[Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ

m.riedel at fz-juelich.de m.riedel at fz-juelich.de
Fri Mar 20 09:35:29 CDT 2009


Hi,

> - This is the problem you mentioned which we experienced during the
> OMII-EU project: BES clients were not executing the delegation
> operation, so the service did not have any delegated credentials to use.
> We then implemented a horrible workaround in CREAM which was fine for
> demonstration purposes, but unfortunately can not be applied for any
> real use.


Ok, that's interesting - if you obviously don't extract the proxy from the TLS level during the AuthN steps, why is proxy support still needed on the TLS level then?!

Q: It looks like now all middlewares can be accessed easily using full end-entity certificates: UNICORE, GENESIS-II, gLite, ... What about ARC?

Thanks for pointing this out Moreno - indeed helpful - I missed that new fact.

Take care,
Morris




--------------------------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Central Institute of Applied Mathematics
Research Centre Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email:  m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/zam/ZAMPeople/riedel

Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

'We work to improve ourselves and the rest of mankind.'

----- Original Message -----
From: Moreno Marzolla <moreno.marzolla at pd.infn.it>
Date: Friday, March 20, 2009 3:25 pm
Subject: Re: [Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ

> m.riedel at fz-juelich.de wrote:
> > Hi,
> >
> >> - The gLite CREAM CE can be accessed either with pure TLS (X509
> >> certificate) or using GSI (proxy-based) authentication. I think that
> >> the same holds for other gLite components as well.
> >
> > So your service can work w/o proxies? Maybe for the initial AuthN yes
> > - but for further use I guess you require a proxy for forwarding to
> > CREAM or so?!
>
> You can invoke any CREAM operation using either a plain X509
> certificate, or a proxy certificate. In either case you can use the
> service without problems. HOWEVER, in order to submit a job you NEED to
> delegate a proxy to CREAM by first invoking the delegation port-type.
> Once you have delegated a proxy, you can create/cancel/monitor your jobs
> with plain X509 certificates.
>
> Note that in order to contact the delegation port-type you can use
> either an X509 certificate, or a proxy certificate.
>
> So, a client with *only* an X509 certificate can perform any operation
> on CREAM, PROVIDED that FIRST it delegates its credential to CREAM by
> performing a delegation operation. A client with a delegated proxy can
> also execute any operation on CREAM, provided that it further delegates
> its credentials to CREAM.
>
> This is the problem you mentioned which we experienced during the
> OMII-EU project: BES clients were not executing the delegation
> operation, so the service did not have any delegated credentials to use.
> We then implemented a horrible workaround in CREAM which was fine for
> demonstration purposes, but unfortunately can not be applied for any
> real use.
>
> Moreno
>
> --
> Moreno Marzolla
> INFN Sezione di Padova,    via Marzolo 8,   35131 PADOVA,  Italy
> EMail: moreno.marzolla at pd.infn.it         Phone: +39 049 8277103
> WWW  : http://www.dsi.unive.it/~marzolla  Fax  : +39 049 8756233
>
>



-------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich

Registered office: Juelich
Registered in the Commercial Register of the Amtsgericht Dueren, No. HR B 3498
Chair of the Supervisory Board: MinDir'in Baerbel Brumme-Bothe
Management Board: Prof. Dr. Achim Bachem (Chairman),
Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr. Harald Bolt,
Dr. Sebastian M. Schmidt
-------------------------------------------------------------------
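The access rule Moreno describes (delegation port-type reachable with an end-entity cert or a proxy, job operations only once a delegated proxy is on file for that user), modelled as a server-side authorization check. This is an added illustration, not CREAM's own code: the operation names, the DNs and the proxy-subject normalization are assumptions, and the "deny" branch is where the OMII-EU BES clients that never delegated would have been stopped.

```python
import re
from typing import Dict, Optional

# Illustrative operation names; these are NOT the real CREAM WSDL operations.
DELEGATION_OPS = {"getProxyReq", "putProxy"}              # delegation port-type
JOB_OPS = {"jobRegister", "jobStart", "jobCancel", "jobStatus"}

# Proxy certificates append "/CN=proxy", "/CN=limited proxy" (legacy GSI) or
# "/CN=<serial>" (RFC 3820) to the end-entity subject; strip those to get the user.
PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")


def end_entity_dn(subject_dn: str) -> str:
    """Map a proxy (or EE) subject DN to the end-entity DN it derives from."""
    dn = subject_dn
    while PROXY_CN.search(dn):
        dn = PROXY_CN.sub("", dn)
    return dn


class DelegationStore:
    """Delegated proxies keyed by end-entity DN, as filled by the delegation port-type."""

    def __init__(self) -> None:
        self._proxies: Dict[str, str] = {}

    def put(self, subject_dn: str, delegated_proxy_pem: str) -> None:
        self._proxies[end_entity_dn(subject_dn)] = delegated_proxy_pem

    def get(self, subject_dn: str) -> Optional[str]:
        return self._proxies.get(end_entity_dn(subject_dn))


def authorize(operation: str, tls_subject_dn: str, store: DelegationStore) -> str:
    """Return 'allow' or 'deny: <reason>' for the caller authenticated at TLS level.

    tls_subject_dn is the subject of whatever certificate authenticated the
    client (an end-entity certificate or a proxy); either is acceptable for
    reaching the delegation port-type. Job operations additionally need a
    delegated proxy on file, because the service acts on the user's behalf.
    """
    if operation in DELEGATION_OPS:
        return "allow"
    if operation not in JOB_OPS:
        return "deny: unknown operation " + operation
    if store.get(tls_subject_dn) is None:
        # The OMII-EU failure mode: client authenticated but never delegated.
        return "deny: no delegated credential on file for " + end_entity_dn(tls_subject_dn)
    return "allow"
```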