[Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ

Moreno Marzolla moreno.marzolla at pd.infn.it
Fri Mar 20 09:55:41 CDT 2009


m.riedel at fz-juelich.de wrote:
> Hi,
> 
>> - This is the problem you mentioned which we experienced during the 
>> OMII-EU project: BES clients were not executing the delegation 
>> operation, so the service did not have any delegated credentials to use. 
>> We then implemented a horrible workaround in CREAM which was fine for 
>> demonstration purposes, but unfortunately cannot be applied for any 
>> real use.
> 
> 
> ok, that's interesting - if you obviously don't extract the proxy from the TLS level during the AuthN steps - why is proxy support still needed on the TLS level then?!

I answer your question according to the understanding I just gained from 
our security experts, so bear with me :-)

The gLite middleware relies on VOMS extensions to associate roles with 
users according to the VO they belong to. If you use plain X509 
certificates, of course you don't have any VO information there, so it 
is not possible for services to assign roles to the bearer of those 
certificates.

Suppose you want to submit a job to CREAM, and the job needs to stage 
external data to/from a service which DOES require VO extensions in 
order to perform authorization decisions. In this situation you need at 
least to delegate to CREAM a certificate with VOMS extensions (the 
delegated certificate will be used by CREAM to access external resources 
on behalf of the user).

Of course, if you have an X509 certificate signed by a "conventional" 
certification authority, you cannot stick VOMS extensions inside it. For 
this reason, when gLite users want to interact with CREAM directly, 
they first create a VOMS proxy certificate via the voms-proxy-init 
command. Thus, using a proxy to interact with CREAM is only needed to 
have VOMS extensions inside the credential used to interact with the 
service.

If your job does not need to access any external service, OR if that 
external service does not rely on VOMS extensions, then you are 
perfectly fine using plain X509 certificates only.

Moreno.

-- 
Moreno Marzolla
INFN Sezione di Padova,    via Marzolo 8,   35131 PADOVA,  Italy
EMail: moreno.marzolla at pd.infn.it         Phone: +39 049 8277103
WWW  : http://www.dsi.unive.it/~marzolla  Fax  : +39 049 8756233
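The distinction Moreno draws above (a plain X509 certificate carries no VO information, a VOMS proxy does) can be checked on the service side by looking for the VOMS attribute-certificate extension in the presented credential. The script below is an added example, not code from the thread or from gLite/CREAM; it assumes openssl 1.1.1 or later on PATH, uses the OID under which VOMS stores its attribute-certificate sequence, and stands in a placeholder extension for the real AC that voms-proxy-init would embed.

```shell
#!/bin/sh
# Added example, not from the thread. Decide whether a PEM credential carries
# VOMS attribute certificates (VO membership/roles) that a VOMS-aware service
# could base an authorization decision on. A certificate from a "conventional"
# CA has no such extension, so no roles can be assigned from it.
# Assumptions: openssl >= 1.1.1 on PATH; the OID below is the one VOMS uses for
# its attribute-certificate sequence extension.
VOMS_ACSEQ_OID="1.3.6.1.4.1.8005.100.100.5"

# has_voms_ac CERT.pem: succeeds only if the VOMS AC-sequence extension is present.
# Presence check only; a real service must also validate the AC signature/validity.
has_voms_ac() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "$VOMS_ACSEQ_OID"
}

# make_plain_cert OUT.pem: constructed self-signed certificate with no VO data,
# standing in for a plain X.509 certificate from a conventional CA.
make_plain_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 1 \
        -subj "/O=ExampleGrid/CN=Test User" >/dev/null 2>&1
}

# make_voms_like_cert OUT.pem: same identity plus a placeholder extension under
# the VOMS OID, standing in for what voms-proxy-init embeds in the proxy.
# (The real payload is a DER-encoded attribute certificate; a dummy string is
# enough to exercise the presence check.)
make_voms_like_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 1 \
        -subj "/O=ExampleGrid/CN=Test User/CN=proxy" \
        -addext "$VOMS_ACSEQ_OID=ASN1:UTF8String:constructed-placeholder" >/dev/null 2>&1
}

# describe CERT.pem: one-line verdict a service could log for the credential.
describe() {
    if has_voms_ac "$1"; then
        echo "VOMS extension present: VO roles can be derived"
    else
        echo "plain X.509: no VO information, no role assignment possible"
    fi
}

main() {
    d=$(mktemp -d)
    make_plain_cert "$d/plain.pem"
    make_voms_like_cert "$d/voms.pem"
    describe "$d/plain.pem"
    describe "$d/voms.pem"
    rm -rf "$d"
}
main
```

Finding the extension only tells a service that VO attributes are claimed; accepting them still requires verifying the attribute certificate against the trusted VOMS server credentials, which this check does not do.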
