[Pgi-wg] Sec: Agreement on SOAP and authentication

m.riedel at fz-juelich.de m.riedel at fz-juelich.de
Fri Mar 20 09:11:13 CDT 2009 

Subject indicates : we are at authentication - so let's keep to GSI in the context of TLS - Thanks



--------------------------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Central Institute of Applied Mathematics
Research Centre Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email:  m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/zam/ZAMPeople/riedel

Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

'We work to improve ourselves and the rest of mankind.'

----- Original Message -----
From: Duane Merrill <dgm4d at virginia.edu>
Date: Friday, March 20, 2009 2:01 pm
Subject: Re: [Pgi-wg] Sec: Agreement on SOAP and authentication

> GSI encompasses MyProxy, Delegation Service, Community Authorization
> Service.  GSI does not include binding of attribute certificates 
> within PKCs
> or PCs.  So GSI is an overlapping but different set of features 
> than we are
> talking about right here.
> 
> Besides, to my knowledge, GSI supports vanilla PKCs as well as PCs.
> 
> -Duane
> 
> On Thu, Mar 19, 2009 at 1:27 PM, <m.riedel at fz-juelich.de> wrote:
> 
> > Hi,
> >
> >  ok let's put it as follows: I meant "proxy-based TLS == GSI" - 
> maybe a bit
> > simplified but isn't it clear in the context here? But we can 
> talk about GSI
> > then...
> >
> > Yeah GridFTP is an important service but indeed with no WS-
> interface, so
> > out of scope here.
> >
> > What do you think about the "either-or" dependency to nail it 
> down more
> > precisely.
> >
> > Take care,
> > Morris
> >
> >
> >
> >
> >
> >
> > -----------------------------------------------------------------
> ---------------
> > Morris Riedel
> > SW - Engineer
> > Distributed Systems and Grid Computing Division
> > Central Institute of Applied Mathematics
> > Research Centre Juelich
> > Wilhelm-Johnen-Str. 1
> > D - 52425 Juelich
> > Germany
> >
> > Email:  m.riedel at fz-juelich.de
> > Info: http://www.fz-juelich.de/zam/ZAMPeople/riedel
> >
> > Phone: +49 2461 61 - 3651
> > Fax: +49 2461 61 - 6656
> >
> > Skype: MorrisRiedel
> >
> > 'We work to improve ourselves and the rest of mankind.'
> >
> > ----- Original Message -----
> > From: weizhong qiang <weizhongqiang at gmail.com>
> > Date: Thursday, March 19, 2009 3:51 pm
> > Subject: Re: [Pgi-wg] Sec: Agreement on SOAP and authentication
> >
> > > hi,
> > > I think the issue you proposed can be divided into branches (since
> > > HTTPS is
> > > actually http + tls/ssl):
> > > 1. If all of the PGI services use SOAP (i.e. Web Service 
> interface)?> > 2. If all of the PGI services use TLS?
> > > For the first one, at least GridFTP service is excluded, while it
> > > is widely
> > > used by production grid.
> > > For the second, maybe most of the services are based on secure
> > > transportcommunication, but some of them are using GSI (SRM
> > > service: SOAP + GSI?)
> > >
> > > In terms of ARC, the A-REX service (for job management, supporting
> > > BES,JSDL) is using SOAP plus TLS, while it is also 
> configurable to
> > > support SOAP
> > > plus GSI.
> > >
> > > Regards,
> > > Weizhong
> > >
> >  > 2009/3/19 Morris Riedel <m.riedel at fz-juelich.de>
> > >
> > > > Hi security folks,
> > > >
> > > >
> > > >  reading certain elements of the IIRM, strawman, and following
> > > discussions> on the list - I see there is still no common
> > > agreement on SOAP / HTTP(S) in
> > > > some areas.
> > > >
> > > > ### Goal:
> > > >
> > > > (a)
> > > > We are discussing if SOAP / HTTPS can be used in PGI to 
> contact a
> > > > functional
> > > > interface (like BES)...
> > > >
> > > > (b)
> > > > ...because we want to find out if there is any important service
> > > in the PGI
> > > > context that is not capable of using SOAP (over SSL layer)...
> > > >
> > > >
> > > > (c)
> > > > ... in order to find out if we can agree on SOAP/HTTPS or to
> > > understand> requirements from other non WS-based interfaces in 
> PGI.> > >
> > > >
> > > > Therefore the aim of this thread is to get to an agreement in
> > > this context,
> > > > while considering Attribute authorities like VOMS as a
> > > supportive service
> > > > and not an functional interface (also separate thread).
> > > >
> > > > ### Contacting functional implementations with SOAP
> > > >
> > > > If we consider the case that we communicate with an functional
> > > interface> like OGSA-BES - we agree on SOAP.
> > > >
> > > > ### TLS/SSL Layer:
> > > >
> > > > # <strawman>
> > > > Foundational: Conveying identity for authentication.
> > > > SOAP over HTTPS (PGI_HTTPS).  SOAP-over-HTTP communication using
> > > a SSL/TLS
> > > > transport protocol in which endpoints are mutually authenticated
> > > by X.509
> > > > end-entity public key certificates (PKCs).
> > > > # </strawman>
> > > >
> > > >
> > > > # <simple plumbings: authentication>
> > > > We use authentication either based on identities inside X.509
> > > end-entity
> > > > public key certificates or X.509 proxies (including
> > > restrictions, encoding
> > > > handled separately in another thread).
> > > >
> > > > This refers of using either one or the other of these
> > > certificate types on
> > > > the SSL/TLS level.
> > > >
> > > > For simplification of the profile - there should be no direct
> > > dependencies> with attribute-transport used for authorization.
> > > > # </plumbings>
> > > >
> > > >
> > > > ### Possible scenarios:
> > > >
> > > > # A. TLS with end-entity certificate, SOAP in message -> authN
> > > check with
> > > > CA
> > > >
> > > > # B. TLS with (restricted) proxy certificates, SOAP in 
> message -
> > > > authN
> > > > check with proxy signer chain
> > > >
> > > > ### Possible Conclusion:
> > > >
> > > > # We use SOAP inside a message to contact functional interfaces.
> > > >
> > > > # We use either full X.509 end-entity certificates OR X.509
> > > proxies (with
> > > > restrictions)
> > > >
> > > > ### Open Questions:
> > > >
> > > >
> > > > Q: There are WS interfaces for functional specifications that
> > > matter to PGI
> > > > (BES, WS-DAIS and SRM) - so in the context of PGI - can we agree
> > > on SOAP
> > > > based on HTTPS as mentioned above?
> > > >
> > > > Q: If not - are there any important functional interfaces
> > > (except support
> > > > interfaces from AAs like classic VOMS) that do not support SOAP
> > > in the PGI
> > > > ecosystem?
> > > >
> > > >
> > > > Please feel free to comment but let the question of
> > > attributes+restrictions> outside -  I propose to deal with it in
> > > separate threads because of their
> > > > complexity.
> > > >
> > > >
> > > > Take care,
> > > > Morris
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------------
> > > > Morris Riedel
> > > > SW - Engineer
> > > > Distributed Systems and Grid Computing Division
> > > > Jülich Supercomputing Centre (JSC)
> > > > Forschungszentrum Juelich
> > > > Wilhelm-Johnen-Str. 1
> > > > D - 52425 Juelich
> > > > Germany
> > > >
> > > > Email: m.riedel at fz-juelich.de
> > > > Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
> > > > Phone: +49 2461 61 - 3651
> > > > Fax: +49 2461 61 - 6656
> > > >
> > > > Skype: MorrisRiedel
> > > >
> > > > "We work to better ourselves, and the rest of humanity"
> > > >
> > > > Sitz der Gesellschaft: Jülich
> > > > Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR 
> B 3498
> > > > Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
> > > > Vorstand: Prof. Dr. Achim Bachem (Vorsitzender),
> > > > Dr. Ulrich Krafft (stellv. Vorsitzender)
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Pgi-wg mailing list
> > > > Pgi-wg at ogf.org
> > > > http://www.ogf.org/mailman/listinfo/pgi-wg
> > > >
> > > >
> > >
> >
> >
> >
> > -----------------------------------------------------------------
> --
> > -----------------------------------------------------------------
> --
> > Forschungszentrum Jülich GmbH
> > 52425 Jülich
> >
> > Sitz der Gesellschaft: Jülich
> > Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
> > Vorsitzende des Aufsichtsrats: MinDir'in Bärbel Brumme-Bothe
> > Geschäftsführung: Prof. Dr. Achim Bachem (Vorsitzender),
> > Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
> > Dr. Sebastian M. Schmidt
> > -----------------------------------------------------------------
> --
> > -----------------------------------------------------------------
> --
> >
> >
> > _______________________________________________
> > Pgi-wg mailing list
> > Pgi-wg at ogf.org
> > http://www.ogf.org/mailman/listinfo/pgi-wg
> >
> 



-------------------------------------------------------------------
-------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich

Sitz der Gesellschaft: Jülich
Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDir'in Bärbel Brumme-Bothe
Geschäftsführung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
Dr. Sebastian M. Schmidt
-------------------------------------------------------------------
-------------------------------------------------------------------

More information about the Pgi-wg mailing list