[Pgi-wg] OGF PGI - Security Model

Duane Merrill dgm4d at virginia.edu
Tue Mar 24 18:12:02 CDT 2009 

Looks like a good foundation.  A couple of comments/suggestions:

   - Section (7.1.1).  This section discusses the necessity for
   shared-semantics amongst authorization token formats.  Instead of "VOMS
   extensions", which is unclear what that means, I think you mean
   "FQAN-equivalent semantics for describing VO groups/roles."


   - Section (7.2).  If we have the semantic equivalences described in
   (7.1), then the incoming message-processing stack of a PGI-compliant service
   endpoint should be able process all three types of client-credentialing
   mechanisms equivalently:


    - Clients supply SAML attributes authenticated by End-Entity
      Certificates at the SOAP level (*Idealized Unicore*)
      - Clients supply SAML attributes authenticated by Proxy-Certificates
      at the SOAP level (*Idealized Genesis II*)
      - Clients supply VOMS-style Attribute Certificates authenticated by
      (and embedded within) Proxy Certificates at the SSL/TLS level (*Idealized
      gLite/ARC/Naregi*)

 By the time message-processing reaches a policy-decision module, the
service has distilled an authenticated set of distinguished names, FQAN
groups/roles, and restriction policies that look the same, independent of
how they were supplied.

By mandating a "receiver-makes-right" strategy (section 7.7), you
obviate the complexity of sections (7.3) and (7.5).  Such reduced complexity
affords us a quicker incremental roadmap in which clients can remain largely
unchanged, while additional infrastructure complexity is only initially
needed at those service endpoints intended for advertisement within multiple
infrastructures.


   - Section (7.4).  Be careful with your language: do not mandate the
   management of authz/authn information not relevant to inter-grid
   interaction.  (E.g., Genesis II does not make use of local-UID mappings ).



   - The document is missing a brief consensus on SOAP-over-HTTPS
   communication that mandates a specific variant of SSL/TLS (i.e., anything
   that implements RFC-2246, The TLS Protocol Version 1.0, which excludes
   GSI-OpenSSH.)


-Duane
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.ogf.org/pipermail/pgi-wg/attachments/20090324/d196c943/attachment.html

More information about the Pgi-wg mailing list