[Pgi-wg] Sec: Agreement on attribute transportmechanismsforAttrAuthZ

m.riedel at fz-juelich.de m.riedel at fz-juelich.de
Fri Mar 20 09:00:07 CDT 2009 

Howdy,

>-PGI_TLS_PROXY (the notation is also in the virginia strawman)
>-PGI_GSI

 so in this context what is the difference on TLS itself w/o considering different APIs?!

Good  point in checking this out - I'm still think its rather the same.

Thanks for clarification,
Morris



--------------------------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Central Institute of Applied Mathematics
Research Centre Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email:  m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/zam/ZAMPeople/riedel

Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

'We work to improve ourselves and the rest of mankind.'

----- Original Message -----
From: weizhong qiang <weizhongqiang at gmail.com>
Date: Friday, March 20, 2009 1:10 pm
Subject: Re: [Pgi-wg] Sec: Agreement on attribute transport mechanismsforAttrAuthZ

> hi,
> 
> PGI_TLS and PGI_GSI were mentioned by you in a few thread.
> Again, I would like clarify something from my point of view.
> Do you mean PGI_GSI the services/clients that talk to each other 
> by using
> GSSAPI?
> or just talk to each other based on TLS while using proxy 
> certificate. I
> think there is difference between them.
> So I would divide them into branch by using your notation:
> PGI_TLS
> PGI_TLS_PROXY (the notation is also in the virginia strawman)
> PGI_GSI
> 
> 
> 2009/3/20 Morris Riedel <m.riedel at fz-juelich.de>
> 
> >  Hi,
> >
> >
> >
> > >- My personal thinking is, since we are talking about PGI or
> > interoperability, we probably do need to change the current 
> implementation> if it can not satisfy interoperability, while 
> keeping the principle that the
> > change should be as little as possible.
> >
> >
> >
> > In terms of little changes I agree – but I consider PGI_TLS / 
> PGI_GSI as
> > massive changes.
> >
> >
> >
> > For instance, we have developed a UNICORE Gateway (for AuthN) 
> that works
> > with PGI_TLS naturally – and PGI_GSI more recently providing of 
> course not
> > FULL delegation support per hop, but proxies are supported on 
> GSI-TLS level.
> >
> >
> >
> >
> >
> > However, can we expect that you one contact a CREAM-BES any time 
> soon with
> > full end-entity credentials or any other gLite component?
> >
> The CREAM service has been tested (by some of our colleagues) . 
> And the
> result shows CREAM service requires "limited" proxy certificate 
> (proxy with
> "CN=proxy") when it doing data transfer.
> 
> Inherently, because of forwarding mechanisms internally – proxies are
> > necessary probably.
> >
> >
> >
> > But maybe that’s my old interop* knowledge – so let’s clarify again…
> >
> >
> >
> > Some statements that need clarification:
> >
> >
> >
> > Note: UNICORE can be contacted using PGI_TLS and PGI_GSI – the 
> same is
> > planned for GENESIS-II as far as I remember.
> >
> "and PGI_GSI" means PGI_TLS_PROXY or PGI_GSI?
> From out experience about testing against UNICORE service, it uses
> PGI_TLS_PROXY.
> 
> 
> >
> >
> >
> > Q: Do gLite also supports pure PGI_TLS apart from PGI_GSI?
> >
> >
> >
> >
> >
> > Q: Do ARC also supports pure PGI_TLS apart from PGI_GSI?
> >
> PGI_TLS
> PGI_TLS_PROXY
> possible to support PGI_GSI (the definition I mentioned)
> 
> 
> >
> >
> >
> >
> > Q: Do we really imply that PGI-compliance means that both 
> PGI_GSI and pure
> > PGI_TLS have to be supported? Or we rather go the plumbing way 
> of defining
> > either or as MANDATORY and as MAY both supported (two plumbings).
> >
> I see PGI_TLS_PROXY should be mandatory.
> 
> Regards,
> 
> Weizhong
> 
> 
> >
> > Thanks for clarification,
> >
> > Morris
> >
> >
> >
> >
> >
> > *From:* Steven Newhouse [Steven.Newhouse at cern.ch]
> > *Sent:* Friday, March 20, 2009 11:49 AM
> > *To:* weizhong qiang; Morris Riedel
> > *Cc:* pgi-wg at ogf.org
> > *Subject:* RE: [Pgi-wg] Sec: Agreement on attribute transport
> > mechanismsforAttrAuthZ
> >
> >
> >
> > My personal thinking is, since we are talking about PGI or
> > interoperability, we probably do need to change the current 
> implementation> if it can not satisfy interoperability, while 
> keeping the principle that the
> > change should be as little as possible.
> >
> >
> >
> > And to clearly describe the interoperability benefits that will 
> be derived
> > (i.e. systems and communities) by making that change.
> >
> >
> >
> > Steven
> >
> > _______________________________________________
> > Pgi-wg mailing list
> > Pgi-wg at ogf.org
> > http://www.ogf.org/mailman/listinfo/pgi-wg
> >
> >
> 



-------------------------------------------------------------------
-------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich

Sitz der Gesellschaft: Jülich
Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDir'in Bärbel Brumme-Bothe
Geschäftsführung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
Dr. Sebastian M. Schmidt
-------------------------------------------------------------------
-------------------------------------------------------------------

More information about the Pgi-wg mailing list