or not:
> >
> > If you then use your ARC-Client with proxies and access the
> Gateway you
> > fail, because the AuthN check only checks for full end-entity
> certificates.>
> > (b)
> > For instance, if we would claim that UNICORE Gateway supports
> PGI_GSI (so
> > proxies including some newly defined PGI revocation mechanism
> since this is
> > a general GSI problem, or proxy problem although they have
> limited lifetime)
> > :
> >
> > If you then use your ARC client with proxies and access the
> Gateway you win,
> > because the AuthN check climbs up the whole proxy-hierarchy.
> >
> > If we use our own UNICORE Client with full end-entity
> certificates it works
> > as well since PGI_GSI MAY include PGI_TLS (your polymorphic item).
>
> So why not to use last option? Or am I missing something?
>
> >
> > ### Conclusions and motivation for either:
> >
> > (a)
> > So clearly every service that do supports PGI_GSI is able to
> accept client
> > request based on PGI_TLS only
> >
> > (b)
> > But every service that purely supports PGI_TLS is not able to
> accept client
> > requests based on PGI_GSI
> >
> > Bottom line: the either is needed for differentiation including
> inherently> your statement of polymorphism that only indicated
> 'one direction' or 'is-a'
> > and not the other direction!
>
> If (a) covers (b) then "either (a) or (b)" is not achievable.
>
>
> A.K.
> _______________________________________________
> Pgi-wg mailing list
> Pgi-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/pgi-wg
>
-------------------------------------------------------------------
-------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
Dr. Sebastian M. Schmidt
-------------------------------------------------------------------
-------------------------------------------------------------------
More information about the Pgi-wg
mailing list